Six Nations 2026 Threat Intelligence Bulletin

Threat Intelligence Bulletin: Six Nations 2026

Summary

The Six Nations kicks off at 20:10 on the 5th February at the Stade de France, as Ireland travel to face the French national team in a clash of great rugby nations. The series is played out over 5 weeks from February to March, drawing to conclusion on the 14th. The cyber threat level surrounding the tournament is low; however, the Ekco threat intelligence department have highlighted key areas where cyber security will be of high importance.

Fan-Facing Threats

• Ticketing fraud & credential stuffing: fake resale sites, cloned listings and account-takeovers of official ticketing platforms.
  • Indicators: lookalike domains, sudden resale spikes, unusual refund/transfer patterns.
• Malicious / fake event apps & streaming sites: trojanised mobile apps or bogus “live stream” pages distributing malware or stealing credentials.
  • Indicators: new app package names claiming event access, reports of APK installs, phishing emails with “stream link”.

Venue & stadium infrastructure

• Operational Technology (OT) / ICS exposure: scoreboard, HVAC, turnstiles, lighting and camera controls often run on converged networks and can be targeted to disrupt events or safety systems.
  • Indicators: legacy protocols visible on network scans, unsegmented OT/IT traffic, default creds on ICS devices.
• IP cameras / CCTV compromise: attackers may pivot from weak cameras to other systems or tamper with surveillance.
  • Indicators: unusual camera reboots, firmware downgrades, access from unfamiliar external IPs.
• Ransomware & business-system attacks on venues: attacks that encrypt back-office/ticketing/finance systems and threaten event continuity.
  • Indicators: spikes in outbound connections to C2 domains, mass file renames, ransom notes on shared drives.

Ekco Precautionary Actions

Throughout the Six Nations, Ekco will be protecting clients involved with the event through the following:

• Brand monitoring: Monitoring for typo/brand-squatting and newly registered domains, mentions on the dark web and hacker forums and phishing campaigns.
• Watching public sources: Looking for chatter around fake streams/apps and reports of ticket scams (social media, forums).
• Focusing on threat actors of interest: Cybercriminal groups focused on fraud/ransom, opportunistic DDoS actors, and financially-motivated phishing gangs.
• Monitoring company infrastructure: IP addresses and domains will be checked for increased risk of Denial of Service (DoS) attacks