Cybersecurity at the World Cup: Understanding and Preventing Cyber Threats at Major Events
A conversation with Saman Zonouz, director of the Online Master of Science in Cybersecurity Cyber-Physical Systems track, about how to secure high-profile events and what fans can do to protect themselves.
Over the past several years, major events like the World Cup have become prime targets for cybercriminals, political hacktivists, and state-sponsored adversaries seeking to interrupt operations, threaten safety, and steal money and data. These high-profile events attract large crowds and depend on numerous interconnected digital and physical systems to operate smoothly. Even small vulnerabilities in these systems can create opportunities for cybercriminals to cause widespread disruption in both the public and private sectors.

We spoke with Saman Zonouz, director of the Online Master of Science in Cybersecurity (OMS Cybersecurity) Cyber-Physical Systems track, about what it takes to secure a major sporting event, the role AI plays in this environment, and the research his team is conducting at the Cyber Physical Systems Security Lab (CPSec), which he leads.
Can you talk about the importance of critical infrastructure security and a major sporting event like the World Cup?
A modern stadium is not just a building. It is a dense knot of digital and physical systems stitched together: ticketing and access control, lighting and scoreboards, broadcast feeds, payment terminals, building management for power, cooling, and fire safety, along with the surrounding city of transit lines, traffic signals, telecommunications, water, and electricity that keep a packed venue functioning. Each host city layers its own infrastructure on top. When all of that is connected, operated under enormous public pressure, and placed on the world stage, the result is both an irresistible target and the setting for a single event where a digital failure can have very physical consequences.
What are the most common types of cyberattacks associated with high-profile sporting events?
Most attacks aim at wallets. Financially motivated cybercrime is by far the highest-volume threat. This year, security researchers and the FBI reported hundreds of fake World Cup websites impersonating official FIFA portals, along with fraudulent ticketing pages, counterfeit travel and hotel offers, malicious apps disguised as match schedules, and a fast-growing wave of QR-code scams. These campaigns work because they exploit urgency. Fans who cannot get tickets through official channels are exactly the people most likely to click on a too-good deal.
A step up in seriousness is ransomware. Criminal groups target the organizations around the event, sponsors, hospitality companies, broadcasters, and the clubs themselves, because an organization under deadline pressure is more likely to pay. In 2024, an Italian football club publicly disclosed a ransomware attack that exposed hundreds of gigabytes of sensitive data. Layered on top are distributed denial-of-service attacks (DDoS), which flood ticketing, federation, and host-city services to knock them offline, often as a noisy political statement.
The other category we worry about most at the Cyber-Physical Systems Security Lab (CPSec) is the one that extends from the screen into the physical world. The clearest precedent is the 2018 Winter Olympics in Pyeongchang, where malware later known as Olympic Destroyer struck during the opening ceremony. It disrupted Wi-Fi, took down the official website so spectators could not print tickets, interfered with broadcast systems, and even grounded drones intended for the show. No one was hurt, but the goal was disruption and embarrassment at a pivotal moment. That is the template a serious adversary studies.
Who are the primary threat actors in this space?
The most likely and most numerous are ordinary cybercriminals chasing money through fraud, theft, and extortion. Above them sit hacktivists, ideologically driven groups that use DDoS and website defacement to make a point, several of which openly recruit volunteers for campaigns timed to global events. At the top are nation-states and state-aligned actors, who are less interested in money than in geopolitical signaling, disruption, and the chance to embarrass a host nation in front of the world. Olympic Destroyer was ultimately attributed to a state intelligence service, and analysts tracking 2026 have flagged the possibility of state-nexus operations against the infrastructure surrounding the World Cup.
There is one more category that sits at the seam of physical and digital threats, and it is the focus of a research collaboration the CPSec lab has pursued with Georgia Tech colleague Ryan Shandler. The team has studied how extremist and hybrid threats target interdependent critical infrastructure, and how the public reacts to those attacks. The concern is not only a clean network intrusion. It is the pairing of a physical disruption, including the threat from unauthorized drones over a venue, with a cyber component designed to amplify fear and confusion. At an event built around the emotions of a global audience, fear can be the goal in itself.
What kinds of systems or data are most at risk?
I think about risk in three layers. The first is the data layer that everyone notices: ticketing platforms, fan identities and login credentials, payment and financial information, broadcast pipelines, and the access-control and biometric systems that decide who gets through a gate. Compromise here means fraud, identity theft, and operational embarrassment.
The second layer is the one my field spends its time on, and it is where IT security collides with operational safety. It’s supporting critical infrastructure: the power and water utilities, the telecommunications networks that will be pushed to their limits by millions of simultaneous users, municipal transportation, and the building-management systems that control lighting, cooling, fire response, and physical access inside venues. Many of these are run by programmable logic controllers, the small, rugged computers that translate code into physical action. The CPSec lab has shown that such controllers can be compromised in ways people assume are impossible, including malware that runs from an ordinary web browser to reach industrial systems, and attacks that hide in the physics of a process rather than in the firmware where defenders look. The lesson is that an attack on a device most fans have never heard of can manifest as something very tangible, like a system that no longer behaves the way operators expect.
The third layer is transportation, which deserves its own mention at a tournament spread across sixteen cities. Moving enormous crowds safely depends on traffic systems, transit, airports, and increasingly on connected and automated vehicles. This is exactly the domain of a large National Science Foundation project that I help lead on resilient distributed cyber-physical systems, and of work my group is doing with the Georgia Department of Transportation on detecting cyber threats to transportation networks. The same questions the lab asks there apply directly to a host city on match day.
What role does proactive monitoring or threat intelligence play leading up to the event?
This is where defenders earn their salaries, and the work starts long before the first whistle. Attackers register lookalike domains and stand up phishing infrastructure months in advance, which means the defensive window opens early. Good threat intelligence turns that lead time into an advantage: taking down counterfeit sites, watching for leaked credentials, and sharing indicators of compromise across host cities, sponsors, and infrastructure operators so that an attack seen in one place can be blocked everywhere else.
The CPSec lab's research adds one important wrinkle for cyber-physical systems. You cannot monitor only the network logs. A sophisticated attacker who is careful in the digital world can still leave what the team likes to call physical breadcrumbs, small deviations in train network operation, sensor readings, timing, or control behavior that betray a process being manipulated.
My group has built detection methods that watch the physics itself, including techniques that monitor a controller's behavior and forensic methods that reconstruct an attack from the physical evidence it leaves behind. During an event that cannot be paused, real-time detection paired with a fast, safe response is far more valuable than a perfect explanation that arrives a day too late.
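The "physical breadcrumbs" idea above, as an added illustration that is not the CPSec lab's code: a constructed first-order tank process, a detector that compares each sensor reading with the level the physics predicts from the pump command, and a CUSUM on the residual that flags a frozen (replayed) sensor while normal noisy operation passes. The process model, noise level and thresholds are assumptions chosen for the example.

```python
import random


def simulate_tank(commands, dt=1.0, drain=0.05, noise=0.02, x0=5.0, seed=1):
    """Constructed sample process: level x obeys x' = u - drain*x.
    Returns len(commands)+1 noisy sensor readings, readings[0] = x0."""
    rng = random.Random(seed)
    x, readings = x0, [x0]
    for u in commands:
        x = x + dt * (u - drain * x)
        readings.append(x + rng.gauss(0.0, noise))
    return readings


def physics_residuals(readings, commands, dt=1.0, drain=0.05):
    """Residual = reported level minus the level the physics predicts
    from the previous reading and the command actually issued."""
    res = []
    for k, u in enumerate(commands):
        predicted = readings[k] + dt * (u - drain * readings[k])
        res.append(readings[k + 1] - predicted)
    return res


def cusum_alarm(residuals, drift=0.05, threshold=0.5):
    """Two-sided CUSUM over residuals; index of first alarm, else None.
    Small noise never accumulates; a persistent bias does."""
    s_pos = s_neg = 0.0
    for k, r in enumerate(residuals):
        s_pos = max(0.0, s_pos + r - drift)
        s_neg = max(0.0, s_neg - r - drift)
        if s_pos > threshold or s_neg > threshold:
            return k
    return None


def detect_spoof(readings, commands):
    return cusum_alarm(physics_residuals(readings, commands))


def spoofed_scenario():
    """Constructed attack: at step 30 the pump command doubles, but the
    sensor feed is frozen at its last honest value (a replay)."""
    commands = [0.25] * 30 + [0.5] * 30
    true_readings = simulate_tank(commands)
    spoofed = true_readings[:31] + [true_readings[30]] * 30
    return spoofed, commands


if __name__ == "__main__":
    normal = [0.25] * 60
    print("normal alarm:", detect_spoof(simulate_tank(normal), normal))
    print("spoof alarm:", detect_spoof(*spoofed_scenario()))
```

Network logs would show only a legitimate setpoint change; the physics check catches the attack because a level that stays flat while the pump runs harder violates the process model.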
How do technologies like AI change the threat and defense strategies?
AI is changing both sides of the field at once. For attackers, it lowers the cost of being convincing and fast. It writes cleaner phishing code in any language, powers deepfakes that can spread disinformation during high-visibility moments, accelerates reconnaissance, and helps automate the discovery of weaknesses. The security community is already seeing mobile-first, AI-assisted campaigns that scale faster than human analysts can manually investigate.
For defenders, AI is essential for exactly the same reason: the attack surface of this tournament is too large for people alone to watch. AI can flag anomalies at machine speed, triage a flood of alerts, and correlate weak signals scattered across many systems. The approach I advocate, and the one my lab builds toward, is to fuse AI with control theory and the physics of the system being protected.
A detector that understands the physical laws an electric grid or a controller must obey is much harder to fool than one that only studies traffic patterns, and my team is using similar ideas to automate vulnerability discovery and patching in energy systems. It’s important to remember that AI is a powerful tool, not a magic shield. It can be deceived by adversarial inputs, and overconfidence in it is its own risk. The goal is to make skilled human defenders faster and sharper, not to replace their judgment.
What is the real difference between an attack that steals data and one that threatens public safety?
This distinction sits at the heart of the lab's work, and it is worth making plain. An attack on confidentiality steals secrets. An attack on safety moves atoms. When bits start controlling physical things, like power to a stadium, a cyber incident stops being only an information problem and becomes a public safety and national security problem. A stolen credit card is a bad day. A loss of lighting and communications in a venue holding tens of thousands of people is something else entirely.
What can fans and travelers do to protect themselves?
A great deal, and none of it requires being a security expert:
- Buy tickets and book travel only through official channels and treat any unexpected limited-time deal as a warning sign rather than a lucky break.
- Update your phone and laptop before you travel so known vulnerabilities are patched.
- Be skeptical of QR codes and of links arriving by text or social media, since both are favorite delivery methods this year, and avoid installing apps from anywhere but official stores.
- Turn off automatic Wi-Fi joining, and be cautious on public networks in airports, hotels, and fan zones.
- Turn on multi-factor authentication for your email, banking, and ticketing accounts, because it blocks the great majority of credential theft.
- If you get an unexpected login prompt or password-reset message, slow down and verify before you act.

The simplest mental model is the one the lab teaches its students: attackers exploit attention and urgency, so the safest thing a fan can do is stay a little skeptical and unhurried.