The 2026 FIFA World Cup will be the largest sporting event ever staged. Across 39 days, 16 host cities in three nations will host 104 matches, an expanded 48-team tournament and an estimated five-to-six million in-venue spectators alongside a global broadcast audience approaching half the planet.

The tournament opens at Estadio Azteca in Mexico City on June 11, 2026, and concludes at MetLife Stadium in East Rutherford, New Jersey, on July 19, 2026.

This is the first World Cup to be jointly hosted by three nations. Each match runs on a temporary, multi-ring tournament network grafted onto pre-existing NFL, MLS, CFL and Liga MX stadium environments. It depends on a network of municipal services, including public transit, signalized traffic, water and wastewater treatment, regional power, airport operations and emergency services. Each of those touchpoints is in scope for an adversary.

Based on a review of cyber operations against prior mega-events from 2016 through the Milano-Cortina 2026 Winter Games, this assessment finds that disruptive intrusions, criminal fraud at scale and politically motivated distributed denial-of-service (DDoS) and hack-and-leak operations are highly likely. The only meaningful questions are who, against which targets and at what severity.

There are three drivers in the 2026 World Cup risk picture:

• Iran-nexus activity. The U.S.–Israel–Iran kinetic conflict that began on Feb. 28, 2026 has reordered the threat surface for any U.S.-hosted event. The Handala Hack Team, assessed by the U.S. Federal Bureau of Investigation (FBI) and multiple commercial threat intelligence firms to be a front for Iran's Ministry of Intelligence and Security (MOIS), executed significant wiper attacks in early 2026. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory AA26-097A confirming an active, ongoing Iranian-affiliated campaign. The campaign targets internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) in U.S. critical infrastructure, as well as Islamic Revolutionary Guard Corps (IRGC) targeting of Israeli-made Unitronics Vision Series PLCs at U.S. water, energy and municipal targets. These are the same categories of infrastructure that World Cup host cities will be operating under tournament load.
• Russia-nexus hacktivism. Since 2022, NoName057(16) has conducted over 3,700 verified DDoS attacks against governments and critical sectors in NATO member states. Documented surges keyed to politically symbolic events including the NATO Summit, the Ukraine Peace Summit and claims of intent at the Paris 2022 Olympics and the Milano Cortina 2026 Winter Olympics. Operation Eastwood (July 2025) disrupted but did not eliminate the group. The UK NCSC confirmed continued operations into 2026. The U.S., Canada and Mexico are NATO partners or allies and the World Cup is a politically symbolic event of the highest order.
• Financially motivated cybercrime. Group-IB identified more than 16,000 fraudulent domains and 90 compromised Hayya fan-portal accounts during World Cup 2022 in Qatar. The 2023 Muddled Libra (operators of ALPHV aka BlackCat ransomware) campaign against entertainment organizations demonstrated that the hospitality stack is a target for ransomware operators. The stack includes reservations, digital keys, point-of-sale (PoS) machines and loyalty data. Ticket fraud, accommodation fraud, transportation QR-code fraud and FanID-equivalent account takeover are prime targets at scale across all three host nations.

The Paris 2024 Olympics is a strong example of a recent precedent. French authorities (ANSSI) confirmed at least 140 cyber events during the Games, including 22 confirmed unauthorized intrusions and a ransomware attack against the Grand Palais venue.

None succeeded in disrupting competition, but only because of preparation that began years earlier. Preparation included exercises against 500 Games-linked facilities, and support by sustained government-industry coordination. The 2026 tournament must clear the same bar across multiple jurisdictions, regulatory bodies and languages.

The Bottom Line

Defenders should plan against the possibility of all of the following:

• Cybercriminals targeting fans and the hospitality supply chain
• Iran-nexus disruptive operations against ancillary U.S. infrastructure during the tournament window
• Pro-Russian and pro-Iran hacktivist DDoS and defacement targeting of host-city, federation and ticketing services
• A wiper deployed against tournament IT during a high-visibility ceremony

Previous Attacks Against Major International Sporting Events

Table 1. Previous attacks against major sporting events.

Cybercriminal Threats to Fans and the Tournament Supply Chain

Financially motivated cybercrime is the highest-volume, highest-likelihood threat category for the 2026 FIFA World Cup Games.

Ticket Fraud and FanID-equivalent Account Takeover

Based on the Qatar 2022 Games, there are five categories of ticket-themed fraud:

• Lookalike resale sites
• Fake social-media reseller accounts
• Lottery/giveaway phishing
• Fake mobile applications on official app stores
• Credential-stuffing attacks against the official fan portal

Hospitality and Accommodation Fraud

Attacks against hospitality businesses and platforms, digital key infrastructure, point of sale (PoS) and identity providers and fake short-term rental properties are another potential area of risk.

QR-Code, Transportation and PoS Fraud

Tournament-specific QR-code fraud is the single fastest-growing variant. There have already been observed pre-tournament listing scams, and a high potential for fake shuttle passes, parking permits and official fan transport QR codes that fail when scanned. The geographic spread of the 2026 games in various cities multiplies opportunities for transit-themed fraud relative to single-host-city games.

Phishing, Malware and Lure Themes

Confirmed lure themes from prior tournaments include:

• Lottery winnings
• Ticket cancellations
• FIFA dispute-resolution decisions
• Accreditation problems
• FanID issues
• Free streaming
• Counterfeit merchandise

Expect to see typosquatted FIFA domains, malicious mobile applications, infostealers sold on Telegram, and Telegram-based reseller channels moving money via peer-to-peer payment apps as seen in Table 2.

Table 2. Cybercriminal techniques that are possible during the World Cup.

Geopolitical Threats: Iran-Nexus and Disruptive Hacktivism

The geopolitical context for the 2026 tournament is materially different from any prior World Cup. The U.S.-Israel-Iran conflict has produced a surge in Iran-nexus cyber operations against U.S. organizations. The Russia-Ukraine war and the resulting NATO alignment of all three host nations make pro-Russian hacktivism an additional, parallel risk.

Iran-Nexus: The Handala Hack Team

The Handala Hack Team (aka Banished Kitten, Storm-0842, Void Manticore and Cobalt Mystique) and Ababil of Minab, are just two of several front personas operated by Iran's MOIS directly responsible for wiper attacks, targeting high-level government officials, and doxxing employees of public companies.

Iran-Nexus: CyberAv3ngers and OT Targeting

CyberAv3ngers (aka Shahid Kaveh Group, Bauxite, Hydro Kitten, Storm-0784 and UNC5691) is the IRGC Cyber-Electronic Command's industrial-control-system arm. Its documented escalation curve is the single most important data point for defenders concerned with municipal infrastructure during the FIFA World Cup 2026.

Every World Cup host city in the United States operates municipal water, wastewater and energy infrastructure inside this advisory's threat envelope. A 2024 CISA assessment found over 70% non-compliance with existing safety requirements at U.S. water utilities.

Iran-Nexus: Other Personas and the Electronic Operations Room

Beyond Handala and CyberAv3ngers, multiple Iran-aligned personas — DieNet, APTIran, Cyber Toufan, Cyber Support Front, Iranian Avenger, Cyb3r Drag0nz — have been observed operating through a team named the Electronic Operations Room of Islamic Resistance Axis. This team formed in late February 2026. DieNet has specifically claimed DDoS attacks against Bahrain and Saudi airports and Jordanian banks — transportation and finance targets directly relevant to fan-facing infrastructure.

Russia-Nexus: NoName057(16) and Allied Hacktivists

NoName057(16) has been the most operationally consistent pro-Russian hacktivist group since March 2022, with an attributed 3,700-plus targeted hosts to the group between July 2024 and July 2025. The UK NCSC, Eurojust and Europol issued co-sealed advisories in December 2025 and January 2026 regarding the hacktivist group. Operation Eastwood produced two arrests and seven arrest warrants but did not stop the group, which resumed activity within days.

Three operational characteristics are directly relevant to 2026:

• Event-keying: DDoSia operations have repeatedly surged in the 24-72 hours surrounding politically symbolic events.
• Volunteer-driven scale: DDoSia rewards volunteer participants with cryptocurrency and runs on Windows, Linux, Android and Docker.
• OT expansion: A co-sealed advisory and subsequent UK NCSC alert specifically warns that pro-Russian hacktivists have moved beyond DDoS into operational technology (OT) targeting via exposed VNC and remote-access services.

Information Operations
Major global sporting events have proven fertile ground for state-sponsored information operations aimed at sowing distrust in institutions, embarrassing athletes or nations, and amplifying narratives conducive to strategic interests. Russian influence operations are well established with past reported activities surrounding leaked athlete data, AI-enabled deception and defaming, delegitimization of Ukraine and Ukrainian athletes, narratives of the West against Russia, and pro-Kremlin narratives.

The current conflict in Iran opens the door for potential Iran-based narrative amplification, consistent with its observed hybrid offensive approach, specifically aimed at compounding the division of support for kinetic activity and targeting countries or athletes from Gulf states perceived as adversarial.

People’s Republic of China-aligned Dragonbridge has increasingly experimented with and deployed generative AI tools — such as synthetic audio, AI-generated news hosts, avatars, and images — to scale its political influence operations across social media, though these efforts have ultimately failed to garner significant organic engagement from authentic viewers.

Temporary Multi-City Tournament Infrastructure

FIFA's published tournament structure presents a unique and historically large attack surface. Sixteen host cities span three host nations, four time zones and multiple regulatory regimes. Each match operates a layered, ring-based tournament network grafted onto a permanent stadium environment, depends on a temporary commercial supplier ecosystem and pulls on host-city public services that FIFA does not own. Table 3 lists these rings and the primary cyber risk to each.

Network Rings and What Each Ring Is For

Table 3. Network rings and use cases.

The Supplier Ecosystem

The 2026 supplier ecosystem will be vast. Each host city contracts independently for stadium operations, security, transit, hospitality, food service, signage, fan-zone production and last-mile network connectivity. The Pyeongchang 2018 Olympic Destroyer destructive case is a clear historical warning: Recorded Future identified that Olympic Destroyer samples targeting the IT service provider were timestamped five minutes ahead of samples targeting the host.

Impact on Municipal, State and Federal Infrastructure

Municipal Layer

CISA AA26-097A identifies “Government Services and Facilities (to include local municipalities)” as one of three named target sectors of the active Iran-nexus PLC campaign. Analysis of CyberAv3ngers' targeting found that small municipal authorities are deliberately selected because they manage OT with consumer remote-access tools or expose PLC interfaces directly to the internet. A January 2024 Russian cyberattack on a municipality in Texas resulted in successfully overflowing a water tank after unsuccessful attempts in neighboring water systems. Ransomware attacks on water systems have also occurred.

State and Provincial Layer

Pro-Russian hacktivist DDoS has already demonstrated the ability to take state and local government websites offline for hours. UK NCSC's January 2026 alert specifically called out persistent NoName057(16) targeting of UK local-government services. The U.S., Canadian and Mexican equivalents are inside the same threat envelope.

Federal Layer

Federal agencies have signaled awareness: CISA AA26-097A, the DOJ domain-seizure activity against Iranian cyber fronts and the U.S. State Department's $10 million reward offers indicate active coordination. Defenders should expect and request pre-tournament threat-sharing engagements with CISA, FBI, the Canadian Centre for Cyber Security and Mexico's CERT-MX, mirroring the model that ANSSI ran in advance of Paris 2024.

Cascading-Risk Scenarios

Two specific scenarios merit pre-tournament tabletop exercise.

OT Disruption at Host-City Utility During Match

Scenario: An Iran-nexus actor manipulates a wastewater PLC in a host city overnight before a knockout match, producing a service alert and a forced public-health advisory.

Mitigation

• Pre-tournament audit of all internet-exposed PLCs per CISA AA26-097A
• Mandated migration off TeamViewer/AnyDesk for OT
• Default-credential audits
• 24/7 OT incident-response retainer

Hospitality Ransomware in Final Week

Scenario: A Muddled Libra-style social-engineering campaign against a major host-city hotel operator collapses room access, mobile check-in and PoS for 48-72 hours during the run-up to the July 19, 2026, final at MetLife Stadium.

Mitigation

• Pre-tournament tabletop exercises with major hotel groups
• Explicit verification protocols on IT help desks
• Segregation of IdP trust from ESXi management
• Offline runbooks for the property-management system

Prioritized Threat Matrix

The following matrix in Table 4 consolidates the assessed likelihood and severity of each evidence-backed threat vector for the tournament window of June 11-July 19, 2026. Severity is conditioned on the potential impact to fans, host cities and the integrity of the competition.

Table 4. Prioritized threat matrix of likely cyberattacks.

Recommendations

These recommendations are derived from the threat picture above and from public after-action reporting on Paris 2024 and Milan-Cortina 2026. They are prioritized by impact rather than by category.

For the tournament organization and host-city committees

• Stand up a single, multi-jurisdictional cyber operations center with U.S. CISA, the Canadian Centre for Cyber Security, Mexico's CERT-MX, the FBI, the RCMP and Mexican federal cyber liaison co-located or fully integrated, replicating the ANSSI/Paris 2024 model.
• Inventory the full vendor and supplier graph for each host city and conduct credential-rotation, default-password and remote-access audits across that graph. Prioritize IT service providers and venue operations, which Recorded Future identified as Pyeongchang's primary breach vector.
• Mandate that no tournament network, at any ring, permits consumer remote-access tools on production infrastructure for the duration of the tournament window.
• Pre-position DDoS scrubbing capacity, content-delivery-network failover and rate-limiting on all fan-facing domains. NoName057(16) DDoS volumes during Paris 2024 peaked at 190,000 requests/second; defenders should plan for an order of magnitude above that.
• Run a destructive-malware tabletop. Validate that backups are isolated, immutable and recoverable inside a four-hour window.

For host-city utilities and municipal operators

• Audit every internet-exposed PLC, HMI and SCADA component in water, wastewater, energy and transit operations. Apply CISA AA26-097A and AA23-335A guidance specifically: Change all default credentials, place PLCs behind segmented firewalls and eliminate direct internet exposure on ports 44818, 2222, 102, 22 and 502.
• Engage the FBI, CISA and EPA for sector-specific assessments before kickoff. Where budget is constrained, a single round of vulnerability scans focused on the AA26-097A indicator set is high value.
• Establish 24/7 OT incident response coverage through the entire tournament window.

For hospitality and venue operators in host metros

• Treat the IT help desk as the first line of defense and the most likely point of compromise. Implement out-of-band caller-verification protocols; ban credential resets initiated by phone alone; assume that publicly identifiable employees are reconnaissance targets.
• Segregate identity-provider trust from VMware ESXi management. Previous compromises pivoted from Okta to ESXi to ransomware; that pivot path must be broken architecturally before the tournament, not during it.
• Maintain offline runbooks for property-management, PoS, digital-key and reservation systems. Confirm pen-and-paper fallback works under load.

For sponsors, federations and broadcast partners

• Assume executive personal accounts are in scope for state-aligned hack-and-leak operations.
• Apply phishing-resistant MFA (FIDO2/WebAuthn) to all corporate, executive and high-visibility employee accounts before kickoff. SMS and TOTP MFA are insufficient against the demonstrated tradecraft of Scattered Spider and Handala.
• Pre-build communications response templates for hack-and-leak scenarios; do not draft them under live attack.

For fans and the traveling public

• Buy tickets only on the official FIFA platform or a FIFA-authorised resale partner. Do not buy through Telegram, WhatsApp, social media DMs or peer-to-peer payment apps. Use a credit card with chargeback protection.
• Verify accommodation listings with major platforms; treat off-platform wire transfers and cryptocurrency requests as fraud. Cross-reference street view and listing photos.
• Treat any QR code presented in transit, parking or fan-zone contexts with skepticism. Cross-check with the host city's official transportation app or website before scanning.
• On public Wi-Fi, use a reputable VPN for any account-level activity; better still, use cellular data. Disable Wi-Fi auto-join; remove networks after use.
• Patch mobile devices. Avoid sideloading apps. Verify every FIFA app against the FIFA-published list of official applications.

Final Thoughts

The window for shifting from preparation to live response is closing fast. The 2026 FIFA World Cup conditions are different than at any previous tournament: three host nations, sixteen host cities, a 48-team field, an active U.S.-Israel-Iran kinetic conflict, an ongoing Russia-NATO confrontation and a cybercriminal ecosystem that has industrialized against the hospitality sector since 2023.

The threat actors of greatest concern for 2026 — the Handala Hack Team, CyberAv3ngers, NoName057(16), Muddled Libra, ALPHV affiliates and the broader Iran- and Russia-aligned hacktivist ecosystem — have all demonstrated their capabilities within the last 24 months. This has been proven in public record by what these actors have already accomplished.

Plan for incidents across the full supplier and host-city graph, exercise the response against realistic scenarios and coordinate across jurisdictions before kickoff rather than during the tournament. Where that posture has been adopted, the historical record shows that competition has not been disrupted. Where it has been weaker, adversaries have succeeded. The single most important defender posture for 2026 is to assume the attacks will come.

Additional Resources

• Understanding the Russian Cyberthreat to the 2026 Winter Olympics – Unit 42, Palo Alto Networks
• 2026 Unit 42 Global Incident Response Report – Unit 42, Palo Alto Networks