Executive Summary
The 2026 FIFA World Cup, which takes place across sixteen host cities in the United States (US), Mexico, and Canada, presents a complex threat environment across multiple security domains. The tournament’s global visibility creates opportunities for both financially and geopolitically motivated threat actors to target attendees, affiliated organizations, sponsors, vendors, and event-supporting infrastructure.
Physical security will almost certainly remain the highest priority for event coordinators and local government officials, given the high levels of international attention and the concentration of large crowds in host cities spanning three countries and multiple, distinct security environments. Mexico’s host cities face the highest physical risk due to the persistent presence of local and transnational criminal organizations (TCOs), with elevated concerns around theft, extortion, kidnapping, and fraud. US and Canadian host cities likely face a more limited threat from violent extremists, with greater risks to soft targets such as fan zones, watch parties, transit hubs, and other crowded public areas.
Civil unrest and disruptive protests are also very likely in a majority of host cities. Localized travel disruptions are especially likely in Mexico, where prior demonstrations have already blocked roads near World Cup venues. Large police or military deployments near event sites will likely increase the risk of confrontation.
The most immediate risk to corporate sponsors and affiliates is likely cybercriminal exploitation of World Cup demand and branding. Recorded Future’s Payment Fraud Intelligence team has already identified World Cup-themed purchase scams, fake FIFA-branded stores, and spoofed FIFA and host city domains. Carders are also likely to leverage stolen payment card credentials to fraudulently purchase event tickets and travel-related services for rapid resale and monetization. Efforts to use individuals’ interest in the World Cup to deliver malware or carry out data extortion or fraud will likely accelerate as the tournament approaches. Threat actors will likely continue to use AI-generated content to scale fraud, impersonation, phishing, smishing, and social engineering campaigns.
The concentration of senior government officials, diplomats, security personnel, corporate executives, and media at World Cup events also very likely increases the risk of cyber espionage and disruptive cyber incidents. Russian, Chinese, and Iranian state-sponsored threat groups will likely use the tournament as an intelligence collection opportunity, targeting executives, VIP attendees, national delegations, media partners, telecommunications providers, airlines, hotels, event logistics firms, and commercial affiliates. China is most likely to pursue targeted espionage, while Russia and Iran pose a higher risk of more disruptive attacks through proxy hacktivism.
Influence activity related to the tournament remains largely overt, driven by state media and diplomatic messaging from Russia, China, and Iran. These narratives focus on host-country legitimacy, Iran’s conditional participation, visa and access issues, public safety, immigration, ticketing, and alleged politicization of the event. Covert influence activity has so far been limited and opportunistic, but could increase as the tournament approaches, particularly around geopolitical flashpoints or viral news events.
Organizations involved in or exposed to the World Cup should prioritize proactive monitoring of location-specific physical security risks, protest activity, cybercriminal infrastructure, phishing and credential exposure, malicious traffic, ransomware indicators, and influence operations. Cyber indicators such as increased scanning activity or newly registered domains linked to FIFA or host cities may indicate an expansion of criminal or espionage activity. Developments around geopolitical flashpoints such as the war in Iran may increase the likelihood of attempts to disrupt the tournament through cyber or physical attacks.
Key Findings
- World Cup crowds will likely elevate physical security risks around match venues and fan areas, exacerbated by factors such as TCO activity in Mexico and impending primary elections and 250th Independence Day celebrations in the US.
- Opportunistic criminal activities tied to organized crime very likely constitute the largest physical security risks to Mexico’s World Cup host cities, while US venues face very likely less substantial (but nonetheless tangible) threats from violent extremists, particularly homegrown violent extremists (HVEs).
- Cybercriminal threat actors are exploiting World Cup-themed branding via purchase scams and phishing infrastructures, with AI-generated content likely enabling operations to surpass volumes observed during prior World Cups. Carders frequently use fraudulent ticket purchases and resale schemes as a rapid monetization method for stolen payment card credentials.
- Russian, Chinese, and Iranian state-sponsored threat groups will likely use the World Cup as an intelligence collection opportunity, while Russia and Iran pose additional risks of disruptive cyber operations, particularly from proxies and hacktivist personas.
- World Cup-related influence activity from Russia, China, and Iran is driven overwhelmingly through overt state media and diplomatic messaging, while observed covert activity remains limited, opportunistic, and largely secondary to broader geopolitical narratives about Iran, host-country legitimacy, and US access and security policies.
Country Risk
Insikt Group assessed four categories of country-level risk in World Cup host countries: security and crime data; network intrusion activity, which measures Malicious Traffic Analysis events targeting each country; ransomware attacks targeting victims in each country; and data privacy and surveillance-related risks, accessible in the Recorded Future Intelligence Operations Platform as State Surveillance risk. While public reporting indicates declining crime rates in many World Cup host cities, violent crime risks are almost certainly greatest in Mexico; opportunistic crime, such as theft, likely presents the greatest physical security risk in Canadian and US host cities. By comparison, threats to data security and privacy are likely greatest in the US and Canada, given the higher volume of malicious cyber activity targeting US and Canadian entities. Factors complicating the security environment across World Cup host nations include TCO operations in Mexico; 250th anniversary celebrations in the US; and the lead-up to the US midterm elections in November 2026, including summer primary elections.
