Skip to main content
Threat IntelligenceEmerging Threats

Cybercriminals, Hacktivists Target 2026 World Cup Infrastructure

Bustling stadium concourse with spectators, staff, and security personnel, and a large video screen in the background.

The 2026 FIFA World Cup will host an estimated five-to-six million in-venue spectators across 104 matches in 16 host cities spanning three nations — a tournament that opens at Estadio Azteca on June 11, 2026, and concludes at MetLife Stadium on July 19, 2026.

A Tournament Built on Many Networks and Municipal Services

The tournament’s technical architecture is a temporary, multi‑ring tournament network grafted onto permanent NFL, MLS, CFL and Liga MX stadium environments. It will draw on a vast, independent supplier ecosystem — stadium operations, security, transit, hospitality, signage, fan‑zone production and last‑mile connectivity — and it depends on municipal services including public transit, signalized traffic, water and wastewater treatment, regional power, airport operations and emergency services. Each of those touchpoints is explicitly within scope for adversaries, multiplying the attack surface across four time zones and multiple regulatory regimes.

Iran‑nexus and OT Threats: Handala Hack Team, CyberAv3ngers

The assessment identifies Iran‑nexus activity as a principal driver of risk for U.S. host cities. The Handala Hack Team is assessed by the FBI and commercial firms to be a front for Iran’s Ministry of Intelligence and Security and executed significant wiper attacks in early 2026. CISA’s joint advisory AA26‑097A confirms an active Iranian‑affiliated campaign targeting internet‑exposed Rockwell Automation and Allen‑Bradley PLCs and Israeli Unitronics Vision Series PLCs at U.S. water, energy and municipal targets — the same categories of infrastructure World Cup host cities will operate under tournament load.

CyberAv3ngers (aka Shahid Kaveh Group, Bauxite, Hydro Kitten and UNC5691) is identified as the IRGC Cyber‑Electronic Command’s industrial‑control‑system arm, with a documented escalation curve that makes municipal OT a primary concern. The assessment explicitly recommends pre‑tournament audits of internet‑exposed PLCs per CISA AA26‑097A, mandated migration off TeamViewer/AnyDesk for OT, default‑credential audits, and 24/7 OT incident‑response retainers. A tabletop scenario flagged as high priority models an Iran‑nexus manipulation of a wastewater PLC overnight before a knockout match producing a public‑health advisory.

NoName057(16) and Pro‑Russian Hacktivism

NoName057(16) has conducted over 3,700 verified DDoS attacks since 2022 and has surged operations around politically symbolic events. The UK NCSC, Eurojust and Europol issued advisories in late 2025 and early 2026; Operation Eastwood (July 2025) disrupted but did not stop the group. Operational characteristics relevant to the World Cup include event‑keying (surges in the 24–72 hours around events), volunteer‑driven scale, and an expansion from pure DDoS into OT targeting via exposed VNC and remote‑access services.

The assessment recommends pre‑positioning DDoS scrubbing capacity, content‑delivery‑network failover and rate‑limiting on all fan‑facing domains, noting NoName057(16) DDoS volumes during Paris 2024 peaked at 190,000 requests/second and recommending that defenders plan for an order of magnitude above that.

Financially Motivated Fraud: Tickets, Hospitality, QR Codes, and PoS

Financial cybercrime is assessed as the highest‑volume, highest‑likelihood threat category. Group‑IB documented more than 16,000 fraudulent domains and 90 compromised Hayya fan‑portal accounts during Qatar 2022. Muddled Libra (operators of ALPHV/BlackCat) and other ransomware groups have shown the hospitality stack — reservations, digital keys, PoS machines and loyalty data — to be high‑value targets.

Ticket fraud typologies to expect include lookalike resale sites, fake social‑media reseller accounts, lottery/giveaway phishing, fake mobile applications and credential‑stuffing against fan portals. Tournament‑specific QR‑code fraud is described as the single fastest‑growing variant, with threat actors likely to deploy fake shuttle passes, parking permits and transit QR codes. The guidance to fans is explicit: buy only on the official FIFA platform or FIFA‑authorized resale partners, verify accommodation listings, treat off‑platform wire transfers and cryptocurrency requests as fraud, and treat transit or parking QR codes with skepticism.

What this means for CISA, host‑city utilities, and fans

  • For CISA, federal partners and law enforcement: the assessment urges pre‑tournament threat‑sharing engagements mirroring ANSSI’s Paris 2024 model and cites active coordination already underway in CISA AA26‑097A, DOJ domain seizures, and State Department reward offers.
  • For host‑city utilities and municipal operators: urgent actions include auditing every internet‑exposed PLC, HMI and SCADA component; changing default credentials; placing PLCs behind segmented firewalls; eliminating direct internet exposure on ports 44818, 2222, 102, 22 and 502; and establishing 24/7 OT incident response for the tournament window.
  • For fans and the traveling public: practical steps from the assessment include using a credit card with chargeback protection for tickets, verifying official FIFA apps against FIFA’s published list, using a reputable VPN or cellular data on public Wi‑Fi, disabling Wi‑Fi auto‑join, and avoiding sideloaded apps.

The assessment’s final, pointed instruction is unambiguous: “The single most important defender posture for 2026 is to assume the attacks will come.” Preparation across jurisdictions, supplier graphs and municipal services — exercised and resourced before kickoff — is the determinative factor between preserved competition and successful adversary disruption.

https://unit42.paloaltonetworks.com/fifa-world-cup-attack-surface/