For many companies, big events such as the FIFA World Cup or the Super Bowl are critical for marketing and revenue. However, cybersecurity experts are increasingly concerned about bad actors who could take advantage of any new IT infrastructure spun up for those events.
Just this month, cybersecurity threat intelligence company BforeAI found that bad actors have created malicious infrastructure in preparation for the FIFA World Cup, which will host matches in North American cities such as Los Angeles, Boston, Houston, Philadelphia, Miami, Toronto, and Mexico City in summer 2026.
In BforeAI’s report, researchers identified domains registered for the World Cup, suggesting that attackers are repurposing old domains for new threat campaigns or registering new ones in advance to avoid detection and improve theft success rates.
For example, BforeAI found a webpage that promotes itself as helping fans find hotels and restaurants with electric vehicle chargers for the World Cup, as well as a partnership promotion that encourages companies to apply to participate.
Abu Qureshi, the lead threat intelligence and mitigation researcher at BforeAI, said that bad actors could target enterprises for this event (and others) if they are doing a sponsorship for a related event or if the company is involved in a fan event in a host city.
“For a corporate event to happen, you have to set up new infrastructure,” Qureshi said. “Cybercriminals love when companies have to set up new infrastructure because it means they can get in the middle of that.”
Cause for concern. Qureshi isn’t alone in raising concerns about cybersecurity for enterprises taking part in a large-scale, geographically tied event. Brent Johnson, a cybersecurity and infrastructure security officer for Bluefin, said that these events bring high-value targets for cyberattackers.
Specifically, Johnson said he would be concerned about a company standing up networking infrastructure for an event with lower-level systems that are connected to enterprise infrastructure. That could lead to a breach leaking back to a company’s frameworks and database.
“Setting up new infrastructure is a challenge if you’re not putting some of these security measures in place,” Johnson said. “We’re sitting there with months and years to plan, and putting security controls in place and hardening and configuring these things for specific environments and tuning. How you do that in a major event without much time is quite the challenge.”
VP of portfolio marketing at Checkmarx Eran Kinsbruner agreed that enterprises often are forced into short timelines if they choose to participate in big events.
“When these kind of events are happening, you’re trying to expedite as much as you can, your development, so you can obviously get to market as fast as possible and publish, and make all this noise around it,” Kinsbruner said.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“When enterprises are going and doing that, they need to be careful with regards to, what are the shortcuts that are being taken from security and quality perspective? It’s not like you have six months or 10 months, usually it’s a bit less time to prepare.”
The potential consequences of failing to adequately secure event-related infrastructure are massive. In the event of a breach, not only would a company be at risk of losing proprietary information, but the brand damage could prevent the company from participating in future events, according to Johnson.
In the event of an event. If a company desires a corporate affiliation with an event like the World Cup, Qureshi said that it should push as “much as possible” to sanction its involvement with the organization heading up the event. A sanctioned event, specifically as it pertains to sporting events, is one that receives official approval from the organization that is managing the event.
“I would weigh on FIFA, and verify local promotions that are happening with World Cups ties to make sure that my enterprise is using the appropriate avenue to link up with a FIFA-sanctioned event,” Qureshi said.
Qureshi advised companies and their security professionals to register infrastructure with the organization hosting the event earlier rather than later, especially since newer infrastructure should undergo extensive testing.
Even better, companies can rely on what’s already in place. “Rather than setting up a brand new infrastructure, you would utilize existing infrastructure,” Qureshi said. “Leveraging known and existing infrastructure is a much better idea than setting up new infrastructure because then you’re just fighting with the attacker to prove who was first.”
This sort of cyber threat isn’t limited to sporting events. Ticketmaster, the online ticketing platform for events, was the target of hackers who were allegedly able to export 440,000 tickets for the Taylor Swift Eras Tour, leaking 170,000 barcodes as proof that they’d stolen the ticket information.
The attackers told Ticketmaster to pay them $2 million or they’d leak 680 million users’ information and 30 million ticket barcodes for events, including those involving other musical artists and sporting events.
Fisher noted that during this ransomware scheme, bad actors were able to get into the enterprise’s infrastructure, something that could happen to any organization offering online web services.
Qureshi also recommended monitoring for event-specific keyword combinations for infrastructure being set up on the deep web, in places like invitation-only forums, encrypted messaging channels, and underground marketplaces, so that cyber pros can pinpoint who is talking about their enterprise and setting up domains and website content.
“It would be very advisable to get ahead of any sort of activity that you’re seeing about your enterprise environment,” Qureshi said.