5 Major Emerging Risks to Large-Scale Events
Large-scale events operate within a distinct threat landscape driven by the specific set of risks and circumstances that coalesce during major events and gatherings, including large, dense crowds; a compressed timeframe; and heightened emotional response.
Threat actors consistently seek to take advantage of these factors, pursuing cyber attacks, physical breaches, and information operations tied to upcoming and ongoing events, including FIFA World Cup 2026 (FWC26), the 250th anniversary of the United States, and the 2028 Summer Olympic Games in Los Angeles.
In a series of recent white papers, the Center for Internet Security® (CIS®) examined some of the most prevalent emerging risks facing large-scale events along with the mitigation measures event organizers and public safety officials can take to create safer, more secure gatherings. CIS focused on five significant potential risks: unmanned aircraft systems (UAS), deepfakes and synthetic media, lone actor and small-group tactics, digital ticketing platform vulnerabilities, and transportation infrastructure sabotage.
Emerging Risk #1: UAS
The proliferation of commercially available UAS technology has created a viable, diverse, and evolving threat for large-scale public gatherings. The convergence of several factors has fundamentally altered the UAS risk calculus for event security planners. Commercially available drones now extended endurance, increased speeds, and scalable payload capacities at an affordable price.
First-person view (FPV) drones, piloted through real-time video feeds instead of line of sight, have been extensively refined on battlefields in Ukraine and the Middle East, enabling low-cost, high-speed precision strike capabilities increasingly accessible to non-state actors. Concurrently, instructional material for weaponizing commercial drones, including 3D-printed components and improvised payload delivery mechanisms, has proliferated across extremist forums and encrypted messaging platforms.
Threat Environment
Despite investments, significant gaps remain. An airborne threat renders perimeter fences, magnetometers, bag checks, and credential verification irrelevant. Open-air gathering spaces, which will accommodate large crowds, often lack systematic counter-UAS coverage.
Threat Actors
The UAS threat to large-scale public gatherings could emanate from a diverse spectrum of actors with varying motivations, capabilities, and risk tolerances, including jihadist terrorist organizations, transnational criminal organizations, and lone actors.
What to Do about It
Public safety agencies should establish baseline awareness, define detection and mitigation roles, and coordinate with federal partners while integrating UAS considerations into existing frameworks. For more information, read Unmanned Aircraft Systems (UAS): Evolving Risks to Large-Scale Public Gatherings, which CIS produced in collaboration with DroneSec, and Unmanned Aircraft Systems (UAS): Evolving Risks to Large-Scale Public Gatherings Cyber Risks Companion Guide for a deep dive into UAS-related cyber risks.
Emerging Risk #2: Deepfakes and Synthetic Media
Synthetic media enabled by artificial intelligence (AI), including deepfake audio, video, imagery, and text, has emerged as one of the most consequential additions to the threat environment for large-scale public gatherings. Generative AI (GenAI) tools capable of producing highly realistic but fabricated content have become widely accessible since 2020, sharply lowering the barrier to entry for sophisticated influence operations.
Since 2021, the Federal Bureau of Investigation (FBI) has assessed that malicious actors will almost certainly leverage synthetic content to conduct cyber and foreign influence operations, expanding on traditional tactics with greater speed, persuasiveness, and scale.
Threat Environment
Large-scale mass gatherings, including concerts, festivals, political conventions, and sporting events, present especially attractive targets. These venues concentrate large, emotionally charged audiences within compressed information environments where rapid perception shifts can generate disproportionate psychological, operational, and reputational effects. Threats may involve not only fully synthetic deepfakes but also hybrid manipulations that alter authentic content in ways that may be harder to detect and easier to weaponize.
Threat Actors
A wide range of threat actors are positioned to employ synthetic media against large-scale events. Motivations and capability levels vary, but most share a common operational logic: exploit the compressed information environment to amplify disruption or shape the narrative at minimal cost.
What to Do about It
Effective mitigation requires integrating synthetic-media scenarios into existing event security, crisis communications, and information-operations planning supported by defined verification workflows, escalation procedures, communications protocols, and coordinated response mechanisms. For more information and detailed mitigation measures, see our white paper, Deepfakes and Synthetic Media: The Emerging Threat to Large-Scale Public Gatherings.
Emerging Risk #3: Lone Actor and Small-Group Tactics
The symbolic value, media visibility, and perceived vulnerabilities of major sporting events make them prime targets for extremist activity. French authorities foiled at least three plots targeting the 2024 Paris Olympics and Paralympics, with intelligence indicating that Islamic State-Khorasan Province (ISIS-K) was the primary terror threat. ISIS-affiliated individuals planned attacks on soccer stadiums, spectators, police, and Israeli representatives during the 2024 Paris Olympics. In April 2024, the media arm of ISIS-K urged supporters “to recreate the glory” of the 2015 Paris attacks, which included suicide bombings at a soccer match, by targeting other premier sporting events. This has included calls to action surrounding the Union of European Football Associations (UEFA) Champions League, multiple World Cups, and Olympic games. In collaboration with the Institute for Strategic Dialogue (ISD), we assessed the threat from lone actors and small groups to large-scale events ahead of FWC26.
Threat Environment
The most prevalent mass casualty tactics used against soft targets are explosives, firearms, and vehicle ramming attacks (VRA). While explosive attacks are the most common tactic used against soft targets broadly, firearm attacks cause far more fatalities than any other tactic used by lone wolf or small group threat actors. Although enhanced security may prevent individuals from bringing a firearm into a stadium event, using vantage points from high buildings overlooking an outdoor stadium or targeting gathering areas outside of the stadium provide opportunities to evade security. Due to the low skill requirement and ease of acquiring a vehicle, VRAs have emerged as a commonly used tactic for lone threat actors.
Threat Actors
Threat actors have increasingly conducted attacks outside the enhanced security perimeter of modern sporting and entertainment events, targeting areas with fewer security measures. Threat actors have also targeted sporting events in the leadup to the primary event, with perpetrators explicitly tying attacks to the Olympics Games in claims of responsibility. For example, a North Caucasus-based insurgent group affiliated with the broader jihadist movement in Russia conducted a series of bombings in Volgograd, Russia, in the months preceding the 2014 Sochi Winter Olympics.
What to Do about It
Public safety officials and event organizers should consider taking the following steps to safeguard large-scale events, including establishing information sharing protocols with state, local, federal, and international partners; establishing crisis communications capabilities to facilitate rapid information sharing; and reviewing and implementing recommendations from the JCAT’s Large Public Gatherings Attractive Targets for Violent Extremists. For additional guidance, event organizers can review the Cybersecurity and Infrastructure Security Agency (CISA) Mass Gathering Security Planning Tool.
Multi-State Information Sharing and Analysis Center® (MS-ISAC) members can access our white paper on the threat from lone actors and small groups on the CIS Portal. For additional information, contact [email protected].
Emerging Risk #4: Digital Ticketing Platform Vulnerabilities
Large-scale sporting events, including the Olympics and World Cup, increasingly rely on complex, digitally integrated ticketing ecosystems to manage ticket sales, transfers, validation, and venue access at scale. These platforms, including official primary, resale/exchange, and hospitality marketplace systems, face a range of cyber, fraud, and operational risks that could disrupt purchasing, compromise ticket integrity, delay entry operations, or negatively impact the fan experience during high-profile events.
Key threats include cascading platform outages and Distributed Denial of Service (DDoS) attacks, ransomware, supply chain and vendor compromise, insider misuse and social engineering, bot-driven fraud and scalping, credential stuffing, state-sponsored and hacktivist activity, and Internet of Things (IoT)/venue infrastructure compromise.
Threat Environment
Industry data indicates ransomware incidents in the sports and entertainment sector average $4-5 million in potential losses per event, including downtime, remediation, and extortion payments, with supply chain compromise carrying the highest aggregate cost of any attack category, according to Forbes. Proactive resilience, rapid incident response, and robust cross-jurisdictional governance across the ticketing industry are essential to minimize downtime, protect fans, and preserve event integrity. Threats to the ticketing ecosystem include both availability attacks designed to disrupt access or degrade services and integrity attacks intended to manipulate ticketing data, transactions, or user trust.
Key Assessments
In collaboration with the Missouri Information Analysis Center (MIAC), we identified the following key findings:
- Platform resilience and DDoS vulnerabilities present significant operational risk.
- Ransomware and supply chain compromise pose a credible threat to ticketing operations.
- Vendor compromise and third-party integrations represent a likely avenue for customer data breach.
- Insider misuse and social engineering represent a credible and elevated access risk.
- Bot-driven fraud and scalping operations are highly likely throughout the tournament
What to Do about It
To address these risks, we collaborated with the MIAC to recommend organizations undergo pre-event, mid-event, and post-event planning, including conducting tiered security assessments of all ticketing supply chain vendors; maintaining real-time awareness of ticketing platform performance, bot traffic patterns, and dark web activity; and conducing post-event analysis. MS-ISAC members can access our white paper exploring the growing risk to digital ticketing platforms on the CIS Portal. For additional information, contact [email protected].
Emerging Risk #5: Transportation Infrastructure Sabotage
Recent sabotage incidents targeting transportation infrastructure during major international sporting events highlight a credible threat pattern relevant to FWC26 in the United States, Canada, and Mexico. Rail disruptions associated with the 2026 Milan-Cortina Winter Olympics and the 2024 Paris Summer Olympics demonstrate how transportation systems supporting large-scale international events can serve as attractive targets for threat actors seeking to generate disruption, media attention, or symbolic impact.
Threat Environment
Attacks on rail infrastructure during the most recent Olympic Games underscore how transportation infrastructure, particularly rail systems between host cities, can be accessible targets for actors seeking to disrupt high-visibility events without directly breaching venues or stadium security. A broad range of threat actors could emulate these tactics and target mass transit during high-profile events or peak travel periods. Disrupting public transportation can delay fans, staff, teams, and media as well as undermine public confidence in mass transit systems and event security.
Threat Actors
Potential threat actors targeting transportation infrastructure during major international events may include decentralized anarchist networks, anti-globalization extremist groups, militant environmentalist actors, and lone actors motivated by ideological or political grievances.
What to Do about It
Key indicators or warning signs for potential future transportation disruption include increased vandalism or suspicious behavior near signal houses, switching equipment, or cable routes; online messaging that encourages disruption to transportation infrastructure; and sudden increases in false or misleading threat reports during transit disruptions.
For more information and a detailed list of recommendations and resources, review our white paper Transportation Infrastructure Sabotage as a World Cup 2026 Risk Multiplier, which we wrote in collaboration with the Public Transportation Information Sharing and Analysis Center (PT-ISAC), the American Public Transportation Association (APTA), and ISD.
Support Your Large-Scale Event with CIS Expertise
Malicious UAS activity, synthetic media information operations, lone actor violent extremist attacks, ticketing platform vulnerabilities, and transportation sabotage remain active and persistent risks to large-scale events. Large gatherings have a distinct set of risks as well as an opportunity to address those risks to establish a safe and secure environment for venues, attendees, and surrounding communities.
Want to learn more about today’s threats impacting large-scale events and how to safeguard your community?
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.