How Intelligence is Keeping Soccer Fans Safe
As millions of fans fill stadiums across three countries, law enforcement agencies are turning to shared intelligence to stay ahead of physical and cyber threats alike.
Millions of soccer fans from across the globe continue to fill the seats of 16 stadiums across the United States, Mexico, and Canada to watch the World Cup. On top of that, 19 billion viewers are expected to watch the matches on TV and via streaming services. To be blunt, an event of this scale is completely unprecedented.
That scale also means that security teams have to think about this event differently. Dramatically expanded digital and physical threat surfaces, and a massive influx of sports fans from across the globe mean that law enforcement needs to adopt a proactive, intelligence-led approach in order to ensure that everyone has a great time and gets home safely.
No single agency can do this alone. Since the spring, Penlink has hosted a standing World Cup Working Group, a recurring forum where analysts from law enforcement, fusion centers, and public safety agencies across the country compare notes on emerging threats, share tradecraft, and troubleshoot in real time. The group has grown to more than 150 participants from 35 agencies, and tonight, as USA takes the pitch, that same collaborative network will be watching alongside the fans.
All venues must balance the entertainment and convenience of the fans with those same fans’ physical security. Moreover, even softer targets, like watch parties, transit systems, and areas immediately outside of the venues, are far more difficult to control and secure. These environments create a perfect storm for opportunistic attacks.
During recent Penlink working group sessions, analysts have walked through live examples of this exact challenge, mapping the area around a venue in expanding rings, from the stadium itself out through transit corridors, hotels, and the bars and gathering spots where fans watch even when they don’t have tickets. It’s a reminder that securing “the venue” really means securing an entire neighborhood.
The accessibility of drone technology introduces a new category of threat for large-scale events. Unauthorized drones can be used for both general disruptions, as well as actual attacks. With venues spread across 16 cities and 3 countries, maintaining consistent counter-drone strategies becomes especially challenging.
Law enforcement partners working the tournament have already reported hundreds of unauthorized drone incidents intercepted around event sites, a sign of just how real this threat category has become, even in the tournament’s early weeks.
Like all international sporting events, hosting the World Cup means creating a potential stage for political expression. Geopolitical tensions are running high all across the planet, and these tenuous situations only raise the risk of politically motivated violence. At the same time, even peaceful protests have the potential to disrupt transportation, alter crowd flows, and strain security resources.
Whenever large, international events are held, human traffickers seize the opportunity, exploiting the anonymity, demand, and economic surges that come with them. Transient populations moving between host cities and across countries for matches create a particularly strong trafficking target. Platforms like PLX help investigators surface case connections across jurisdictions, connecting networks that might otherwise go unnoticed. For a closer look at how trafficking patterns emerge around major sporting events, see Penlink’s analysis of trafficking risk at the World Cup.
With high prices, limited supply, and nearly 500 million requests for World Cup tickets, fraud is inevitable. Fraudulent tickets, cloned QR codes, and successful phishing attempts from cybercriminals open the door to both financial loss and physical security risks, particularly when unauthorized individuals gain access to controlled spaces.
The accessibility of generative AI has significantly lowered the barrier to creating convincing disinformation. During a global event like the World Cup, false narratives about security incidents, political protests, and public safety can spread rapidly across social media, influencing crowd behavior, damaging reputations, and complicating incident responses.
This isn’t hypothetical. During the tournament’s opening weeks, agencies in the Penlink working group flagged an AI-generated hoax threat campaign that spread rapidly across social platforms, underscoring how quickly false narratives can move once a match is underway, and how critical it is for security teams to verify before they react.
This is exactly the kind of gap the working group exists to close: no single agency sees the whole picture, so shared intelligence and tradecraft become force multipliers.
Before the event begins, open-source intelligence (OSINT) helps security teams build a baseline understanding of risk. By analyzing historical activity, known threat patterns, and digital signals, investigators can separate credible threats from background noise and prioritize resources accordingly. Platforms such as Tangles support this work by continuously monitoring open, deep, and dark web sources for relevant signals.
One recurring challenge working group members have identified: officials track official venue names, while the public overwhelmingly uses colloquial ones, searching a sponsor’s name rather than a stadium’s official title, for example. Bridging that gap is exactly the kind of tradecraft agencies are sharing with each other in real time.
During the event, OSINT provides real-time visibility into what is happening on the ground. Generative AI platforms like CoAnalyst help security teams track crowd sentiment, geolocate incidents as they unfold, and quickly identify or debunk viral content before it drives panic or misinformation.
After the event, OSINT supports investigation and accountability. Analysts can identify individuals, map how disinformation or threats spread, and build evidence packages that inform future security planning and response strategies. Analysts in the working group describe this as getting “left of boom,” going back after an incident to capture the exact language, spelling, and platform used, then building that into future detection.
The World Cup is here. Fans are filling stadiums, city plazas, and bars to share their enthusiasm for soccer and their nation. Opportunistic scammers, hackers, traffickers, and terrorists are planning their next move. With intelligence-led strategies, and a network of agencies working together rather than in isolation, security teams can stay ahead of these threats, protecting fans and securing every moment of the event.
See how Penlink’s PLX Connect brings this kind of intelligence-led coordination to your agency, and Request a demo to get started.