The 2026 FIFA World Cup is being called the largest and most complex cyberattack surface in the history of entertainment. Because the tournament is split across three countries (the US, Canada, and Mexico) and relies entirely on deeply integrated digital infrastructure, cybersecurity experts and law enforcement are already tracking severe vulnerabilities and known threat actors within the space. Those concerns might seem remote for a normal football fan, something for experts to worry about "out there," or something that only affects in-person attendees. However, two common online activities put viewers themselves at risk: illegal streaming and black-market gambling.
As the most-watched sporting event in the world, the World Cup also doubles as a massive "customer-acquisition tool" for sophisticated criminal networks, which offer free pirate streams loaded with ads for related gambling sites. UpGuard researchers examined publicly exposed data related to both kinds of operations and both contained sensitive information about their customers. Data privacy goes beyond the big business concerns of corporations and their intellectual property. It affects everyone in nearly every online activity. Piracy and gambling are no exception.
Pirate Streams
Illegal online streaming is an incredibly well-known, multi-billion-dollar problem for major sporting events, and the 2026 FIFA World Cup is facing unprecedented challenges regarding it. The scale of modern sports piracy is surprising. For example, a June 2026 report tracking the recent UEFA Champions League Final found that while 7 million people watched legally, 16.2 million views occurred via illegal streams. In response, law enforcement agencies launched massive operations ahead of the June kickoff:
- Operation Kratos 2: Co-led by Europol and Bulgaria’s General Directorate Combating Organised Crime, this massive seven-month multi-national operation concluded in late April 2026. It successfully dismantled 9 organized criminal gangs and shut down over 27,000 illegal streaming URLs across 13 countries (including the US, UK, Spain, Italy, and Ireland).
- National Interventions: Countries like Vietnam have mobilized specialized task forces specifically to block massive regional piracy ecosystems (like XoilacTV and ThapcamTV).
While global task forces are aggressively taking down tens of thousands of illicit servers, they are essentially playing a game of whack-a-mole against profitable criminal networks who can quickly spin up new servers and disseminate their availability to customers.
UpGuard Research
Researchers discovered publicly accessible Elasticsearch systems containing millions of log entries related to illegal streaming operations. On one such system, a single 1.2GB log file contained 5.5 million documents. UpGuard sampled 1,000 documents from this index to determine the nature of the data. This 1,000 document sample only represented 56 seconds of activity, indicating the large amount of traffic logged on this system.

Document entries included plain text usernames and passwords, as well as client IP addresses and relative destination URLs. Of the 1,000 documents sampled, 84% contained plain text credentials, meaning nearly every transaction had usernames and passwords embedded into it. Furthermore, 181 documents, or 18%, contained source IP addresses for the customer.
The logs also record the devices customers use to stream, painting a picture of the end-user hardware ecosystem used by customers of this site. From our sample, we determined the following breakdown:

A significant share of traffic comes from MAG200 STB user agents, older physical IPTV hardware devices. Interestingly, 21 of the records showed the use of Python scripts hitting the streaming endpoints, indicating some kind of scraping or automation operating alongside actual users.
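The sample analysis described above, as an added example that is not UpGuard's own tooling: over a sample of log documents it measures the share carrying plaintext credentials and client IPs, the time span covered and the user-agent mix, then shows the redaction that keeps secrets out of logs in the first place. The field names, the query-parameter form of the credentials and the sample documents are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample documents. Field names and URL shapes are assumptions,
# not the schema of the exposed index.
SAMPLE = [
    {"@timestamp": "2026-06-01T12:00:00Z", "client_ip": "203.0.113.7",
     "user_agent": "MAG200 stbapp ver: 2 rev: 250",
     "request": "/live.php?username=alice&password=hunter2&stream=101"},
    {"@timestamp": "2026-06-01T12:00:20Z", "user_agent": "python-requests/2.31.0",
     "request": "/live.php?username=bob&password=s3cret&stream=101"},
    {"@timestamp": "2026-06-01T12:00:41Z", "client_ip": "198.51.100.9",
     "user_agent": "VLC/3.0.20 LibVLC/3.0.20", "request": "/status"},
    {"@timestamp": "2026-06-01T12:00:56Z",
     "user_agent": "MAG200 stbapp ver: 2 rev: 250",
     "request": "/epg.php?user=carol&pass=letmein"},
]

# Assumed leak shape: secrets passed as query parameters and logged verbatim.
SECRET_PARAM = re.compile(r"(?i)([?&](?:password|passwd|pass|pwd|token)=)[^&\s]+")
UA_FAMILIES = [("mag200", "MAG200 STB"), ("python", "Python script")]

def ua_family(ua):
    for needle, label in UA_FAMILIES:
        if needle in ua.lower():
            return label
    return "other"

def audit(docs):
    """Summarise what a log sample exposes, in the terms the write-up uses."""
    n = len(docs)
    with_creds = sum(1 for d in docs if SECRET_PARAM.search(d.get("request", "")))
    with_ip = sum(1 for d in docs if d.get("client_ip"))
    times = [datetime.fromisoformat(d["@timestamp"].replace("Z", "+00:00")) for d in docs]
    span = (max(times) - min(times)).total_seconds()
    return {
        "credential_pct": round(100 * with_creds / n),
        "client_ip_pct": round(100 * with_ip / n),
        "span_seconds": span,
        "docs_per_second": round(n / span, 2) if span else None,
        "user_agents": Counter(ua_family(d.get("user_agent", "")) for d in docs),
    }

def redact(request):
    """Mitigation: mask secret values before a request line is written to a log."""
    return SECRET_PARAM.sub(r"\1[REDACTED]", request)
```

Running `audit` over a sample of your own service's logs before they are shipped to a central store shows whether a later misconfiguration of that store would expose credentials as well as traffic metadata.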
The ecosystem for these operations is fairly complex. Software companies like Bulgaria’s 1-Stream sell platforms capable of handling massive livestreaming operations. They do not provide any content themselves, just the necessary hosting platform to run a for-pay livestreaming server. These platforms are then deployed on the customer’s own hardware or virtual servers and managed by them. In turn, the primary platform operator can sublet all or part of their streaming capabilities to “resellers,” who in turn sell their streaming service at a markup to end users. One index discovered by UpGuard research was dedicated to such resellers, including information about their usernames and potential identities.
The finances of these operations are difficult to discern, as the monetary transactions do not actually take place on the streaming platform itself. Instead, tokens are handed out by admins as needed, ostensibly in exchange for crypto transactions that take place over Telegram or other private channels.
Piracy is no longer just a hobbyist endeavor. It is run by highly organized syndicates. A massive 89% of ads shown on illegal football streams belong to unlicensed, offshore gambling entities. The streams exist primarily to funnel viewers into high-stakes illegal betting, being entirely funded by those operations and offering their streams to viewers for free.
Illegal Gambling
Because the 2026 tournament is the largest in history (expanded to 48 teams and 104 matches), analysts estimate that legal wagering will hit an all-time high of around $60 billion. However, global gaming bodies and law enforcement warn that the illegal shadow betting market is growing even faster, further threatening consumer safety and the integrity of the game itself.
Unregulated Betting Sites
In Germany, the domestic sports betting association (DSWV) estimates Germans will wager over €1 billion on the tournament, but warns that €300 million to €400 million of that will flow to illegal offshore sites. Unlike traditional, licensed sportsbooks, which require strict identity verification and track suspicious betting patterns, illegal offshore platforms allow completely anonymous, frictionless gambling.
That anonymity, however, is not the protection it appears to be. "No ID checks don't mean no risk — it means no protection," said Kai Cantwell, CEO of Responsible Wagering Australia.
"People tend to think they're protecting their privacy, but in essence they're giving up the protections that come with betting with a licensed, heavily regulated operator in a regulated environment. Identity verification helps prevent fraud, identity theft and underage gambling, and ensures that the important consumer-protection measures in place in a regulated environment work for the punter and in favour of the punter."
- Kai Cantwell
CEO of Responsible Wagering Australia
Case Study: Polymarket
Polymarket perfectly illustrates how the definition of a "regulated" market depends entirely on where a user lives, and how the platform is classified. In late June 2026, attackers drained ~$3M from users after a compromised third-party vendor injected malicious code into its website front-end. Because it operates a regulated arm in the US, Polymarket quickly contained the breach and pledged to absorb the full cost of user refunds.
Crucially, however, Polymarket is not regulated as a sportsbook. While traditional US sports betting is governed by state gaming commissions with strict responsible-gambling guardrails, Polymarket answers to the Commodity Futures Trading Commission (CFTC) as a financial derivatives platform. This creates a bizarre double standard. In August 2025, the Australian Communications and Media Authority (ACMA) blacklisted Polymarket, ordering local ISPs to block the site as an illegal offshore gambling operation.
Meanwhile, in the US, it is treated as a legal financial market, yet it is currently facing a sweeping CFTC investigation for utilizing deceptive influencer marketing to lure in users. An international punter bypassing blocks via a VPN isn't just entering an unregulated market; they are falling into a regulatory canyon between financial trading and sports gambling where no local safety nets apply.
Reports from the Betting & Gaming Council in the UK reveal that illegal gambling advertising has boomed ahead of the World Cup. These sites use cloned branding to trick consumers into believing they are legitimate operations. Stakes with illegal UK operators are on track to double, as these sites aggressively market "no ID checks" and "anonymous play" to younger audiences over social media, notably Telegram, where whole channels exist to distribute new URLs as sites are taken down.
Governments worldwide have also launched emergency crackdowns on illegal gambling operations, specifically timed to the World Cup's opening matches. For example, Malaysia launched Operation Op Soga XI, in which the Royal Malaysia Police in coordination with Bank Negara Malaysia and the Multimedia Commission are performing a nationwide, multi-agency sweep targeting illegal offshore betting syndicates, crypto-based gambling rings, and physical bookmaker networks.
UpGuard Research
UpGuard researchers detected publicly exposed log servers belonging to several different gambling operations in countries across the world. One of these servers stored aggregated Graylog logs for an online casino backend. Each log file index on the system was between 7 and 10GB in size, containing 31-38 million records.

Researchers again sampled 1,000 documents from one of the log files to analyze the data. This time the 1,000 document sample covered about 8.5 minutes of time, showing that while the gambling site was not as active as the streaming site, it still amassed a thousand transactions in under ten minutes.
The logs included account and betting details, including bet amounts and accountIDs. Also present were references to specific illegal stream URL referrers and services, again illustrating the ties between the two operations. Another visible tie surfaced with the identification of a crypto wallet proxy for the organization, underlining that for illegal gambling, the mostly anonymous nature of crypto is crucial.

These logs paint a picture of users’ betting activity and habits over time, as well as information regarding what stream they may be using to watch the event. If the user IDs present in the exposed tables can be tied back to a real identity, then an individual’s entire career on the site is there for the taking.
For Cantwell, the gap between an exposed operation like this and a licensed one is the entire point.
"When you bet with a licensed operator, there are rules — laws, policies, and substantial fines and penalties for not complying. When you bet with an illegal offshore provider, you're on your own. We often say you may not retrieve any of the money should you happen to win. There's none of those consumer protections, and none of those financial protections. These sites are often run by criminal networks and cartels operating in tax and regulatory safe havens — a lot of the operators targeting Australia are run out of Curaçao and Russia."
- Kai Cantwell
CEO of Responsible Wagering Australia
Licensed operators, by contrast, are bound by "anti-money-laundering laws, counter-terrorism-financing laws, privacy laws, identity-verification laws," and risk having their licenses suspended and their reputations ruined if they breach those obligations — accountability that simply does not exist for an offshore site leaking its customers onto the open internet.
Illegal gambling at the 2026 World Cup is no longer just about back-alley bookies; it is driven by sophisticated, multi-national tech syndicates operating via crypto and social media. While authorities are blocking tens of thousands of sites, the sheer scale of the tournament provides unprecedented opportunities for the black market to thrive.
Conclusion
Exposed credentials from a streaming site, like those discovered in a publicly accessible Elasticsearch server, can put your account, and any data associated with it, at risk. Likewise, gambling on an illegal site might offer more options or seem more private, but if the backend is inadvertently exposed to the internet, account details and activity are actually quite a bit more public. Just like FIFA, cybercriminals have to rely on a supply chain: hosting, social media, data analysis and so on. The way they handle and transmit their data is just as vulnerable to misconfiguration and insecurity as a corporation's, if not more so due to the total lack of regulations and oversight. The ethics of both pirated streams and gambling are debatable, but regardless of one’s opinions on them, the data shows that utilizing black market resources to obtain and wager on the World Cup and other live events will put you at a higher risk for data exposure.
As Cantwell puts it: "A free stream could become a very expensive mistake. If you're having a bet on the World Cup, stick to a licensed and regulated brand in your jurisdiction. What you'll be sure of is that you're getting the appropriate consumer protections, the financial protections, and your data is safe — you're supported and protected."