A new assessment of cyber risks facing the Milano-Cortina 2026 Winter Games has highlighted phishing and spoofed websites as the most common initial access points for attackers targeting global sporting events.
The findings have been detailed in Palo Alto Networks’ Cyber Threats to Milan-Cortina 2026 report, which examined how criminal groups, state-backed actors and hacktivists are likely to exploit the Games’ vast digital footprint.
The research draws on recent Olympic history. During the Pyeongchang 2018 games, attackers disrupted WiFi and digital infrastructure. Ahead of Tokyo 2021, Russian-linked groups attempted to interfere with pre-Games operations. At Paris 2024, analysts observed spikes in DDoS activity, Olympics-themed phishing and online scams. With more than 3 billion viewers expected for Milano-Cortina, the incentives remain high.
The Palo Alto report emphasized how attackers blend speed with deception. Phishing campaigns, often tied to business email compromise (BEC), continue to dominate the early stages of intrusions. Researchers noted that 76% of observed phishing cases relied on BEC, exploiting trust between staff, partners and suppliers across the Olympic ecosystem.
“The biggest risks to large events like the Olympics don’t come from new exploits,” Randolph Barr, CISO at Cequence Security, said. “Instead, they originate from people misusing legitimate apps, identities and corporate processes.”
Common Tactics Observed Around the Games
The Games attract a broad mix of threat actors. Financially motivated ransomware gangs see ticketing platforms, event websites and payment systems as leverage points. Nation-state groups focus on espionage, using the proximity of diplomats and officials to quietly collect intelligence over long periods. Hacktivist groups, meanwhile, seek disruption and publicity.
Examples cited include Dark Scorpius, which has compromised more than 500 victims since 2022 by impersonating IT staff and gaining remote access in as little as 14 hours, and Fighting Ursa, a Russia-linked group known for phishing via spoofed sites and weaponised documents.
Researchers outline several techniques likely to recur around Milano-Cortina:
Phishing and spoofed websites used to harvest credentials
Exploitation of software and API vulnerabilities in complex event systems
Use of previously compromised credentials bought on the dark web
DDoS attacks aimed at ticketing, turnstiles and event websites
For consumers and employees alike, basic caution still applies. “If it sounds too good to be true, it probably is,” Trey Ford, chief strategy and trust officer at Bugcrowd, said. “Buying from reputable sources […] is the only way to avoid credit card theft and counterfeit products.”
