2026 World Cup billed as ‘largest entertainment attack surface in history’
As the tournament is underway across North America, Palo Alto Networks warns that temporary supplier ecosystems, vulnerable municipal infrastructure, and geopolitical tensions are creating risks for enterprises and fans
Palo Alto Networks has billed the 2026 FIFA World Cup as the “largest global entertainment attack surface in history”, according to new research from its Unit 42 threat intelligence and incident response arm.
With the expanded 48-team tournament underway across 16 host cities in the US, Canada, and Mexico, billions of fans and a network of suppliers have entered the crosshairs of financially motivated cyber criminals, hacktivists, and nation-state actors seeking disruption at scale.
According to Unit 42 researchers, the logistical scale of the 39-day event spanning four time zones and multiple regulatory regimes is creating operational technology (OT) and IT security blind spots.
“Each match operates a layered, ring-based tournament network grafted onto a permanent stadium environment, depends on a temporary commercial supplier ecosystem, and pulls on host-city public services that FIFA does not own,” the Unit 42 report stated, noting that the reliance on fragmented, municipal infrastructure has vastly expanded the scope of potential targets for threat actors.
Profit, disruption, and disinformation
The threat landscape surrounding the tournament has been categorised into three primary attack motives: disruption, profit, and disinformation.
While state-sponsored disinformation and disruptive attacks, such as distributed denial-of-service (DDoS) campaigns and website defacements, are significant concerns, Palo Alto Networks noted that financially motivated cyber crime remains the “highest-volume, highest-likelihood threat”. Hackers have heavily industrialised their attacks against the hospitality sector since 2023, setting the stage for targeted hospitality ransomware affecting reservations, point-of-sale (POS) systems, and widespread fan fraud.
However, the global geopolitical climate adds a layer of risk to the host nations’ critical infrastructure. Unit 42’s research noted that the recent conflicts in the Middle East have reordered the threat surface for any US-hosted event.
Researchers pointed to Iran-nexus threat groups, such as the Handala Hack Team and the Islamic Revolutionary Guard Corps (IRGC)-affiliated CyberAv3ngers, which have previously targeted internet-exposed industrial control systems.
With the 2024 US Cybersecurity and Infrastructure Security Agency (CISA) assessment finding that over 70% of US water utilities are non-compliant with existing safety requirements, municipal water and energy grids in World Cup host cities remain highly lucrative targets for disruption.
As the tournament moves from preparation to live operations, the window for threat mitigation is closing fast. Unit 42 is urging cyber defenders across the event’s supply chain to map out risks across the entire host-city ecosystem, stress-test their incident response plans against realistic scenarios and ensure coordination across jurisdictions.
History shows that where a strong security posture exists, mega-events operate without significant disruption; where defences are weak, adversaries succeed. Summarising the necessary mindset for security leaders, the researchers warned: “The single most important defender posture for 2026 is to assume the attacks will come.”
Protecting fans in APAC
The cyber threat extends well beyond enterprise networks and municipal grids, directly targeting the estimated five to six million in-venue spectators and billions watching at home.
In a media statement issued from Singapore today, Palo Alto Networks warned football fans across the Asia-Pacific region to maintain strong cyber hygiene. Cyber criminals are actively leveraging the World Cup fervour to push fake merchandise stores, fraudulent streaming platforms, and malicious QR codes at local viewing parties.
To mitigate these consumer threats, Unit 42 advised fans to stick exclusively to FIFA-licensed platforms for streaming, warning against third-party sites, Telegram channels, and peer-to-peer payment apps offering free viewing.
When booking accommodation or buying merchandise, fans should cross-reference listing photos and treat off-platform wire transfers or cryptocurrency requests as immediate red flags, ensuring they use a credit card with chargeback protection for all transactions.
The researchers also cautioned against public QR codes at events and viewing parties, which are frequently used by cyber criminals to redirect users to credential-harvesting phishing sites. On the mobile front, fans are advised to keep their devices patched, use a reputable virtual private network (VPN) when on public Wi-Fi or fall back to cellular data, and disable automatic network joining.
Finally, users should avoid sideloading Android applications and ensure any World Cup-related application is cross-checked against FIFA’s published list of official apps before downloading.
