The 2026 FIFA World Cup is ongoing, and a wide range of threat actors are targeting those participating in and attending the event.
The World Cup, which runs until July 19, presents a complex threat landscape across US, Canada, and Mexico, with attendees representing 48 different nationalities. These factors create opportunities for threat actors, both financial as well as nation-state actors looking for espionage opportunities.
Flashpoint on June 22 published research covering the current state of threats targeting FIFA’s event and various factors playing into how those threats target victims. Flashpoint analysts called the threat environment dynamic, “spanning physical security, civil unrest, cyber threats, and geopolitical developments.”
On the physical security front, protest activity in host nations has led to demonstrations and clashes with security forces over issues such as the World Cup itself, FIFA, housing advocacy, immigration enforcement, labor, Iran-themed tensions, and more. All this said, Flashpoint analysts (who are concerned with physical security in addition to cyber) “have not identified any credible indications of an imminent attack targeting tournament venues or participants” thus far.
Flashpoint described cybercrime activity as “persistent,” with an emphasis on social engineering.
Cyber Threats Targeting the 2026 World Cup
Cyber threat actor motivations vary but generally involve money or data; attackers are leaning into ticketing fraud (stealing and reselling tickets purchased legitimately), phishing opportunities, ransomware, and DDoS attacks against transit systems, stadium operations, and hospitality networks, and infrastructure vulnerability targeting against public-facing systems.
“Security researchers and law enforcement agencies continue to warn of thousands of fraudulent domains impersonating FIFA-related services, including fake ticketing portals, merchandise sites, streaming services, and employment opportunities designed to steal credentials and personal information,” the blog post read.
Analysts have also observed claims from hacktivist and state-aligned threat actors trying to associate themselves with World Cup-related activity, though many claims remain unverified. Despite active campaigns, Flashpoint expects the World Cup to act as a “stress test” for global infrastructure.
“While some publicly promoted claims remain uncorroborated, the broader trend highlights ongoing interest from politically motivated cyber actors in leveraging the tournament’s visibility to amplify messaging, generate attention, or target supporting infrastructure,” analysts said. Threat actors could further monetize through AI-enhanced fraud campaigns, fraudulent housing and rental listings, transportation scams (such as that involving rideshare), sports betting manipulation, and more, they added.
Protecting Against World Cup Threats
A massive number of organizations and businesses are going to be swept up in World Cup, either through involvement in events or proximity to them. That includes hospitality, food, beverage, and transportation vendors, but also local businesses as well as the software companies expected to orchestrate and secure every facet of the World Cup.
Kayne McGladrey, senior member of the Institute of Electrical and Electronics Engineers (IEEE), tells Dark Reading teams can survive data floods by creating a baseline of “normal” behavior before relevant events so deviations trigger immediate automated responses. Defenders can use dedicated honeypots replicating stadium infrastructure as well as real-time behavioral telemetry from within one’s own network, so teams can “spot unusual behavior in IT and OT layers in the minutes before an attack.”
“Pre-event threat hunting and alert tuning can further help to reduce or remove known misconfigurations early, shrinking the decision space so analysts aren’t drowning in noise when the clock starts ticking,” he says. “Security leaders know that they can’t expect analysts to review every alert, so they’re prioritizing only high-confidence behavioral detections tied to big event milestones, like the opening ceremony or a high-profile matchup.”
As far as conventional security issues go, McGladrey says the biggest blind spot for organizations is “the uncontrolled network connections between business IT and operational technology (like HVAC or lighting systems), which lets attackers move laterally with ease.”
“Organizations consistently ignore supply chain risks,” he says, “allowing trusted vendors to hold persistent access that becomes a backdoor months before the event starts, or choosing lower-cost equipment that comes with backdoors built in.”

No responses yet