[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcETD17VIcYMqGC4iSELpt8zNAyOpmy-gdBl2k92QVbI":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"5a16a33a-bd3a-40a5-a3aa-7cf8c0cadccb","2026 FIFA World Cup: What Public Safety Officials Need to Know","2026-fifa-world-cup-what-public-safety-officials-need-to-know-d46378","Prepare for the 2026 FIFA World Cup with expert analysis of the physical and cyber threat landscape. Discover key mitigation strategies for host city officials to ensure public safety","The 2026 FIFA World Cup presents a significant blended cyber-physical threat landscape for host cities, sponsors, and public safety officials. Threat actors, including cybercriminals, hacktivists, and nation-state-aligned groups, are already exploiting the event's visibility through fraudulent domains, fake stores, and politically motivated campaigns. Public safety officials must also contend with physical security risks such as protests, cartel violence, and potential extremist attacks on soft targets.","2026 FIFA World Cup faces blended cyber-physical threats from cybercriminals, hacktivists, and politically motivated","2026 FIFA World Cup Threats: What Host Cities, Sponsors, and Public Safety Officials Need to Know Starting tomorrow, millions of people will gather in sixteen host cities across the United States, Canada, and Mexico to cheer on their teams in the 2026 FIFA World Cup. Securing the tournament will require preparing for a mix of physical security risks, cyber threats, scams, protests, politically motivated activity, and reputational disruption tied to one of the world’s most visible sporting events.The World Cup’s global profile creates an attractive target environment for a wide range of threat actors. Cybercriminals are already exploiting tournament demand through fraudulent domains, fake stores, credential-harvesting sites, and advertising campaigns. Hacktivists and influence operators will likely try to use the event’s visibility to amplify political narratives or claim responsibility for disruptive activity. At the same time, public safety officials must manage the physical security challenges associated with large crowds, soft targets, protests, transportation hubs, hospitality infrastructure, and fan zones.Together, these risks create a blended cyber-physical threat environment that requires coordination across public safety, cybersecurity, fraud, legal, communications, brand protection, executive protection, travel security, and third-party risk teams. Figure 1: Assessment of physical, cyber, and fraud risks affecting the 2026 FIFA World Cup (Source: Recorded Future) Securing Cities Against Physical Threats Each host city has a unique security profile and a subsequent set of risks. In Mexico, plans to mobilize as many as 100,000 security personnel across the country’s World Cup sites are intended to deter cartel violence. However, demonstrations, protests, and strikes organized around the games will further complicate the security situation. Demonstrations in the weeks leading up to past World Cups have blocked traffic and caused disruption around venues. The presence of heavily armed or militarized security forces increases the risk that encounters with protesters could escalate into violence. Figure 2: Composite Country Risk Scores for Canada, Mexico, and the US, compiled for the Threats to FIFA 2026 World Cup report (Source: Recorded Future) Meanwhile, cities in the US and Canada are preparing for an elevated, though low-probability, threat of violent extremism. US or Canada-based supporters of the Islamic State have targeted sporting events in the past, notably the deadly attack on Bourbon Street in New Orleans, Louisiana, ahead of the 2025 Sugar Bowl. An attack on the upcoming World Cup would likely focus on soft targets such as fan zones, watch parties, and transportation and hospitality infrastructure, where security is less concentrated. Geopolitical developments may also affect the threat environment. The Iran War elevates the risk of politically motivated activity by actors seeking to use the tournament’s visibility to draw attention to their cause. Recorded Future reporting has identified Iranian hacktivist personas shifting from promoting cyberattacks to physical attacks, such as arson. While this activity has previously centered around Israeli targets, accounts linked with these personas have expanded their online presence to other regions and languages following the start of the Iran War. As of this writing, Insikt Group has not identified evidence of activity connected to the World Cup. Cybercriminals Already Exploiting World Cup Demand Cybercriminal exploitation of World Cup demand and branding is already underway. Threat actors are using the tournament’s global visibility to impersonate FIFA, host cities, ticketing providers, retailers, and other organizations associated with the event. These operations create risks for fans, public-sector organizations, sponsors, affiliates, vendors, hospitality providers, transportation companies, and other businesses connected to the tournament. In one purchase scam campaign active between April and May 2026, Recorded Future identified 33 World Cup-themed domains that lured users through a network of 2,500 online ads. These sites impersonated legitimate World Cup-themed stores to sell users products that did not exist, stealing their payments and credit card information along the way. In addition to fraudulent ads, these sites attracted visitors by compromising legitimate sites that appeared in search engine results and rerouting victims to scam sites. The impact of these campaigns extends beyond individual victims. FIFA and other impersonated companies risk losing potential revenue from redirected customers and may also suffer reputational damage when customers associate a negative shopping experience with legitimate brands. As the tournament approaches, suspicious domain registration activity is intensifying. In the weeks leading up to the tournament, over 1,000 suspicious domains had already been registered that used “World” and “Cup.” In a separate campaign, Chinese-speaking cybercriminals cloned FIFA’s official website across 300 domains, likely to harvest soccer fans’ credentials. Insikt Group is also tracking hundreds of suspicious registrations of event-linked host city domains that cybercriminals could use to impersonate official World Cup sites, commit fraud, conduct phishing, or deploy malware. While much of the activity observed so far has impersonated FIFA brands, threat actors will likely expand operations to include vendors, hospitality and transportation providers, ticketing platforms, sponsors, and affiliates. Threat actors are likely able to use AI to make impersonation attempts more realistic, increasing the risk that phishing, fraud, and social engineering operations will succeed. These activities introduce direct risks to World Cup sponsors and affiliates through brand abuse, financial fraud, credential theft, customer harm, and reputational damage. High-Value Attendees and Organizations Face Targeted Cyber Risks World Cup-related phishing and credential-harvesting activity will likely affect more than fans and consumers. State-sponsored actors may use World Cup-themed infrastructure for targeted espionage against senior government officials, diplomats, security personnel, journalists, executives, sponsors, vendors, teams, and other individuals of interest who are likely to attend or support the games. Groups like Russia’s BlueDelta, for example, frequently use targeted lure material to harvest credentials from intelligence targets. World Cup-related lures could provide a timely and credible pretext for phishing emails, fake login portals, malicious attachments, or impersonation of legitimate event-related services. Sponsors, affiliates, vendors, and supporting organizations also face ransomware and extortion risks. Threat actors may target companies associated with the tournament because disruption during a globally visible event increases pressure on victims to pay the demanded ransom. Hospitality providers, transportation companies, retail partners, software providers, ticketing platforms, media organizations, and other third parties may be particularly attractive targets because of their operational roles in the event ecosystem. Even if core tournament infrastructure remains unaffected, ransomware or credential compromise affecting a sponsor, supplier, or local service provider could create operational disruption, reputational damage, and legal or compliance exposure. Hacktivists and Influence Networks Look to Score Political Points Online hacktivists will likely attempt to exploit international attention on the World Cup to amplify political causes. These groups may target host cities, tournament infrastructure, sponsors, affiliates, or supporting companies to maximize visibility and disruption. Many hacktivist operations involve nuisance-level activity, such as distributed denial-of-service attacks or website defacements, but some groups also seek sensitive inform","https:\u002F\u002Fbit.ly\u002F3PPX2kQ","https:\u002F\u002Fwww.recordedfuture.com\u002Fblog\u002Fmedia_1bd1b16a64c5889ff9d94763b1d5354f0c5c0abd7.png?width=1200&format=pjpg&optimize=medium","2026-06-10T14:50:09+00:00","2026-06-10T15:00:21.152+00:00",7,[18,21,24],{"name":19,"type":20},"2026 FIFA World Cup","campaign",{"name":22,"type":23},"Insikt Group","threat_actor",{"name":25,"type":23},"Islamic State","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":26,"icon":28,"name":29,"slug":30},null,"Threat Intelligence","threat-intelligence",[32,37,42,47],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":38},{"id":39,"icon":28,"name":40,"slug":41},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":43},{"id":44,"icon":28,"name":45,"slug":46},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":48},{"id":26,"icon":28,"name":29,"slug":30},[50,54,57,60,63,66],{"type":51,"value":52,"context":53},"mitre_attack","T1566.002","Phishing: Spearphishing Attachment",{"type":51,"value":55,"context":56},"T1566.001","Phishing: Spearphishing Link",{"type":51,"value":58,"context":59},"T1071.001","Application Layer Protocol: Web Protocols",{"type":51,"value":61,"context":62},"T1071.004","Application Layer Protocol: DNS",{"type":51,"value":64,"context":65},"T1598.003","TTPs: Search Victim's Organization Online",{"type":51,"value":67,"context":68},"T1598.001","TTPs: Phishing for Information"]