World Cup grudge attackers may have scored Argentine FA access via year-old infostealer infection
World Cup grudge attackers may have scored Argentine FA access via year-old infostealer infection
Publish Date: 2026-07-13 08:02:00
Source Domain: www.theregister.com
Security
Footie fans? Overreacting? There’s a first time for everything
Cybersecurity shop Hudson Rock says the suspected compromise of the Argentine Football Association (AFA) may be linked to an infostealer infection nearly a year earlier.
The incident appears to be the work of an aggrieved football fan, or group of them, after Argentina eliminated Egypt from the World Cup round of 16.
Egypt’s coach and football association complained about several refereeing and VAR decisions, which they said contributed to the result.
The compromise of AFA’s systems was spotted after mass emails were sent from legitimate domains stating that Argentina “stole” the win from Egypt and that “the robbery will not go unnoticed.”
Hudson Rock said it found evidence of an infostealer infection dating back to September 8, 2025, on a device belonging to an AFA software developer who had been employed at the governing body for nearly a decade.
The security shop operates a database of known infostealer victims, and noted that the compromised machine was added to its database the following day.
Whoever was behind the attack, which was claimed by “All Egyptian Cyber Warriors,” they either sat on the credentials for nearly a year, or sought them out after Egypt were controversially eliminated from the World Cup.
Once they procured the credentials and authenticated themselves into the AFA’s systems, Hudson Rock said they “likely had profound administrative control.”
This would have included direct access to phpMyAdmin database management panels, root access to certain AFA databases, access to the management portal of AFA’s training HQ, the AFA media portal, and its competition management system.
After looking at the stolen credentials in their database, the researchers said that weak, easily guessable passwords were reused across several internal systems.
In addition to the compromised emails sent from AFA’s management and…