INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
2026 World Cup Attack Surface
2026-05-28 10:00 | CRITICAL | LOW

Executive Summary (AI-generated)
The 2026 World Cup is a high-profile event that poses significant cyber threats to various sectors, including hospitality supply chains and tournament infrastructure. Iran-nexus activity has been identified as a major risk factor for the tournament, with firms such as Group-IB assessing some of the groups involved as potential fronts for Iranian intelligence services. The threat landscape also includes wiper attacks, hacktivist operations, and DDoS and defacement targeting of host-city, federation and ticketing services. Furthermore, incidents such as the WADA leak and the Pyeongchang Winter Olympics cyber attack demonstrate that state-sponsored actors are capable of launching sophisticated cyberattacks against major international sporting events.
Technical Mitigations (AI-generated)
• Implement robust network segmentation and isolation to limit the attack surface of critical infrastructure, such as internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs).
• Conduct thorough vulnerability assessments and penetration testing on all systems hosting World Cup events, including stadiums, arenas, and transportation hubs.
• Develop and implement a comprehensive incident response plan that includes procedures for responding to DDoS attacks, ransomware operations, and other types of cyber threats.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation Eastwood; Scattered Spider; APT28; ALPHV; Milan; Wiper; Avenger; Olympic Destroyer; BlackCat
Target & Sectors
Regions: North America; GCC
Sectors: finance; media; defense; transportation; health; hospitality; government; technology; energy
Incident Timeline
Oct 2020
Iran-Nexus cyber operations targeted various World Cup host cities, including the U.S. and Qatar, with attacks on ticketing systems, hospitality businesses, and digital infrastructure.
Entities: Wiper (tactic); DDoS (tactic); WADA; Rio; Fighting Ursa; Pyeongchang Winter Olympics; Olympic Destroyer (malware); GRU Unit; Sandworm
WADA leak: Prolonged DDoS against the official Rio website; Fighting Ursa publication of stolen WADA athlete medical records.
Pyeongchang Winter Olympics | 2018 | Olympic Destroyer wiper; attributed to Razing Ursa (aka GRU Unit 74455, Sandworm) by UK FCDO, Oct 2020 | Wi-Fi at opening ceremony, Olympics website, ticketing, broadcast drones disabled.
Geopolitical Threats: Iran-Nexus and Disruptive Hacktivism
The geopolitical context for the 2026 tournament is materially different from any prior World Cup.
Iran-Nexus: CyberAv3ngers and OT Targeting
CyberAv3ngers (aka Shahid Kaveh Group, Bauxite, Hydro Kitten, Storm-0784 and UNC5691) is the IRGC Cyber-Electronic Command's industrial-control-system arm.
Iran-Nexus: Other Personas and the Electronic Operations Room
Beyond Handala and CyberAv3ngers, multiple Iran-aligned personas — DieNet, APTIran, Cyber Toufan, Cyber Support Front, Iranian Avenger, Cyb3r Drag0nz — have been observed operating through a team named the Electronic Operations Room of Islamic Resistance Axis.
Phishing, Malware and Lure Themes
Confirmed lure themes from prior tournaments include:
• Lottery winnings
• Ticket cancellations
• FIFA dispute-resolution decisions
• Accreditation problems
• FanID issues
• Free streaming
• Counterfeit merchandise
Expect to see typosquatted FIFA domains, malicious mobile applications, infostealers sold on Telegram, and Telegram-based reseller channels moving money via peer-to-peer payment apps, as seen in Table 2.

Cybercriminal Vector | Primary Targets
Phishing/lookalike domains/typosquatting | All fans, especially first-time international travelers
Fake/resold tickets; FanID account takeover | Fans buying outside the FIFA platform
Hospitality ransomware (high-profile operators) | Hotel chains, property management, casino-resort venues
DDoS against host-city, federation or ticketing services | Pro-Russian and pro-Iran hacktivist targets
Hack-and-leak/doxxing of officials, sponsors, athletes | Officials, sponsors, athletes
QR-code/transportation/parking fraud | Fans moving between host cities
Mobile malware via fake apps in official stores | Android primarily; iOS via TestFlight
Table 2.
FIFA World Cup, Qatar | 2022 | Cybercriminal ecosystem; multiple groups | Group-IB: 16,000+ scam domains, 40+ fake mobile apps, 50+ fake social-media accounts, and 90 compromised Hayya FanID accounts (RedLine and Erbium info-stealer credentials).
Ticket Fraud and FanID-equivalent Account Takeover
Based on the Qatar 2022 Games, there are five categories of ticket-themed fraud:
• Lookalike resale sites
• Fake social-media reseller accounts
• Lottery/giveaway phishing
• Fake mobile applications on official app stores
• Credential-stuffing attacks against the official fan portal

Hospitality and Accommodation Fraud
Attacks against hospitality businesses and platforms, digital key infrastructure, point of sale (PoS) and identity providers, and fake short-term rental properties are another potential area of risk.
Rugby World Cup, France | 2023 | Fiddling Scorpius, distributors of Play ransomware | French Rugby Federation systems encrypted three months before kickoff; personally identifiable information (PII) exfiltrated.
Paris Summer Olympics | 2024 | Multiple cybercriminal and hacktivist groups; one ransomware actor | Ransomware on Grand Palais venue and approximately 40 other museums.
Every World Cup host city in the United States operates municipal water, wastewater and energy infrastructure inside this advisory's threat envelope.
ANSSI: 140+ events, 119 low-impact, 22 successful intrusions.
Italian National Cybersecurity Agency operated a dedicated command centre throughout the Games.

Cybercriminal Threats to Fans and the Tournament Supply Chain
Financially motivated cybercrime is the highest-volume, highest-likelihood threat category for the 2026 FIFA World Cup Games.
March 2022
NoName057(16) used the Russian Federation's infrastructure to target Allied Hacktivists between July 2024 and July 2025.
Russia-Nexus: NoName057(16) and Allied Hacktivists
NoName057(16) has been the most operationally consistent pro-Russian hacktivist group since March 2022, with 3,700-plus targeted hosts attributed to the group between July 2024 and July 2025.
January 2024
Russian cyberattackers used internet of things (IoT) devices to disrupt water treatment facilities in Texas.
A January 2024 Russian cyberattack on a municipality in Texas resulted in successfully overflowing a water tank after unsuccessful attempts in neighboring water systems.
July 2025
French authorities confirmed at least 140 cyber events during the Games, including 22 confirmed unauthorized intrusions and a ransomware attack against the Grand Palais venue.
Operation Eastwood (July 2025) disrupted but did not eliminate the group.
The Bottom Line
Defenders should plan against the possibility of all of the following:
• Cybercriminals targeting fans and the hospitality supply chain
• Iran-nexus disruptive operations against ancillary U.S. infrastructure during the tournament window
• Pro-Russian and pro-Iran hacktivist DDoS and defacement targeting of host-city, federation and ticketing services
• A wiper deployed against tournament IT during a high-visibility ceremony

Previous Attacks Against Major International Sporting Events
Event | Year | Operation / Actor | Documented Impact / Primary Source
Rio Summer Olympics | 2016 | OpOlympicHacking; Fighting Ursa (aka Fancy Bear, APT28)
Group-IB identified more than 16,000 fraudulent domains and 90 compromised Hayya fan-portal accounts during World Cup 2022 in Qatar.
The stack includes reservations, digital keys, point-of-sale (PoS) machines and loyalty data.
December 2025
Threat actors used a compromised VPN service to target the UK National Cyber Security Centre (NCSC) and Eurojust in December 2025.
The UK NCSC, Eurojust and Europol issued co-sealed advisories in December 2025 and January 2026 regarding the hacktivist group.
January 2026
Iran-nexus actors target host city utility infrastructure, specifically wastewater PLCs, to disrupt operations and create a public health advisory.
UK NCSC's January 2026 alert specifically called out persistent NoName057(16) targeting of UK local-government services.
OT Disruption at Host-City Utility During Match
Scenario: An Iran-nexus actor manipulates a wastewater PLC in a host city overnight before a knockout match, producing a service alert and a forced public-health advisory.
Federal Layer
Federal agencies have signaled awareness: CISA AA26-097A, the DOJ domain-seizure activity against Iranian cyber fronts and the U.S. State Department's $10 million reward offers indicate active coordination.
The Pyeongchang 2018 Olympic Destroyer destructive case is a clear historical warning: Recorded Future identified that Olympic Destroyer samples targeting the IT service provider were timestamped five minutes ahead of samples targeting the host.
People's Republic of China-aligned Dragonbridge has increasingly experimented with and deployed generative AI tools — such as synthetic audio, AI-generated news hosts, avatars, and images — to scale its political influence operations across social media, though these efforts have ultimately failed to garner significant organic engagement from authentic viewers.
Cascading-Risk Scenarios
Two specific scenarios merit pre-tournament tabletop exercise.
Feb. 28, 2026
Iran's involvement in the U.S.–Israel–Iran kinetic conflict has heightened concerns about potential cyber threats to major international events.
The U.S.–Israel–Iran kinetic conflict that began on Feb. 28, 2026 has reordered the threat surface for any U.S.-hosted event.
late February 2026
Threat actors exploited vulnerabilities in the 2026 World Cup's online ticketing system to gain unauthorized access.
February 2026
DieNet launched DDoS attacks against Bahrain and Saudi airports.
DieNet has specifically claimed DDoS attacks against Bahrain and Saudi airports and Jordanian banks — transportation and finance targets directly relevant to fan-facing infrastructure.
between July 2024 and July 2025
NoName057(16) used Russian Federation-associated hacking tools to target Allied Hacktivists between July 2024 and July 2025.
June 11-July 19, 2026
Pre-tournament tabletop exercises with major hotel groups were conducted to inform IT help desk explicit verification protocols.
Mitigation
• Pre-tournament tabletop exercises with major hotel groups
• Explicit verification protocols on IT help desks
• Segregation of IdP trust from ESXi management
• Offline runbooks for the property-management system

Prioritized Threat Matrix
The following matrix in Table 4 consolidates the assessed likelihood and severity of each evidence-backed threat vector for the tournament window of June 11-July 19, 2026.
2026/05/28
Threat actors exploited vulnerabilities in the 2026 World Cup's online ticketing system to gain unauthorized access and steal sensitive information.
Across 39 days, 16 host cities in three nations will host 104 matches, an expanded 48-team tournament and an estimated five-to-six million in-venue spectators alongside a global broadcast audience approaching half the planet.
June 11, 2026
Threat actors exploited vulnerabilities in the tournament's online ticketing system to gain unauthorized access.
The tournament opens at Estadio Azteca in Mexico City on June 11, 2026, and concludes at MetLife Stadium in East Rutherford, New Jersey, on July 19, 2026.
early 2026
The Handala Hack Team, a front for Iran's Ministry of Intelligence and Security (MOIS), executed significant wiper attacks in early 2026.
The Handala Hack Team, assessed by the U.S. Federal Bureau of Investigation (FBI) and multiple commercial threat intelligence firms to be a front for Iran's Ministry of Intelligence and Security (MOIS), executed significant wiper attacks in early 2026.
July 19, 2026
The threat actors of concern for the 2026 FIFA World Cup are primarily focused on targeting Israeli-made Unitronics Vision Series PLCs, particularly in U.S. water, energy, and municipal targets.
organisation
Threat Vector
Severity
Primary Actor
Threat Vector | Severity | Primary Actor Class
Phishing, fake tickets, lookalike domains targeting fans | Low-medium per fan; cumulative high | Cybercriminal
FanID/FIFA-portal account takeover | Medium | Cybercriminal
Hospitality ransomware against major hotel operator(s) | High | Cybercriminal (Muddled Libra (aka Scattered Spider)/high-profile actors)
DDoS against host-city, federation or ticketing services | Medium | Pro-Russian and pro-Iran hacktivist
Hack-and-leak/doxxing of officials, sponsors, athletes | Medium-high | Iran-nexus (Handala) and adjacent personas
Wiper/destructive operation against a vendor or venue | High-critical | Iran-nexus state-backed; Russia-nexus state-backed
OT disruption at a host-city utility | High | Iran-nexus (CyberAv3ngers-class)
Disinformation/AI-generated content around matches | Medium | Multiple state and non-state actors
Insider compromise at a tournament supplier | High | Cybercriminal-for-hire; state-backed
Mobile malware via fake apps in official stores | Medium | Cybercriminal
Table 4.
Documented surges keyed to politically symbolic events including the NATO Summit, the Ukraine Peace Summit and claims of intent at the Paris 2022 Olympics and the Milano Cortina 2026 Winter Olympics.
The threat actors of greatest concern for 2026 — the Handala Hack Team, CyberAv3ngers, NoName057(16), Muddled Libra, ALPHV affiliates and the broader Iran- and Russia-aligned hacktivist ecosystem — have all demonstrated their capabilities within the last 24 months.
Since 2022, NoName057(16) has conducted over 3,700 verified DDoS attacks against governments and critical sectors in NATO member states.
Do not buy through Telegram, WhatsApp, social media DMs or peer-to-peer payment apps.
Apply phishing-resistant MFA (FIDO2/WebAuthn) to all corporate, executive and high-visibility employee accounts before kickoff.
targeting of Israeli-made Unitronics Vision Series PLCs at U.S. water, energy and municipal targets.
For host-city utilities and municipal operators
Audit every internet-exposed PLC, HMI and SCADA component in water, wastewater, energy and transit operations.
Each match runs on a temporary, multi-ring tournament network grafted onto pre-existing NFL, MLS, CFL and Liga MX stadium environments.
The campaign targets internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) in U.S. critical infrastructure, as well as
Islamic Revolutionary Guard Corps (IRGC)
Mandate that no tournament network, at any ring, permits consumer remote-access tools on production infrastructure for the duration of the tournament window.
Segregate identity-provider trust from VMware ESXi management.
SMS and TOTP MFA are insufficient against the demonstrated tradecraft of Scattered Spider and Handala.
Patch mobile devices.
The hospitality industry's reliance on remote access tools like TeamViewer and AnyDesk for incident response during the 2026 World Cup pre-tournament audit led to a muddled social-engineering campaign by threat actors.
Mitigation:
• Pre-tournament audit of all internet-exposed PLCs per CISA AA26-097A
• Mandated migration off TeamViewer/AnyDesk for OT
• Default-credential audits
• 24/7 OT incident-response retainer
Hospitality Ransomware in Final Week
Scenario: A Muddled Libra-style social-engineering campaign against a major host-city hotel operator collapses room access, mobile check-in and PoS for 48-72 hours during the run-up to the July 19, 2026, final at MetLife Stadium.
Tactical Metrics
Group-IB identified more than 16,000 fraudulent domains and 90 compromised Hayya fan-portal accounts during World Cup 2022 in Qatar.
Phishing, Malware and Lure Themes
Confirmed lure themes from prior tournaments include:
• Lottery winnings
• Ticket cancellations
• FIFA dispute-resolution decisions
• Accreditation problems
• FanID issues
• Free streaming
• Counterfeit merchandise
Expect to see typosquatted FIFA domains, malicious mobile applications, infostealers sold on Telegram, and Telegram-based reseller channels moving money via peer-to-peer payment apps, as seen in Table 2.
Cybercriminal Vector | Primary Targets
Phishing/lookalike domains/typosquatting | All fans, especially first-time international travelers
Fake/resold tickets; FanID account takeover | Fans buying outside the FIFA platform
Hospitality ransomware (High-profile operators) | Hotel chains, property management, casino-resort venues
DDoS against host-city, federation or ticketing services | Pro-Russian and pro-Iran hacktivist targets
Hack-and-leak/doxxing of officials, sponsors, athletes | Officials, sponsors, athletes
QR-code/transportation/parking fraud | Fans moving between host cities
Mobile malware via fake apps in official stores | Android primarily; iOS via TestFlight
Table 2.
Russia-Nexus: NoName057(16) and Allied Hacktivists
NoName057(16) has been the most operationally consistent pro-Russian hacktivist group since March 2022, with an attributed 3,700-plus targeted hosts to the group between July 2024 and July 2025.
Paris Summer Olympics 2024: Multiple cybercriminal and hacktivist groups; one ransomware actor.
Across 39 days, 16 host cities in three nations will host 104 matches, an expanded 48-team tournament and an estimated five-to-six million in-venue spectators alongside a global broadcast audience approaching half the planet.
Federal Layer
Federal agencies have signaled awareness: CISA AA26-097A, the DOJ domain-seizure activity against Iranian cyber fronts and the U.S. State Department's $10 million reward offers indicate active coordination.
Intelligence Sources
Palo Alto
2026-05-28
Last Updated: 2026-06-29T06:03