
Security Threats at the 2026 FIFA World Cup: What Intelligence Reveals Before Kickoff

by Maddie Bullock

Tickets for the 2026 FIFA World Cup are being sold on Telegram and credentials tied to fifa.com accounts are circulating on dark web marketplaces. A threat actor is even advertising server access allegedly linked to New York FIFA infrastructure. And the tournament hasn't even started yet.

The 2026 FIFA World Cup will be the biggest in the event's history, and clearly the threat picture is shaping up to match. Across 39 days, six million fans are expected to attend 104 matches in 16 cities spread across the United States, Canada, and Mexico. It's the first time three countries have co-hosted, the first time 48 teams have competed, and the first time the tournament has run this long.

If you're heading to a match, covering the tournament, or living, working, or traveling anywhere near it, the threats facing this tournament are worth understanding. The ZeroFox Intelligence team recently released an assessment of the security environment, and this post breaks down the findings that matter most for fans, no security background required.

A Tournament Unlike Any Before

The 2026 World Cup isn't starting from scratch. The FIFA Club World Cup 2025 and Copa América 2024 were both held in the United States at many of the same stadiums and served as a partial test run. However, the results of those test runs were not reassuring.

During CWC 2025, ZeroFox observed active ticket scam operations running across Facebook, WhatsApp, and third-party sites. During the 2024 Copa América final at Hard Rock Stadium in Miami, tens of thousands of ticketless fans overwhelmed security gates and breached entry points, delaying the match by over an hour despite more than 550 law enforcement officers being on site. The ZeroFox team assesses that many of the threat vectors observed at CWC 2025 will recur during the 2026 World Cup at a significantly amplified scale.

The current geopolitical environment adds layers of complexity that previous tournaments haven't faced: an ongoing U.S.-Israeli war with Iran, trade tensions between all three host nations, domestic political unrest in the United States, and persistent cartel violence in Mexico's host cities.

Put together, that's a familiar set of risks layered on top of an unfamiliar amount of complexity. The organizers are working with a bigger, more complicated security picture than any previous host, and the threats are already taking shape. Read on to see where those risks are showing up first.

Cybercriminals Are Already at Work: What to Look Out For

The cyber threat activity around this tournament started well before the opening match.

On May 27, 2026, the FBI issued a Public Service Announcement warning that threat actors are actively spoofing FIFA websites to steal personal and financial information, including names, email addresses, phone numbers, home addresses, and banking details. The FBI noted that bad actors are using these campaigns to sell fake tickets, harvest credentials, and facilitate broader fraud operations.

The ZeroFox Intelligence team has corroborated and extended that picture significantly. Here’s what the team found:

  • Ticket fraud is already happening. The ZeroFox team uncovered an active Telegram channel, "FIFAWorldCup_Tickets," where users are openly trading unauthorized World Cup tickets. FIFA is the sole authorized seller, and tickets are available exclusively through fifa.com. Any other channel carries scam risk.
  • FIFA infrastructure is actively targeted. Our team identified 29 recently uploaded infostealer logs containing fifa.com email addresses for sale on Russian Market, uploaded between May 2024 and May 2026. Separately, ZeroFox extracted 88 compromised credentials associated with the @fifa.com email domain and more than 379,360 compromised logins to various fifa.com infrastructure and subdomains, including volunteer and employee accounts, from private threat-actor log repositories between July 2025 and May 2026.
  • Dark web actors are claiming access. On March 12, 2026, a threat actor identified as "t2m3g" posted on the dark web forum ReHub advertising unauthorized Remote Desktop Protocol (RDP) and cloud console access allegedly linked to New York FIFA servers. On April 20, 2026, a separate actor named "MDGhost" claimed on the Breached forum to have exfiltrated data from the Royal Moroccan Football Federation, allegedly including passports, FIFA IDs, photographs, and contact details.
  • Old breaches are being recycled. On February 8, 2026, a previously reported data set containing over one million 2018 FIFA World Cup attendee records was redistributed on a dark web forum. ZeroFox assesses that threat actors very likely seek out older event data to target current attendees with phishing and spam campaigns, sometimes years after the original breach.

State-Aligned Threats Add a New Dimension

The U.S.-Israeli war with Iran, which began February 28, 2026, introduces a category of cyber risk that wasn't present at previous tournaments: state-aligned hacktivist operations targeting U.S. critical infrastructure.

Handala Hack Team is the most prominent threat collective ZeroFox has observed during the Iran conflict. According to a U.S. Department of Justice release, Handala is considered one of several personas used by a hacking unit within Iran's Ministry of Intelligence and Security (MOIS). The group has repeatedly targeted Western and U.S.-aligned entities, including government infrastructure, in direct retaliation for U.S. and Israeli military action.

Other active groups include Ababil of Minab, which claimed in March 2026 to have breached the Los Angeles County Metropolitan Transportation Authority, allegedly exfiltrating more than 1 terabyte of sensitive user data and wiping 500 terabytes from the agency's infrastructure. In May 2026, the same group claimed to have sabotaged internal networks at Tri-Rail, South Florida's primary commuter rail. A separate collective, 313 Team, claimed distributed denial-of-service (DDoS) attacks in April 2026 against travel platforms including Expedia, VRBO, Hotels.com, and Travelocity.

ZeroFox assesses there is a roughly even chance that these collectives view the FIFA World Cup as an opportunity to apply political pressure by targeting World Cup-adjacent industries: transportation, hospitality, financial services, and media. For context, the 2024 Paris Olympics was targeted by multiple coordinated cyber operations, and ZeroFox assesses the 2026 World Cup faces a comparable or elevated risk given the current geopolitical environment.

Physical and Logistical Security Gaps

Approximately 50,000 police and security personnel will be deployed across three countries to protect six million fans, 16 stadiums, and fan zones for 39 consecutive days. The U.S. government shutdown, which ended April 30, 2026, created significant disruptions to security preparation in the weeks leading up to the tournament.

A reported 1,100 TSA officers quit during the shutdown, with replacements not expected to be available by the start of the World Cup. Federal security grants of $625 million were authorized in July 2025 but faced repeated delays, meaning host cities have only recently begun conducting complex coordinated security drills. DHS also cancelled a program to train law enforcement in drone surveillance around stadiums, a notable gap given that in 2025, an NFL playoff game in Baltimore was paused after a commercial drone was detected flying over the venue.

Fan zones present a particular concern. These large, open-air venues where non-ticketed supporters gather to watch matches on screens have historically been high-risk environments. During Euro 2024 in Germany, fan zones accommodated 12 million visitors and were identified as high-risk locations for opportunistic crime and lone-actor attacks. A planned FIFA Fan Festival at Liberty State Park in New Jersey was cancelled, with security concerns factoring into that decision.

The immigration situation adds another layer of complexity. Four participating nations face complete or near-complete visa suspensions, and fans from more than 50 nations on a restricted list were originally subject to a $15,000 financial bond requirement. That bond was suspended for confirmed ticket holders as of May 13, 2026, but it remains in effect for other visitors. On April 23, 2026, the ACLU, joined by more than 120 organizations including the NAACP, issued a travel advisory warning that foreign visitors may face risks of arbitrary detention, deportation, racial profiling, and device searches.

What This Means for Fans and Organizations

The threats in this assessment are serious, but they're also manageable. Here's where to start, whether you're going to a match or your organization has a stake in the tournament.

For fans attending the tournament:

  • Purchase tickets exclusively through fifa.com. ZeroFox has identified active scam operations on Telegram, Facebook Marketplace, WhatsApp, and third-party sites including Fanpass and Football Ticket Net.
  • Enable multi-factor authentication (MFA) on all accounts immediately. Credential harvesting campaigns targeting World Cup attendees are documented and ongoing.
  • Verify any email or communication claiming to be from FIFA independently before clicking links. The FBI has confirmed spoofing campaigns are active.
  • Plan to arrive three to four hours before matches given expected screening delays, and book accommodations now. Surge pricing and shortages are likely across multiple host cities.
  • Use a credit card, not a debit card or payment app, for ticket and travel purchases. Credit cards offer stronger fraud protection and chargeback rights if a seller turns out to be fraudulent. 
  • Be cautious on public Wi-Fi at stadiums, airports, and hotels. Avoid logging into sensitive accounts on open networks during the tournament.

For organizations with tournament affiliations:

  • Monitor for credential exposure across dark web and criminal channels now. Exposed credentials are rarely exploited immediately; they're staged for use when visibility is highest and malicious logins can blend into normal traffic.
  • Watch for lookalike domains and brand impersonation campaigns tied to your organization's World Cup involvement. These are typically registered weeks or months before an event.
  • Be alert to the targeting of transportation, hospitality, and media infrastructure by state-aligned threat collectives. Organizations in those sectors face elevated risk through the duration of the tournament.
  • Brief employees and traveling executives before they go. People affiliated with the event are higher-value phishing targets, and a short heads-up prevents a lot of the social engineering that follows.
  • Have a takedown process ready before the event, not during it. Once a lookalike domain or impersonation account is live, speed matters. Knowing how you'll report and remove it ahead of time cuts response time when it counts.
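One way to triage hostnames for the lookalike-domain monitoring described above, shown as an added example (not ZeroFox tooling or code from the assessment). The sample hostnames are constructed, the confusables table is a small illustrative subset, and the registrable label is assumed to be the second-to-last label rather than taken from a public-suffix list.

```python
import unicodedata

OFFICIAL = "fifa.com"  # sole authorized ticket seller named in the post
BRAND = "fifa"
# Assumption: a small illustrative confusables table, not a complete one.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                      "\u0456": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def fold(host):
    """Lowercase, decode punycode labels, strip accents, fold confusables."""
    out = []
    for label in host.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep the raw label if it is not valid punycode
        label = unicodedata.normalize("NFKD", label)
        label = "".join(c for c in label if not unicodedata.combining(c))
        out.append(label.translate(FOLD))
    return ".".join(out)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'official', 'lookalike' or 'unrelated' for one hostname."""
    raw = host.strip().lower().rstrip(".")
    if raw == OFFICIAL or raw.endswith("." + OFFICIAL):
        return "official"
    folded = fold(raw)
    if BRAND in folded:  # brand embedded in another domain or under another TLD
        return "lookalike"
    # Assumption: the registrable label is second-to-last (no public-suffix list).
    reg = folded.split(".")[-2] if "." in folded else folded
    # Short brands match innocent names at distance 1, so hits are triage leads.
    return "lookalike" if edit_distance(reg, BRAND) <= 1 else "unrelated"

# Constructed sample hostnames (not observed indicators).
SAMPLES = ["www.fifa.com", "fifa.com.tickets.example", "f1fa.example",
           "f\u0456fa.example", "worldcup-tickets.example"]
RESULTS = {h: classify(h) for h in SAMPLES}
```

Run against a feed of newly registered or newly observed hostnames, the "lookalike" results are candidates for analyst review and for the takedown process, not confirmed impersonation.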

The Good News for World Cup Fans

It's easy to read a list like this and feel like the deck is stacked. It isn't. Nearly every threat documented in the assessment depends on someone making a small, avoidable mistake: buying a ticket from the wrong place, clicking a link in a spoofed email, or reusing a password that's already been exposed. 

The good news is that the fixes are equally small. Buy through fifa.com, turn on multi-factor authentication, and treat any unexpected FIFA message with a healthy dose of skepticism. Those three habits neutralize the overwhelming majority of what scammers are counting on.

It also helps to remember that this is a known quantity. Major tournaments attract opportunists every time, and the security community has gotten very good at spotting the patterns early. The threats surfacing now, before kickoff, are surfacing because people are actively looking for them. That early visibility is exactly what gives organizers, host cities, and security teams time to act before the first match.

For the six million fans heading to a stadium this summer, the takeaway is simple: a little awareness goes a long way, and the tournament itself is still very much worth showing up for. 

The full ZeroFox Intelligence Assessment, geared towards cyber and physical security professionals, includes additional findings on physical security, protest activity, and regional risk for host cities across all three countries. For a deeper dive, read it in full.

Maddie Bullock

Content Marketing Manager

Maddie is a dynamic content marketing manager and copywriter with 10+ years of communications experience in diverse mediums and fields, including tenure at the US Postal Service and Amazon Ads. She's passionate about using fundamental communications theory to effectively empower audiences through educational cybersecurity content.
