Skip to main content
Emerging ThreatsMalware & Ransomware

Infostealer Infection Enables Argentine FA Breach

Brightly-lit sports facility with subtle computer hint, and staff in background.

"A compromised machine belonging to a developer with high-level access highly likely handed a threat actor direct database administration rights and the ability to send authenticated internal emails," Hudson Rock said.

Hudson Rock traces an infostealer infection to September 8, 2025

The security shop Hudson Rock reported that it found evidence of an infostealer infection on a device belonging to an Argentine Football Association (AFA) software developer, dating back to September 8, 2025. The developer had been employed at the governing body for nearly a decade, the researchers said, and the compromised machine was added to Hudson Rock's database of known infostealer victims the following day.

How the intruders presented themselves and what they sent

The compromise was noticed after mass emails were sent from legitimate AFA domains. The messages accused Argentina of having "stole[n]" the win from Egypt and warned that "the robbery will not go unnoticed." The intrusion was publicly claimed by an actor calling itself "All Egyptian Cyber Warriors." Hudson Rock said the attackers either sat on the stolen credentials for nearly a year or procured them only after Argentina eliminated Egypt from the World Cup round of 16 — a match whose aftermath included complaints from Egypt's coach and football association about several refereeing and VAR decisions.

Depth of access Hudson Rock says the intruders likely had

According to Hudson Rock's analysis, once an actor authenticated into AFA systems with the stolen credentials they "likely had profound administrative control." The access Hudson Rock describes would have included direct access to phpMyAdmin database management panels, root access to certain AFA databases, the management portal of AFA's training HQ, the AFA media portal, and the competition management system. Hudson Rock also reported that weak, easily guessable passwords were reused across several internal systems.

Data advertised on cybercrime forums

Hudson Rock identified multiple posts on cybercrime forums advertising AFA data for sale. The samples listed in those advertisements, the researchers said, appeared to include internal email addresses, phone numbers, user roles, and registration timestamps, along with listings for access to AFA subdomains. Passwords were among the data advertised; Hudson Rock noted that most were securely hashed, but a small portion were in plaintext — a lapse the company called "a significant security oversight."

What this means for technologists, AFA staff and professional clubs, and external media partners

  • Technologists and security teams: Hudson Rock's timeline underscores the risk posed by an infostealer on a high‑privilege developer machine and the danger of credential reuse across internal systems. Detection and remediation of dormant stolen credentials, and review of password hygiene, are immediate priorities suggested by the findings.
  • AFA staff, professional clubs and internal users: The advertised samples reportedly include internal email addresses, phone numbers, user roles and registration timestamps, and listings for subdomain access — all items that could affect employee privacy and operational security if true.
  • External media partners: Hudson Rock singled out the AFA media portal as among the systems to which intruders likely had access; advertised datasets purported to reference external media partners alongside staff and clubs, making confirmation and defensive coordination important for those third parties.

AFA acknowledgement and ongoing work

The AFA told reporters on Friday that it was investigating the compromise with its IT team after many staff received the intruders' emails. "There is a possibility that our account has been subject to unauthorized access," the AFA stated. "We are currently working to clarify the situation and implement the necessary security measures."

Hudson Rock framed the episode as "a textbook example of how devastating a single, unmitigated infostealer infection can be," calling the combination of a high‑level compromised machine and reused weak passwords a "ticking time bomb" that sat dormant for months. The key open question the record leaves is whether the credentials were abused immediately after the September 2025 infection and went unnoticed, or whether they were harvested and only wielded after the World Cup match prompted the mass emails and the public claim by "All Egyptian Cyber Warriors." The AFA's stated investigation and the advertisements spotted on cybercrime forums will be the immediate avenues by which that question is answered.

Original story