Unit 42 warns of likely state-linked disruptions, ransomware, and fraud targeting the tournament and multiple city systems
Palo Alto Networks’ Unit 42 warns that the 2026 FIFA World Cup will face a significantly expanded cyber threat landscape due to its unprecedented scale, distributed infrastructure and reliance on interconnected municipal and commercial systems across the United States, Mexico and Canada.
The tournament will span 16 host cities and depend on layered digital and physical networks that include stadium operations, ticketing platforms, transport systems, energy grids, water utilities and emergency services – all of which are assessed as potential targets for disruption or exploitation.
The report assesses that disruptive cyber intrusions, ransomware operations and politically motivated DDoS and hack-and-leak activity are highly likely during the tournament window. It identifies a convergence of threat actors, including Iran-nexus groups targeting industrial control systems and municipal infrastructure, Russia-aligned hacktivist collectives conducting large-scale politically timed disruption campaigns, and financially motivated cybercriminal ecosystems focused on fraud, credential theft and hospitality-related attacks.
A central concern highlighted by Unit 42 is the reliance on existing city infrastructure temporarily adapted for tournament use, effectively creating a “multi-ring” environment in which stadium systems, vendor networks and host-city public services are tightly interdependent. This increases the risk that disruption in one layer could cascade into operational impact across others, particularly during high-attendance matches or globally broadcast events.
The report places the 2026 risk landscape within the context of repeated cyber campaigns against major sporting events over the past decade. Previous incidents include the 2016 Rio Olympics, where Russia-linked actors conducted DDoS activity and leaked anti-doping data; the 2018 Pyeongchang Winter Olympics, where the “Olympic Destroyer” wiper disrupted Wi-Fi, ticketing and broadcast systems; and the Tokyo 2020 Olympics, which saw hundreds of millions of intrusion attempts and sustained phishing campaigns.
More recently, the 2022 FIFA World Cup in Qatar was accompanied by a large fraud ecosystem involving thousands of fake domains and compromised fan accounts, while the Paris 2024 Olympics recorded more than 140 cyber incidents, including intrusions, ransomware attempts and large-scale DDoS activity, though without disruption to competition.
Unit 42 notes that while no major sporting event in recent years has suffered full-scale cancellation or loss of competition integrity due to cyberattacks, the volume, sophistication and geopolitical alignment of threat actors have continued to increase.
The report specifically highlights Iran-linked activity targeting operational technology environments and Russia-aligned hacktivist operations that leverage politically symbolic events to amplify disruption campaigns, alongside a mature cybercriminal market that consistently targets tourism, ticketing and hospitality systems at scale.
Against this backdrop, Unit 42 concludes that the 2026 World Cup will require sustained, cross-border coordination between public and private stakeholders, with particular emphasis on resilience of municipal infrastructure, protection of fan-facing digital services, and segmentation of operational systems to prevent cascading failures across host-city environments.