2026 FIFA World Cup Threats: What Host Cities, Sponsors, and Public Safety Officials Need to Know

Starting tomorrow, millions of people will gather in sixteen host cities across the United States, Canada, and Mexico to cheer on their teams in the 2026 FIFA World Cup. Securing the tournament will require preparing for a mix of physical security risks, cyber threats, scams, protests, politically motivated activity, and reputational disruption tied to one of the world’s most visible sporting events.

The World Cup’s global profile creates an attractive target environment for a wide range of threat actors. Cybercriminals are already exploiting tournament demand through fraudulent domains, fake stores, credential-harvesting sites, and advertising campaigns. Hacktivists and influence operators will likely try to use the event’s visibility to amplify political narratives or claim responsibility for disruptive activity. At the same time, public safety officials must manage the physical security challenges associated with large crowds, soft targets, protests, transportation hubs, hospitality infrastructure, and fan zones.

Together, these risks create a blended cyber-physical threat environment that requires coordination across public safety, cybersecurity, fraud, legal, communications, brand protection, executive protection, travel security, and third-party risk teams.

An assessment of physical, cyber, and fraud threats to the 2026 FIFA World Cup, visualizing various risk categories associated with the event

Figure 1: Assessment of physical, cyber, and fraud risks affecting the 2026 FIFA World Cup

(Source: Recorded Future)

Securing Cities Against Physical Threats

Each host city has a unique security profile and a subsequent set of risks. In Mexico, plans to mobilize as many as 100,000 security personnel across the country’s World Cup sites are intended to deter cartel violence. However, demonstrations, protests, and strikes organized around the games will further complicate the security situation. Demonstrations in the weeks leading up to past World Cups have blocked traffic and caused disruption around venues. The presence of heavily armed or militarized security forces increases the risk that encounters with protesters could escalate into violence.

Chart comparing composite country risk scores for Canada, Mexico, and the United States regarding the 2026 FIFA World Cup.

Figure 2: Composite Country Risk Scores for Canada, Mexico, and the US, compiled for the Threats to FIFA 2026 World Cup report (Source: Recorded Future)

Meanwhile, cities in the US and Canada are preparing for an elevated, though low-probability, threat of violent extremism. US or Canada-based supporters of the Islamic State have targeted sporting events in the past, notably the deadly attack on Bourbon Street in New Orleans, Louisiana, ahead of the 2025 Sugar Bowl. An attack on the upcoming World Cup would likely focus on soft targets such as fan zones, watch parties, and transportation and hospitality infrastructure, where security is less concentrated.

Geopolitical developments may also affect the threat environment. The Iran War elevates the risk of politically motivated activity by actors seeking to use the tournament’s visibility to draw attention to their cause. Recorded Future reporting has identified Iranian hacktivist personas shifting from promoting cyberattacks to physical attacks, such as arson. While this activity has previously centered around Israeli targets, accounts linked with these personas have expanded their online presence to other regions and languages following the start of the Iran War. As of this writing, Insikt Group has not identified evidence of activity connected to the World Cup.

Cybercriminals Already Exploiting World Cup Demand

Cybercriminal exploitation of World Cup demand and branding is already underway. Threat actors are using the tournament’s global visibility to impersonate FIFA, host cities, ticketing providers, retailers, and other organizations associated with the event. These operations create risks for fans, public-sector organizations, sponsors, affiliates, vendors, hospitality providers, transportation companies, and other businesses connected to the tournament.

In one purchase scam campaign active between April and May 2026, Recorded Future identified 33 World Cup-themed domains that lured users through a network of 2,500 online ads. These sites impersonated legitimate World Cup-themed stores to sell users products that did not exist, stealing their payments and credit card information along the way. In addition to fraudulent ads, these sites attracted visitors by compromising legitimate sites that appeared in search engine results and rerouting victims to scam sites.

The impact of these campaigns extends beyond individual victims. FIFA and other impersonated companies risk losing potential revenue from redirected customers and may also suffer reputational damage when customers associate a negative shopping experience with legitimate brands.

As the tournament approaches, suspicious domain registration activity is intensifying. In the weeks leading up to the tournament, over 1,000 suspicious domains had already been registered that used “World” and “Cup.” In a separate campaign, Chinese-speaking cybercriminals cloned FIFA’s official website across 300 domains, likely to harvest soccer fans’ credentials.

Insikt Group is also tracking hundreds of suspicious registrations of event-linked host city domains that cybercriminals could use to impersonate official World Cup sites, commit fraud, conduct phishing, or deploy malware. While much of the activity observed so far has impersonated FIFA brands, threat actors will likely expand operations to include vendors, hospitality and transportation providers, ticketing platforms, sponsors, and affiliates.

Threat actors are likely able to use AI to make impersonation attempts more realistic, increasing the risk that phishing, fraud, and social engineering operations will succeed. These activities introduce direct risks to World Cup sponsors and affiliates through brand abuse, financial fraud, credential theft, customer harm, and reputational damage.

High-Value Attendees and Organizations Face Targeted Cyber Risks

World Cup-related phishing and credential-harvesting activity will likely affect more than fans and consumers. State-sponsored actors may use World Cup-themed infrastructure for targeted espionage against senior government officials, diplomats, security personnel, journalists, executives, sponsors, vendors, teams, and other individuals of interest who are likely to attend or support the games.

Groups like Russia’s BlueDelta, for example, frequently use targeted lure material to harvest credentials from intelligence targets. World Cup-related lures could provide a timely and credible pretext for phishing emails, fake login portals, malicious attachments, or impersonation of legitimate event-related services.

Sponsors, affiliates, vendors, and supporting organizations also face ransomware and extortion risks. Threat actors may target companies associated with the tournament because disruption during a globally visible event increases pressure on victims to pay the demanded ransom. Hospitality providers, transportation companies, retail partners, software providers, ticketing platforms, media organizations, and other third parties may be particularly attractive targets because of their operational roles in the event ecosystem.

Even if core tournament infrastructure remains unaffected, ransomware or credential compromise affecting a sponsor, supplier, or local service provider could create operational disruption, reputational damage, and legal or compliance exposure.

Hacktivists and Influence Networks Look to Score Political Points

Online hacktivists will likely attempt to exploit international attention on the World Cup to amplify political causes. These groups may target host cities, tournament infrastructure, sponsors, affiliates, or supporting companies to maximize visibility and disruption. Many hacktivist operations involve nuisance-level activity, such as distributed denial-of-service attacks or website defacements, but some groups also seek sensitive information to expose in “hack-and-leak” operations.

In some cases, hacktivists have partnered with historically financially motivated groups to demand extortion payments for stolen data, using political pressure to strengthen extortion demands. This likely reflects the mutual benefit these actors see in exploiting high-profile and politically charged narratives to maximize pressure on victims.

Since the start of the Iran War, proxy hacktivists likely linked to Iranian intelligence services have actively conducted disruptive operations against private companies, including an attack on a medical device company that temporarily shut down operations. The connection to expertise and resources within Iranian intelligence makes these hacktivists more likely to carry out an effective attack.

While disruptive cyberattacks are less likely than cybercrime or espionage, even temporary disruptions could fuel negative political narratives. Any disruption, whether malicious or unintentional, is likely to be amplified by overt and covert information networks seeking to damage the reputation of host cities, sponsors, affiliates, or the tournament itself. So far, Insikt Group has observed overt channels, notably state-run television and traditional media outlets, as the most active in promoting narratives that undermine host-country legitimacy.

The combined threat of hacktivists and influence operators increases the risk that a cyber incident, physical disruption, or even a minor service interruption becomes part of a broader political narrative.

Keeping Ahead of the Threats

Public officials, sponsors, affiliates, vendors, and supporting organizations should prepare for the World Cup as a blended cyber-physical security challenge. Host cities should coordinate public safety, emergency management, transportation, venue security, and cyber defense planning. Corporate sponsors and affiliates should coordinate security, cyber, fraud, legal, communications, executive protection, travel, brand protection, and third-party risk teams before the tournament begins.

Monitoring for emerging threats can help organizations anticipate cyberattacks, criminal operations, or physical security concerns before they escalate. Key indicators include new malicious digital infrastructure, suspicious World Cup-themed domain registrations, phishing lures, credential-harvesting pages, increased reconnaissance activity such as network scanning, ransomware claims, dark web activity related to the World Cup, and hacktivist narratives targeting host countries, cities, sponsors, or affiliates.

Organizations should also track geopolitical developments, particularly those related to the Iran War, because political events could increase the likelihood of hacktivist activity, influence operations, or threats linked to political triggers.

The 2026 FIFA World Cup will bring together millions of fans, global brands, government officials, public safety agencies, and supporting businesses across three countries. However, its scale and visibility make it an attractive target for a wide variety of threat actors. Organizations that prepare across cyber, physical, fraud, brand, and communications functions will be better positioned to reduce risk, protect people, and limit disruption during the tournament.

See Threats to the 2026 FIFA World Cup for a full analysis of threats and mitigations.

About Insikt Group^®

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.