The Cyber Threat to the 2026 World Cup
Major events present a vastly expanded attack surface—but also tend to act as a mirror, reflecting the geopolitical tensions of the moment. The 2026 FIFA World Cup takes the usual complexity of a major event and multiplies it on three fronts: First, it takes place across three international jurisdictions (the United States, Canada, and Mexico), and 16 host cities within them. Second, it significantly scales the digital attack surface across networks, supporting digital infrastructure and the millions of mobile devices present. And third, it takes place against the backdrop of ongoing geopolitical conflicts, including the Russia-Ukraine war and the now reignited U.S.-Israel-Iran conflict—but also coincides with the United States’ 250th anniversary celebrations. Alone, each front presents its own type of cyber risk, but together, they present a cumulative set of risks that makes securing this tournament somewhat unique.
As CSIS colleagues recently outlined, the physical security threats to the World Cup are diffuse and serious. Cyber threats to the World Cup are somewhat more acute; the key threats are likely to be determined cybercriminals targeting ordinary tournament-goers at scale, or state or hacktivist actors seeking to disrupt the tournament for geopolitical or symbolic value. In any case, should such threats materialize, they risk undermining the three host nations and their projection of public safety. The good news is that as with all major sporting events, preparation and exercising runs deep; authorities at all levels will have anticipated cyber and physical threats well in advance and will be ready to mitigate any cyber incidents, letting the show go on.
The Expanded Attack Surface and Cyber Risks
Cyber threats do not exist in isolation, but as one type of threat amid a highly connected operating environment. In the case of this tournament, the World Cup’s expanded attack surface can be broken down into three strands:
- the direct digital infrastructure that enables the tournament: for example, FIFA’s website and ticketing systems, digital systems within stadiums (including Wi-Fi and ticketing), broadcasting infrastructure, and commercial cellular networks;
- the digital infrastructure used by secondary or supporting sites related to the World Cup, such as local transport and transit systems, hospitality, and other local businesses and organizations (and the payment and other electronic systems they rely upon); and
- the millions of devices present belonging to individuals, whether players themselves, VIPs (including world leaders or senior government officials, security services, and business executives), and regular citizens—providing a rich target set.
These create different types of cyber risk that need careful management, whether operational (i.e., where a direct network goes down); cascading (i.e., where supporting infrastructure goes down, but causes impact beyond that system); or geopolitical (i.e., where a cyber incident is directly linked to conflict, such as threatening diplomatic negotiations). Moreover, these risks will be present in a highly integrated environment, where publicly owned services sit atop commercial vendors and infrastructure, making cooperation between the public and private sectors vital.
The Key Cyber Threats to the 2026 World Cup
Cyber threats to the World Cup will look to exploit individuals, disrupt organizations, and undermine the very image and reputation of the tournament. The key threats can be understood as:
Cybercrime: As the Canadian Centre for Cyber Security recently advised, cybercrime is likely to be the primary threat to citizens and organizations at the World Cup. Reporting has pointed to evidence of cybercriminals preparing in advance to exploit patrons; infrastructure was “staged and waiting” to be activated months in advance, with 1,000 suspicious domains registered and Chinese cybercriminals cloning FIFA’s website across 300 domains to harvest fans’ information. This comes as no surprise; the 2026 World Cup offers an ideal environment for cybercrime: fast, international transactions in compressed time frames, unfamiliar merchants, high transaction volumes, and little scrutiny online.
The cybercrime threat is most likely to take shape in the form of cyber-enabled fraud, designed to deceive individuals into giving up their data, personally identifiable information, or financial details. Early evidence points to broad and creative means of deceiving victims, including fake FIFA websites, social media accounts impersonating athletes, and World Cup–themed lures; fraudulent merchandise; job recruitment scams designed to steal credentials; fake livestreaming apps for matches that contain malware; and even fake cryptocurrency tokens and visas. Athletes themselves are no exception; in 2024, Bologna’s team was impacted by a ransomware attack that resulted in a loss of around 200 GB of sensitive data.
Disruption: The 2018 Pyeongchang Olympics were hit by cyberattacks, attributed to Russian military hackers, that disrupted the Olympics website, television, and Internet systems. This attack has hung over preparations for subsequent major sporting events. Disruptive cyberattacks on the World Cup could vary in severity; historical examples range from the less severe Iranian compromise of a French digital signage provider in the Paris 2024 Olympics to a distributed denial-of-service (DDoS) attack that briefly disrupted coverage of a Poland-Austria match during the 2024 European Football Championship. Expected attack types include hacktivism (for example, website defacements or DDoS attacks), where the intent is to use the disruption as a vehicle to send politically driven messages.
More serious disruption will likely be caused by state cyber actors targeting critical infrastructure, including municipal services such as transit, water, or power systems, and even emergency services—ones that are especially vulnerable and tend to be under-resourced, making them low-hanging fruit for determined cyber actors. For example, China compromised a telecommunications provider in the Qatar 2022 World Cup, which could have resulted in severe loss of communications for the tournament were it not averted in time.
Geopolitical tensions amplify the potential for disruptive cyberattacks. In retaliation for the ongoing U.S.-Iran conflict (including the recent Iranian downing of a U.S. helicopter in the Gulf and U.S. retaliatory strikes), and exacerbated by the United States’ decision to deny visas to the Iranian national team staff, Iran’s motivation to attack the United States will be high. Iran has the capabilities to back up this intent; it has a history of penetrating U.S. infrastructure via cyber operations, and hacktivist actors (thought to be fronts for state intelligence agencies) have recently targeted U.S. organizations (supposedly including transit networks). Whether for Iran, or opportunistic states such as Russia, the World Cup provides a strategic and high-profile target for cyberattacks that can actively undermine and discredit the United States as a host nation by undercutting the notion that it can keep its citizens and international visitors safe.
Espionage: Intelligence actors will consider the World Cup a ripe environment for collection. The presence of world leaders, senior government officials, athletes and national delegations, business executives, celebrities, and journalists together in concentrated locations provides an extremely attractive target set for cyber espionage. For example, in the 2026 Milan-Cortina Winter Olympic Games, Russia-linked hackers were found to have targeted the Italian embassy in Washington, D.C., along with hotels and other Olympic sites. Russian, Chinese, and Iranian cyber actors will be the most likely to pursue this type of activity in support of their broader strategic objectives, whether gathering intelligence on specific officials linked to conflict negotiations, dissidents, or citizens of their states, or against specific organizations, including sporting bodies.
Attack Types Adjacent to Cyber Operations
The exploitation of major sporting events fits a broader hybrid threat approach: using different levers of statecraft to undermine adversaries. Beyond cyber operations, the furor of social media activity around the World Cup provides a fertile environment for information operations that directly fit this playbook, including disinformation campaigns. Designed to “pollute the information space”—whether by causing chaos, confusion, or disrupting a sense of public safety—state actors will seek to undermine and discredit the host nations and their ability to host the tournament. For example, ahead of the 2024 Paris Olympics, Russian actors released a deepfake video denouncing the International Olympic Committee in retaliation for its exclusion from the games owing to the ongoing Russia-Ukraine conflict, while also utilizing AI-generated videos portraying Paris as a crime-ridden area and making the videos available in multiple languages for broader reach.
This approach bleeds into the physical domain, too; during the Paris 2024 Olympics, internet cables were cut in an act of sabotage, disrupting the provision of Internet services and mobile connectivity across France. Crucially, whether disruptive cyber incidents or adjacent threats, these types of attacks have the potential to generate cascading risk through their secondary impact—such as the social impact that follows, whether societal tensions, chaos, or even public disorder.
Preparedness and Response
Security practitioners in this World Cup will need to coordinate a layered response to any cyber incidents. Thankfully, previous major sporting events—including World Cups, European Football Championship tournaments, and Summer and Winter Olympic Games—provide a valuable baseline and institutional learning to draw upon. For example, in response to over 140 cyber incidents occurring during the Paris 2024 Olympic and Paralympic Games, France stood up a team of 630 cyber security experts, whose work in continuous threat monitoring, analysis, exercising, and joint coordination with private sector partners was critical to ensuring success and provides an excellent blueprint for defensive cyber security of events.
Where this World Cup differs in its cyber security response is the scale and complexity of partners involved in securing its sprawling digital infrastructure. This includes three international jurisdictions; federal, state, and municipal levels domestically; public or private sector owners or operators of critical infrastructure; and commercial vendors.
The U.S. government will be ready. The White House established a task force on the FIFA World Cup in 2025 to oversee efforts to safeguard the tournament, coordinating across the government, private sector, and international partners. As CSIS colleagues have detailed elsewhere, the United States has also designated most of the World Cup games as nationally significant security events (and the final itself as a National Special Security Event), which will ensure a hardened response by unlocking greater intelligence-sharing, monitoring, and emergency preparedness planning. The United States Cybersecurity and Infrastructure Security Agency (CISA) has also been preparing extensively, undertaking training exercises, assessments of cyber and physical vulnerabilities at most host stadiums, and close cooperation with federal, private, and international partners to mitigate cyber risks.
Where the United States risks having fallen short is in relation to resources and funding. CISA’s preparedness and capacity to engage was impeded by the Department of Homeland Security shutdown earlier this year, reducing CISA’s staff down to 40 percent of its operating capacity and hindering information exchanges with partners. And although the Department of Homeland Security made $625 million in funding available for host states and cities in the United States to cover security costs, the grant lacked any sort of provision to mandate eligible entities to enhance their cyber security or resilience to cyberattacks. In a period where the primary concern of many host sites is unauthorized drones, this effectively left cyber security competing with other threat types for the same pool of funding. What may help this shortfall is the application of AI; just as AI is being used to enhance public safety services, it will undoubtedly be applied in a cyber defense context, helping cyber defenders to monitor for threats, analyze live intelligence, and ultimately help to scale their operations.
Conclusion
The World Cup presents a complex and dynamic threat surface that will be a ripe target set for malicious actors. The likes of Russia, China, and Iran actively seek to exploit any major event to undermine other states’ credibility—particularly where those states are oppositional or negotiating partners—while cybercriminals will use such events as pretexts or lures for financial gain.
Despite the range of threats faced across the tournament’s vast attack surface, preparedness levels will be high, and it is unlikely that the more severe or disruptive incidents will materialize. Most importantly, if they do, the priority will be resilience: ensuring core systems have the capacity to absorb attacks if targeted, or to quickly recover if they are hit. The World Cup may also prove to have impacts lasting beyond the tournament; in the longer term, it could ultimately serve as a valuable exercise to raise the overall baseline of cyber security standards in host states and cities. Ahead of the United States hosting the 2028 Olympics in Los Angeles, as well as the 2034 Winter Olympics in Salt Lake City, to be well rehearsed for cyber threats to major, nation-wide events is no mean feat.
Nikita Shah is a senior fellow with the Intelligence, National Security, and Technology program at the Center for Strategic and International Studies in Washington, D.C.