
Canada/Mexico/US: World Cup 2026 Cyber Risks Extend Beyond Stadium Systems

4 MAY 2026




The 2026 FIFA World Cup will create cyber exposure well beyond the stadium infrastructure, extending into ticketing, travel, hotels, sponsors, transport, and host city services across Canada, Mexico, and the US. Opportunistic criminal groups will likely remain the most persistent threat, using phishing, fake ticketing and travel offers, credential theft, and business email compromise against fans, vendors, and event partners. State-linked activities will be more varied. US authorities are already treating the tournament as a national-level security event, but much of the risk will sit with the wider network of vendors, host-city services, and commercial partners.  

The primary cyber risk lies in the interdependence of a tri-country event ecosystem, where public services, commercial vendors, and temporary digital platforms are tightly integrated but unevenly secured. Variations in governance and accelerated vendor onboarding increase the likelihood that disruption in noncore systems, such as ticketing or transport, could cascade across shared networks and affect the broader event environment.  

Key Takeaways

  • World Cup 2026 will create cyber exposure beyond stadium systems. Ticketing, travel, hospitality, transport, streaming, sponsors, vendors, and host-city services will likely present more accessible targets than core match operations.
  • Opportunistic criminal activity will likely be the most persistent cyber threat. Phishing, fake ticketing and travel offers, credential theft, and business email compromise will target fans, vendors, sponsors, broadcasters, hotels, and local partners.
  • Nation-state actors (Iran, Russia, China and North Korea) will use the tournament in different ways to advance their strategic objectives.  
  • Organizations tied to the event should prioritize identity controls, vendor access, and incident response. Cross-border differences between Canada, Mexico, and the US will make coordination harder.  

Criminal Groups Will Likely Target Access and Trust

Criminally focused activity will likely be the most persistent cyber threat around World Cup 2026, centered on phishing, credential theft, fake ticketing and streaming websites, and business email compromise. Mexico’s Secretariat of Security and Citizen Protection (SSPC) warned in March that cyber criminals were already using search engines, social media, and messaging apps to promote cloned websites, fake travel-agency portals, and false adviser identities.

Nation-State Actors Will Use Tournament in Different Ways

North Korea

North Korea fits more naturally into the opportunistic, financially motivated category than into the overtly disruptive state-threat tier, despite possessing mature and globally active cyber capabilities. Pyongyang-affiliated groups have demonstrated the ability to conduct large-scale financial theft, long-running phishing campaigns, and intrusions into global financial and corporate networks. While North Korea has not consistently targeted major sporting events for disruptive effect, it has leveraged high-visibility international environments and loosely connected sectors, such as hospitality, travel, and financial services, for fraud and credential harvesting. In the World Cup context, North Korean activity would more likely involve phishing, fraud, or credential theft operations targeting fans, vendors, and partners rather than overt disruption of core event systems.

Iran

Iran-backed actors pose the most politically charged cyber threat. Considering heightened US-Iran tensions and broader conflict dynamics in the Middle East, Tehran and aligned groups present the clearest nation-state cyber threat to the World Cup. Government agencies have warned that Iranian-affiliated actors may target US critical infrastructure and other entities of interest during the World Cup, with precedent from the 2024 Paris Olympics supporting this assessment. Concurrently, groups aligned with the Islamic Revolutionary Guard Corps (IRGC) have employed long-running social engineering campaigns, including impersonation of journalists and event organizers, to steal credentials and gain cloud access. 

Russia 

Russia has a recent history of targeting high-profile sporting events and may seek to embarrass a major sporting event hosted by the US and its allies. Russian cyber threat actors carried out spear phishing and pre-positioning intrusions into Olympic-related networks before deploying the Olympic Destroyer malware, which disrupted IT systems during the opening ceremony of the PyeongChang 2018 Winter Olympics. Russia-linked activity targeted Winter Olympics-related websites and hotels ahead of the 2026 Milano Cortina Winter Olympics. For the upcoming World Cup, Russian objectives are likely aimed at inflicting reputational and political damage, not necessarily long-duration technical destruction of core tournament systems; Russian-backed cyber operations will likely be designed to portray the hosts as insecure or operationally unprepared.

China

China almost certainly views the World Cup as an opportunity to conduct espionage activities and build access pathways to sensitive information. Multigovernmental communiques advise that China-aligned threat actors have spent years pre-positioning in communications, transportation, lodging, and other infrastructure, and that data stolen from those sectors can help Chinese intelligence track targets’ communications and movements. China-linked threat actors are unlikely to attempt overt disruption of the World Cup, as such activity would risk diplomatic and economic repercussions that outweigh the strategic benefit. Rather, they will use the tournament to collect data, build access, and monitor high-value targets tied to governments, transport, telecommunications, and event operations. 

Host-Nation Coordination and Cyber Defense Measures Will Influence the Risk Environment

The US, Canada, and Mexico are treating the 2026 FIFA World Cup as a national-level security priority, with cybersecurity embedded into broader public safety and critical infrastructure planning.  

  • The US established a White House Task Force on the 2026 FIFA World Cup in March 2025 to coordinate federal preparations. CISA, working with the FBI and sector risk management agencies, is running preparedness exercises with state, local, and private-sector partners. These activities focus on incident response coordination, information sharing, and testing scenarios involving ransomware, DDoS activity, and disruption or manipulation of public-facing digital services tied to the tournament.
  • In Canada, Public Safety Canada is coordinating preparations through the federal-provincial-territorial (FPT) framework, with the Canadian Centre for Cyber Security supporting engagement with host cities and critical infrastructure operators.  
  • In Mexico, the SSPC, working with the National Guard and national cybersecurity units, is coordinating early warning efforts and has already issued alerts on cyber-enabled fraud targeting ticketing, travel, and accommodation services linked to the tournament.  

Across the three countries, a substantial portion of exposure sits with private-sector operators, including hospitality, transport, telecommunications, and event service providers, which increases reliance on vendor coordination and timely information sharing. Differences in legal authorities and operational procedures across the US, Canada, and Mexico will probably complicate real-time incident response during the tournament period, particularly where shared vendors or cross-border services are involved. The effectiveness of mitigation measures will depend on how well the three governments maintain coordination through joint working structures, sustain communication across agencies and private operators, and maintain visibility across a fragmented and fast-moving operating environment. 

Implications and Recommendations

Organizations connected to host-city operations should assume they could become targets even if they are not official FIFA entities; exposure is often inherited through integration into shared systems and vendors rather than active targeting alone. The most effective protections are likely to be cross-functional and focused on reducing the blast radius of common failures:

  • Treat identity systems as critical infrastructure, as they are the main control point across the ecosystem. Enforce multifactor authentication, tighten privileged access, monitor for credential harvesting, and scrutinize unusual sign-in behavior.
  • Segment venue technology, operational technology, and utility-adjacent systems from corporate IT and public-facing services as far as practically possible, understanding that these boundaries can be harder to maintain in temporary event environments where vendors and short-term systems introduce natural overlap.
  • The rapid onboarding of temporary partners under compressed timelines can make consistent oversight more challenging; tighten vendor governance across ticketing, streaming, hospitality, payments, and transport.
  • Rehearse cross-border incident response, crisis communications, and service-restoration playbooks before the tournament begins. Ensure they account for ransomware, DDoS, leak, and disinformation scenarios, as well as the legal, regulatory, and disclosure differences across Canada, Mexico, and the US that could complicate real-time coordination. 
