Cyber criminals target World Cup 2026, says Unit 42

Palo Alto Networks' Unit 42 has published research on cyber threats linked to the 2026 FIFA World Cup, describing the tournament as the largest global entertainment attack surface to date.

Financially motivated cybercriminals are likely to pose the biggest risk to fans, businesses and event infrastructure during the competition. Unit 42 identified three main categories of threat: disruption attacks on systems and services, profit-driven crime such as ransomware and fraud, and disinformation campaigns designed to create confusion and anxiety.

The assessment comes as the World Cup expands to 16 host cities across three countries and a 48-team format. Unit 42 said that broader footprint increases the number of digital systems, suppliers and public-facing services that attackers could target.

Among the most immediate concerns are distributed denial-of-service attacks aimed at interrupting operations, website defacements, and attacks on service providers supporting the tournament's digital infrastructure. Such incidents could affect systems used by fans, venues and organisers.

Hospitality is also a particularly exposed sector. Hotels, booking systems and point-of-sale networks have become more frequent targets for ransomware groups, reflecting what Unit 42 described as a cybercriminal ecosystem that has industrialised against the sector since 2023.

That shift matters because major sporting events concentrate travel, accommodation bookings and consumer spending. Criminal groups can exploit that volume through attacks on reservation systems, payment services and other digital tools used by visitors and businesses around host venues.

Three threat types

Unit 42 divided the risks into three broad groups. The first is disruption, where attackers seek to interrupt operations or degrade services. In a tournament setting, that can range from taking websites offline to targeting suppliers whose systems support ticketing, venue operations or communications.

The second category is profit. This is the highest-volume and most likely source of attacks, covering both ransomware incidents in hospitality and scams aimed directly at fans.

The third is disinformation. State-backed propaganda and coordinated narratives could be used over a longer period to undermine trust and heighten public concern around the event.

The warning extends beyond the host countries. Fans following the tournament from Singapore were singled out as potential targets for fake merchandise stores, fraudulent streaming services and phishing attempts delivered through QR codes at public viewing parties.

These tactics reflect a broader pattern in cybercrime, where major entertainment and sporting events are used as bait for fraud. The combination of urgency, limited-time offers and fan enthusiasm often makes consumers more willing to click links, scan codes or make fast payments without checking whether a seller or service is genuine.

Advice for organisations

For businesses and event-linked organisations, the focus should now shift from preparation to live response planning. Unit 42 advised organisations to map risks across supplier networks and host-city operations, test incident response plans against realistic scenarios, and coordinate across jurisdictions before attacks occur.

Organisations should work on the assumption that attacks will happen rather than treat them as a remote possibility. That approach is especially relevant for companies operating in sectors that interface directly with visitors, including accommodation, transport, food services and retail.

Cross-border coordination may prove particularly important because the tournament spans three countries. That creates more complexity for operators managing compliance, incident reporting and operational resilience across multiple legal and technical environments.

Risks for fans

For consumers, the advice centred on avoiding common fraud routes. Unit 42 urged fans to use only authorised streaming channels and avoid unofficial sites or messaging-platform offers advertising free access to matches.

It also warned against buying goods or tickets through Telegram, WhatsApp, social media direct messages or peer-to-peer payment apps. Credit cards with chargeback protection were identified as a safer payment method when purchases are unavoidable.

Accommodation fraud is another concern, particularly when travellers are asked to make off-platform transfers or pay in cryptocurrency. Such requests should be treated as red flags, and property images should be cross-checked against street-level mapping tools before payment.

Public QR codes at events and viewing parties also pose a risk if they redirect users to phishing sites. Unit 42 advised users to be cautious when scanning codes in public settings and to rely on mobile data or a reputable virtual private network when handling account activity on the move.

It also recommended that fans keep phones updated, avoid sideloading application files, and verify any World Cup-related app before downloading it. With scams often built around fake apps and cloned websites, basic checks on software and payment channels may be among the most practical defences available to consumers.

The report said: "The single most important defender posture for 2026 is to assume the attacks will come."