The 2026 FIFA World Cup opened June 11 in Mexico City with a live data breach affecting competing nations’ players and an active phishing ecosystem targeting organizers and fans both already under way.
Weeks before the opening match, a threat actor crediting the notorious extortion group ShinyHunters published what it described as the complete Asian Football Confederation (AFC) player database, exposing more than 150,000 passport copies, contracts, verified email addresses, and competition registration records.
AFC members Japan, South Korea, Australia, Iran, and Saudi Arabia are all competing in the tournament. The exposed data directly overlaps with travel documentation and registration records underpinning World Cup participation, according to a Dataminr intelligence brief.
More than 10,000 World Cup-themed domains have been registered since January 2026, according to Arctic Wolf, at a rate of roughly 2,000 per month. While not all are malicious, researchers warn that attackers are using this high volume of infrastructure to hide active phishing and malware operations.
The firm identified a phishing kit targeting FIFA-branded career portals that uses a real-time adversary-in-the-middle (AiTM) relay, a technique that intercepts one-time authentication codes within seconds of generation and defeats standard multi-factor authentication (MFA).
Arctic Wolf also recovered a weaponized PDF targeting Philadelphia host-city staff through QR-code phishing, known as quishing.
The FBI issued a public service announcement in May warning that threat actors were spoofing official FIFA domains through typosquatting to harvest personal and financial data from fans.
Palo Alto Networks’ Unit 42 identified Iran-nexus activity targeting U.S. critical infrastructure, distributed denial-of-service (DDoS) attacks from Russia-linked hacktivist group NoName057(16), and large-scale financial fraud as the primary threat categories facing the tournament.
New analysis reveals a massive network of fraudulent domains capitalizing on the 2026 FIFA World Cup, with 1k+ registered in the past 6 months. Tactics include redirects to shady gambling apps, data harvesting, malvertising, and PUP downloads. Details at https://t.co/Lw0gpfN7SS
— Unit 42 (@Unit42_Intel) May 29, 2026
“Today’s preparations for the World Cup will help strengthen our nation’s readiness for future events, including Freedom 250 and the 2028 Summer Olympics,” Cybersecurity and Infrastructure Security Agency (CISA) acting Director Nick Andersen said.
CISA has completed cyber and physical vulnerability assessments at 10 host stadiums and related infrastructure.






