Overview
The Cyber Centre assesses that the FIFA World Cup 2026TM will almost certainly be targeted by a range of cyber threat actors, including cybercriminals, non-state actors, and state-sponsored actors. The tournament will run from June 11 to July 19, 2026, and will include 104 matches with 48 teams across 16 cities in Canada, the United States, and Mexico.Footnote 1 Due to its unique blend of global visibility, complex supporting infrastructure, and symbolic importance, the FIFA World Cup 2026TM is a high-profile target for cyber threat activity. The tournament’s broad attack surface – including physical and digital systems, surrounding business ecosystem, and supply chain partners – provides many opportunities for cyber threat actors to advance their ideological, geopolitical, and financial objectives.
Key judgments
- We assess that cybercriminals will almost certainly exploit the public engagement and the popularity of the FIFA World Cup 2026TM to support financially motivated cyber threat activity against individuals and organizations. Cybercriminals use major events like the FIFA World Cup 2026TM as topical lures and pretexts for phishing campaigns and social engineering attacks. They target both individuals and organizations to steal credentials, commit financial fraud, and exploit data. Cybercriminals will very likely attempt to extort organizations associated with or supporting the event through disruptive attacks, including ransomware.
- We assess that ideologically motivated non-state cyber threat actors, commonly referred to as hacktivists, will very likely engage in disruptive cyber attacks against organizations associated with the FIFA World Cup 2026TM, including distributed denial-of-service (DDoS) attacks and defacement attacks against websites and other digital services to draw attention to domestic issues within host countries, environmental causes, or international conflict.
- We assess that there is a roughly even chance that state-sponsored cyber threat actors will conduct disruptive cyber threat activity against the FIFA World Cup 2026TM as a strategic tool in broader geopolitical confrontations. Our assessment of the likelihood of this activity may change based on the development of ongoing conflicts and geopolitical tensions involving host nations and participating countries.
- We assess that cyber threat actors will very likely leverage the public interest and media coverage of the FIFA World Cup 2026TM to spread disinformation and narratives supporting their strategic interests, including through campaigns that leverage AI-generated content and deepfakes.
Cyber threats to individuals
We assess that cybercriminals almost certainly present the primary cyber threat to patrons and spectators of the FIFA World Cup 2026TM via event-themed financial fraud and scams. Cybercriminals use events like the FIFA World Cup 2026TM as topical lures and pretexts for phishing campaigns and social engineering attacks. They target both individuals and organizations to steal credentials, commit financial fraud, and exploit data. Individuals who fall victim to cyber-enabled fraud and scams may suffer financial loss or have their personal information exposed, which can lead to further identity theft and other fraudulent activity.
Cybercriminals use event-related lures, such as travel discounts, exclusive livestreaming access, sports betting opportunities, or fraudulent offers for tickets, merchandise, or short-term rentals to entice victims to engage with phishing messages and malicious advertisements, websites, or event-related mobile applications.Footnote 2 For example, security researchers at a private cybersecurity firm reported that phishing attempts against victims in the Middle East and North Africa doubled ahead of the 2022 FIFA World Cup, with cybercriminals impersonating athletes and FIFA ticket offices.Footnote 3 As of August 2025, another cybersecurity firm identified over 4300 likely fraudulent domain registrations related to the FIFA World Cup 2026TM, many strategically combining host city names with tournament years (e.g. “fifawcdallas.com”) and other key words like “football” or “FIFA”.Footnote 4 Many of these websites attempt to replicate FIFA’s branding, logos, and designs. The impact of these campaigns can be amplified when cybercriminals impersonate well-known entities including athletes, team affiliates, official organizers and sponsors, or local authorities. For example, cybercriminals have repeatedly exploited the likeness of Cristiano Ronaldo, a popular professional footballer, in numerous scams tied to sporting events. Using artificial intelligence (AI), cybercriminals have created deepfake videos that convincingly impersonated the athlete to promote fraudulent financial schemes on social media.Footnote 5
The threat from short message service (SMS) blasters
SMS blasters are portable devices that can be used to send mass amounts of “smishing” messages to nearby cellphones. These messages can contain malicious links that are used to harvest credentials, personal information, or financial details from victims.Footnote 6
In April 2026, arrests were made following the discovery of an SMS blaster used within the Greater Toronto Area over the course of several months.Footnote 7 It is estimated that tens of thousands of devices connected to the blaster, with over 13 million network disruptions. Similar reports of SMS blaster scams have emerged from many countries including the United Kingdom, New Zealand, Vietnam, Thailand, and Greece.Footnote 8
An SMS blaster deployed around an event like the FIFA World Cup 2026TM would allow threat actors to send out massive volumes of smishing messages to patrons. These messages may appear as coming from legitimate sources like event organizers, rideshare providers, or local authorities and could be used to maximize the reach of fraud campaigns. Because SMS blasters act as a rogue cellular tower, nearby phones may also temporarily lose their connection to legitimate networks, potentially limiting access to emergency services, such as 911, for periods ranging from a few seconds to several minutes.
Cyber threats to organizations, businesses, and governments
Cyber threat actors exploit heightened public attention and reputational stakes associated with events like the FIFA World Cup 2026TM to further their financial, ideological, or geopolitical objectives. Cyber threat activity related to the FIFA World Cup 2026TM will very likely target the broader ecosystem of organizations around the tournament, including:
- travel and hospitality sectors: hotels, airlines, ticketing systems, and other booking platforms that handle sensitive data (e.g. credit card information, guest details)Footnote 9
- organizers and participants: venues, agencies and regulators, and competing teamsFootnote 10
- services and sponsors: high profile brands and service providers associated with the tournamentFootnote 11
- infrastructure owners and operators: various critical infrastructure sectors including municipal transportation, energy and utilities, water and wastewater, and telecommunicationsFootnote 12
Cyber threat actors are also likely to exploit the publicity surrounding the FIFA World Cup 2026TM to amplify the perceived impact of their disruptive activity, even when the intended targets have no direct link to the competition. For example, on the eve of the 2026 Winter Olympic Games opening ceremony in Italy, more than 120 targets were affected by cyberattacks, including hotel portals in Cortina d’Ampezzo, the region hosting alpine skiing events, and the websites and digital systems of numerous Italian foreign ministries and consulates in major cities worldwide.Footnote 13 In a Telegram post, the group responsible said that the operation was retaliation against Italy’s “pro-Ukraine” stance.Footnote 14 Although none of the compromised systems were directly part of the Olympic infrastructure, the attack occurred at a highly visible time and against entities within the broader Olympic ecosystem. As a result, the media and the public quickly labelled them as attacks against the Olympics, creating the impression that the competition itself was under attack. In most cases, disruptive cyber attacks around major events result only in temporary or localized effects.
Ransomware
We assess that cybercriminals will very likely attempt to extort organizations associated with or supporting the FIFA World Cup 2026TM through ransomware attacks. Cybercriminals opportunistically exploit major events to increase their leverage and extract ransom payments from organizations under pressure to keep services running. For example, during the 2024 football season, Italy’s Bologna Football Club publicly announced a ransomware attack on its internal security systems, which resulted in the loss of 200GB of data, including strategic documents, sensitive player information, financial records, and confidential data related to stadiums.Footnote 15 By encrypting critical systems or stealing data and demanding payment for their release, ransomware attacks can result in data loss, operational disruptions, or delays to event proceedings.
Distributed denial-of-service attacks
Non-state actors will very likely engage in distributed denial-of-service (DDoS) attacks against infrastructure related to the FIFA World Cup 2026TM, including official websites, streaming platforms, ticketing systems, and broadcasters, to overwhelm and render services unavailable to legitimate users. For example, during the 2024 EUFA European Championships (The Euros), cyber threat actors conducted a DDoS attack against a Polish public television broadcaster, disrupting broadcasts of key matches involving the Polish national team.Footnote 16
Defacement attacks
Non-state cyber threat actors will likely conduct defacement attacks against the official websites or social media accounts of businesses and organizations during the FIFA World Cup 2026TM. By hijacking the online presence of event organizers, sponsors and host governments to insert ideological or geopolitical messaging, threat actors seek to reach widespread audiences, drawing attention to their causes. Real-world digital signage including dynamic displays, digital posters, and video walls around FIFA-venues or nearby tourism and transit hubs may also be targeted. For example, during the 2024 Summer Olympic Games, an Iranian cyber group compromised a French digital signage provider in a failed attempt to display photo montages critiquing the participation of Israeli athletes in the sporting competition.Footnote 17 In October 2025, three Canadian airports were affected by a similar compromise against a third-party provider resulting in pro-Hamas messaging being broadcast in passenger terminals through flight information displays and public address systems.Footnote 18
State-sponsored cyber attacks
We assess that there is a roughly even chance that state-sponsored cyber threat actors will attempt to conduct disruptive cyber threat activity against the FIFA World Cup 2026TM. The potential for a state-sponsored disruptive cyber attack increases when a major event coincides with conflict or heightened geopolitical tensions, particularly if a host nation is directly involved in or closely aligned with a party to the conflict. Disruptive cyber operations have previously been deployed by state-sponsored cyber actors to achieve strategic effects.Footnote 19 These actions are typically motivated by political or cultural aims, the opportunity to promote an agenda on a global stage, foreign policy considerations, or to retaliate against the host or participating countries.Footnote 20
Ongoing geopolitical conflicts have increased the likelihood that state-sponsored cyber threat actors will target the tournament and related services with disruptive cyber operations.Footnote 21 These actors likely view the FIFA World Cup 2026TM and its associated infrastructure as symbolic targets for retaliation and capability signaling.Footnote 22 Whether states involved in ongoing conflicts participate in the tournament is a key variable. Our assessment of the likelihood and potential impact of state-sponsored disruptive cyber activity against the competition may change based on the status of hostilities involving event hosts and participating nations.
Disinformation and influence activity
Cyber threat actors will very likely use the FIFA World Cup 2026TM as a basis for disinformation activity and influence campaigns, exploiting the tournament’s intense public interest and extensive media coverage to amplify ideologically or geopolitically motivated messaging. These campaigns are often fueled by both domestic and international tensions and ongoing social, political, or ideological grievances.
We assess that cyber threat actors will almost certainly leverage fake or deceptive AI generated articles, images, and videos (including deepfakes) into their online influence campaigns.Footnote 23 For example, ahead of the 2024 Summer Olympics, cyber threat actors released a likely deepfake video denouncing the International Olympic Committee.Footnote 24 This video was accompanied by a fabricated, although not necessarily AI-generated, video of US officials warning of public safety threats against local transportation around the event.Footnote 25 These campaigns are designed to pollute the online information space, seeking to undermine institutions and sow doubt and division in targeted societies.
Outlook
Major international sporting events like the FIFA World Cup 2026TM provide many opportunities for cyber threat actors to exploit the high degree of visibility and public interest around the tournament to further their financial, ideological, or strategic objectives.
Many cyber threats can be mitigated through awareness and cyber security best practices. The Cyber Centre encourages all fans, attendees, athletes, government officials, and organizations associated with the FIFA World Cup 2026TM to take appropriate measures to protect their systems against the cyber threats detailed in this bulletin.
About this document
This Cyber Threat Bulletin is intended for the cyber security community. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information visit the Traffic Light Protocol.
Contact
For follow-up questions or issues, contact the Canadian Centre for Cyber Security at contact@cyber.gc.ca.
Assessment base and methodology
The key judgements in this bulletin rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the knowledge and expertise in cyber security of the Canadian Centre for Cyber Security (the Cyber Centre). Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. The Communications Security Establishment Canada’s (CSE) foreign intelligence mandate provides us with valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.
Our judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. We use qualifiers such as “possibly”, “likely” and “very likely” to convey probability.
The assessments and analysis are based on information available as of June 3, 2026.
Estimative language guide
The chart below matches estimative language with appropriate percentages. These percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements and methods that increase the accuracy of estimates.
Long description - Estimative language chart
- 1 to 9% Almost no chance
- 10 to 24% Very unlikely/very improbable
- 25 to 39% Unlikely/improbable
- 40 to 59% Roughly even chance
- 60 to 74% Likely/probably
- 75 to 89% Very likely/very probable
- 90 to 99% Almost certainly
Useful resources
Refer to the following online resources for more information and for advice and guidance.
Guidance for individuals
- Device security for travel and telework abroad - ITSAP.00.188
- Mobile device guidance for high profile travellers - ITSAP.00.088
- Protecting yourself from identity theft online - ITSAP.00.033
Guidance on phishing attacks
- Don't take the bait: Recognize and avoid phishing attacks - ITSAP.00.101
- Phishing scams you’re more likely to encounter when travelling
Guidance on SMS blasters
- Protect your devices from SMS blasters - ITSAP.00.104
- Smishing: Protect yourself from SMS attacks - ITSAP.00.103
- Reporting spam text messages to 7726
- Protect your devices from IMSI catchers - ITSAP.00.106
- Cell site simulators - ITSM.00.108
Guidance for organizations, businesses, and governments
- Report a cyber incident
- Security considerations for critical infrastructure - ITSAP.10.100
- What to do when your organization has been compromised by a cyber attack - ITSAP.00.009
- Cyber incident reporting guidelines: Key information sharing requirements – ITSM.00.140
Guidance on ransomware
- Ransomware playbook - ITSM.00.099
- Ransomware Threat Outlook 2025-2027
- Ransomware: How to prevent and recover (ITSAP.00.099)
Guidance on DDoS and defacement attacks
- Defending against distributed denial of service (DDoS) attacks – ITSM.80.110
- Distributed denial of service attacks - prevention and preparation - ITSAP.80.110
- Website defacement - ITSAP.00.060
Guidance on disinformation and influence activities
- Online disinformation - Canada.ca
- How to identify misinformation, disinformation, and malinformation (ITSAP.00.300)