IBC
article here
Alongside financially motivated cyber crime, politically motivated
hacktivists are also likely to target organisations linked to the tournament
through distributed denial-of-service attacks, website defacements and
disinformation campaigns.
The FIFA World Cup will be the largest, most digitally
connected sporting event ever staged. Billions of viewers, millions of devices,
sprawling broadcast infrastructure, and a three‑nation footprint create a
perfect storm of opportunity for cyber-attack.
“This tournament will face more sophisticated, more
automated, and more politically charged cyber-attacks than any event before
it,” warns Darren Anstee, CTO for security at Netscout.
The scale of the tournament across the U.S, Canada and
Mexico dramatically increases the potential attack surface for criminals and
hacktivists alike.
Matt Hull, VP of Cyber Intelligence and Response at
Manchester-headquartered global cyber security firm, NCC Group says the 2026
World Cup will present cyber criminals with “the biggest opportunity to make
money this year”, as threat actors increasingly exploit global sporting events
for fraud, disruption and political activism.
All the host nations recorded an increase in the weekly average number of cyber-attacks in April 2026 compared to both March 2026 and April 2025.
A history of attacks
Cyber-attacks targeting major sporting events are nothing
new. “Pretty much every single one of them over the last 20 years has seen
attack activity,” Anstee explains. The severity varies depending on
geopolitics, the host nation, and even the sponsors involved.
During the 2022 World Cup in Qatar, a China-linked crime
group reportedly
hacked into a major telecommunications provider, syphoning customer data
and with potential to blackout live streaming of the games. Cybercriminals stole
personal data from 15000 Uefa customers during Euros 2024; the French
authorities recorded over 500 cybersecurity events during the Paris Olympics
and earlier this year, Russian hackers targeted
foreign ministry offices and Winter Olympics sites, including hotels in
Cortina.
Anstee explains that attackers begin probing infrastructure
six months before the event and ramp up again three months out.
“During the event, attacks spike around opening ceremonies,
closing ceremonies, and high‑profile matches,” he says. “Some attackers aim for
real disruption like taking services offline and keeping them down. Others
simply want attention, using the global spotlight to amplify their political or
ideological message.”
What makes 2026 different is the combination of geopolitical
tension, automation, and scale. The last five years have seen a surge in
activist‑driven cyberattacks linked to conflicts in Ukraine, the Middle East,
and other flashpoints.
“This is a great opportunity for activists to get out their
messages,” Hull says. “Being able to take down services that are associated
with this event to impact the reputation of North America in general.”
DDoS
A major concern are Distributed Denial of Service (DDoS)
attacks where the aim is to disrupt or take down the live stream. Netscout has
identified over 100 groups actively using DDoS as a tool. Their attack
campaigns, which can last days or many weeks, fall into three major categories.
Anstee explains, “The ones grabbing the headlines happen
when the network is flooded by 20-30 terabits designed to overwhelm
connectivity. If you fill the pipe everything behind it is unreachable.”
So-called ‘state‑exhaustion’ attacks target firewalls and
load balancers with extremely high packet rates, overwhelming their ability to
track connections.
The most sophisticated, and the hardest to detect, are
application‑layer attacks. In this type of attack, bots behave like real users.
They connect over TLS, even logging in and issuing queries.
“They are mimicking normal behaviour but at scale, they
crush the application’s ability to serve legitimate users,” Anstee says. “There
are also more supply‑chain dependencies and more legitimate traffic sources
making geolocation filtering harder. It makes the threat surface bigger and it
makes simple things harder.”
Every digital service associated with the tournament
represents a potential target for DDoS. Not just for financially motivated
attackers, but also for politically and ideologically driven actors looking to
make a statement on the world stage “in the most-viewed country-versus-country
competition.”
Streaming and broadcast platforms
Rights‑holders worldwide are on high alert. They’ve paid
enormous sums for exclusive distribution rights and attackers know that
knocking out a national broadcaster during a key match would cause chaos.
“You might not even need to hit the media itself,” Anstee
says. “If you can’t log into your TV service, you can’t watch the match.”
Attackers increasingly target secondary vendors upstream of
major services which are likely to be less defended. Anstee explains, “If I
knock one of them over, what’s the downstream impact? Does it slow things down?
Stop things in certain regions?”
With the World Cup spread across three countries, the supply
chain is larger and more complex than ever.
Rather than directly targeting FIFA infrastructure, many
attacks are expected to focus on the wider ecosystem supporting the event,
including airlines, transport operators, hotels, payment systems and ticketing
providers.
“All of the things that are critical to making the event a
success are likely to be targeted,” Hull says. “How bad would it be if you
can’t fly over to North America because one of your flights has been cancelled
because of some activist activity? Or you’re over there and you can’t buy your
tickets?”
Criminals are already using the World Cup as bait in
phishing campaigns and fake online stores.
“We’re starting to see through some of our research phishing
links being used with the World Cup as context, fake merchandise sites being
spun up to buy kits.”
Automated attack
The rise of artificial intelligence has also made cyber
fraud more convincing and easier to scale.
“Gone are the days of the dodgy phishing email that’s badly
written,” Hull says. “AI-generated websites, deepfake videos, fraudulent
betting platforms, and fake social media content could all be used to support
scams or spread disinformation during the tournament.”
For consumers, the primary risks are likely to be ticket
scams, fake merchandise websites and payment fraud. But Hull also warns that
successful cyber attacks on infrastructure providers could create wider
disruption for travellers and fans.
“It’s going to be scams essentially. Or they’re going to be
losing money because they bought a dodgy ticket or they’ve purchased from a
website that isn’t legitimate.”
More alarming is the rise of AI‑driven attack tools using
chatbots.
“A novice can now orchestrate a complex, multi‑stage attack
with a single instruction: ‘Disrupt this service tomorrow during business
hours’,” Anstee says
Chatbots can automatically run reconnaissance to select the
most vulnerable points of attacks. They can be programmed to launch attacks at
scheduled times, monitor the ‘success’ or otherwise and adjust tactics on the
fly.
Botnets like Mirai
variants (a range of malware), and the AISURU
botnet (reportedly the most powerful ever), and others now include millions of
compromised devices. “You don’t need high‑rate traffic anymore,” Anstee
explains. “If you’ve got a million and a half devices, each doing a tiny
amount, you can generate enormous impact.”
Parking the bus
The role of cybersecurity specialists is to support the
service providers, broadcasters, and sponsors who form the digital backbone of
the tournament.
“No single layer can stop every attack,” says Anstee. “A 30‑terabit
flood must be handled by the service provider, not the enterprise. But small,
stealthy application‑layer attacks must be caught at the enterprise edge.
Over 540 service providers feed data to Netscout every hour,
generating intelligence on 16 million attacks per year. This allows the company
to identify active botnets, track attack infrastructure and feed intelligence
back to customers in realtime.
Coordination is important too. For events like the World Cup,
service providers, vendors, sponsors, and governments are sharing information.
“It’s one of the reasons you haven’t seen major outages so far,” Anstee notes.
For major organisations involved in the tournament, Hull
advises cyber preparedness should focus on “doing the basics right”, including
password security, resilience testing and incident response planning. But he
also stressed the importance of preparing staff for increasingly sophisticated
social engineering attacks.
Hull says, “Major sporting events like this combine huge digital dependency with emotional public engagement and that creates ideal conditions for cyber-attacks and online scams.”
