As the World Cup has taken center stage this summer, millions have attended the games in stadiums across North America, and hundreds of millions more have watched from home.
These fans are largely unaware of the unseen battalion of IT professionals working to keep cybercriminals from capitalizing on the worldwide event.
The US Federal Bureau of Investigation in May 2026 issued a public service announcement warning the public about cyber threat actors spoofing FIFA’s website to steal personal information and money from unsuspecting fans.
FIFA’s own systems have proved just as exposed. In June, an ethical hacker who goes by “BobDaHacker” published a blog post explaining how she — and how anyone — could have gained the ability to modify live TV broadcasts during World Cup matches.
The security researcher claimed she simply registered as a player agent on the official agent platform. Thanks to having an account, combined with a flaw in FIFA’s back-end API, she was able to access several internal FIFA platforms, including the system controlling what appears on TV screens worldwide and on commentators’ monitors during live matches.
She reported the flaw on the night of Tuesday, June 16, Japan time, and FIFA fixed the issue a few hours later.
“This incident is a stark reminder that cyber risk doesn’t only stem from sophisticated attacks and sometimes it’s the simplest gaps, like broken access controls, that result in dangerous exposure,” says Danielle Kinsella, technical advisor EMEA at cybersecurity firm Gigamon.
She adds that, given their scale, visibility, and reliance on digital and streaming infrastructure, “organizations must assume identities can and will be misused.”
“This means full visibility across all data in motion is critical, particularly within systems like broadcast infrastructure, where without real-time detection threats can escalate quickly.”
So what makes the World Cup such a target, who can anticipate cyber risk and what lessons can organizations take from this worldwide event?
Who’s at risk?
“The World Cup is the most-watched sporting event on the planet,” says Pete Hannah, vice president of sales at Object First. “1.42 billion people tuned in for the 2022 final, so if an attacker is motivated by disruption, influence or reputational damage rather than simply financial gain, there is no more high-profile sporting event to target.”
Thomas Peacock, director of global fraud intelligence at BioCatch, outlines that excited fans are some of the most vulnerable to attack: “For many, seeing their team play in person at a World Cup is a once-in-a-generation experience. That emotional pull, combined with the fear of missing out, can push fans to act hastily when ticket-buying opportunities present themselves.”
That combination makes fans a prime target for fraud: “scarcity rewires behavior, causing urgency to spike and creating the ideal conditions for social engineering,” Peacock says.
“Fraudsters exploit this imbalance in supply and demand by creating fake ticket sites and phishing campaigns, indistinguishable from legitimate last-chance ticket drops.”
Peacock emphasizes it is on financial institutions to evaluate user intent throughout every moment of every digital banking session, to consistently identify these scams before any money leaves the potential victim’s account.
Hannah says multiple targets may attract attackers, including ticketing, accreditation, broadcast systems and partner-connected platforms, all of which contend with large user populations, complex integrations and tight operational timelines.
“Identity systems are also a common target because a single compromised account can provide access to multiple environments,” he adds.
Comparing to other events
During the Milan Winter Olympics earlier this year, cybersecurity firm Netscout found that distributed denial-of-service, or DDoS, attacks on Italian infrastructure surged 181% over 2025 levels.
DDoS attacks flood websites, servers or networks with overwhelming internet traffic in order to make them fail. The firm found that attacks during the Winter Games period (Feb. 6–23) averaged 720 daily. Moreover, the 2025 baseline was itself elevated by sustained NoName057(16) campaigns. That means the 181% growth was on top of an already high base, not a typical year.
Darren Anstee, chief technology officer for security at Netscout, tells TechInformed, “For every event we see, we tend to see an escalation in the capability of attackers, changing tactics around targeting.”
“Given the various geopolitical tensions around the world, with Russia, Ukraine and what’s going on in the Middle East, we anticipate seeing significant attack activity this summer as well.”
He says it is predominantly hacktivist groups, who have varying strategies when it comes to their targets and goals, that are behind such attacks.
“Some are looking to actually have an impact on infrastructure. Some are simply looking to make noise.”
He explains that in Milan, the firm saw a mixture of targets, including public-facing websites of sporting events, the web presences of major sponsors, transport infrastructure and the services that websites rely on in the background.
“They’re looking for things that are less well defended, where they can have an impact and potentially a bigger knock-on effect.”
Plus, with the World Cup spanning three countries — the US, Canada and Mexico — the threat surface is far wider, he says.
“Some of it will be very well defended … but it’s the broader threat surface where you get more of a problem — attackers will be looking for that weak link, whether it’s one step away from a primary target, two steps away, whether it’s saturating a regional Wi-Fi hotspot, knocking over a payment processing gateway somewhere, or targeting hotel booking sites.”
Or, as BobDaHacker found, accessing FIFA’s systems via its agent website.
Lessons for organizations
Object First’s Hannah says one lesson organizations can take from the event is that resilience depends on recovery.
“On a football pitch, success is determined by how well a team recovers: How well it recovers from a goal down. How well it recovers from the adrenaline rush of scoring. Even how well it recovers from simply losing possession.”
He says event organizers are judged similarly: “Slow recovery from a data incident and downtime simply increases the window for media scrutiny and stakeholder anxiety, which can cause lasting harm.”
“Yet if companies are resilient and can recover quickly, the window for any negativity is greatly reduced and a rapid response could actually strengthen brand reputation.”
The World Cup’s weak points are the same ones enterprises live with, even if it may be on a smaller scale. Sprawling third-party ecosystems, identity systems and the mundane access-control gaps that aren’t being monitored.
The World Cup ends in July, but the exposure doesn’t. CISA, the federal lead for cybersecurity at the 2026 World Cup, says the event is one link in a chain that runs on to the America 250 celebrations and the 2028 Los Angeles Olympics.