Blog article
See all stories »

World Cup: When Russia plays, what happens to Global Cybercrime?

The World Cup! The largest, most anticipated sports event in the known universe. Millions of football fans are passionately supporting their national teams.

But what are Cybercriminals doing in the mean time? Jumping their digital prey while the victims are following the football? Or rather rallying around the flag, supporting their national team and ceasing their cyber attacks like in ancient times, when cities guranteed free passage during the Olympic Games?


Three National Teams, Nine Games, Clear and Consistent Change in Behavioural Patterns 

BioCatch, who works with some of the largest banks in Brazil, Mexico and England, builds a behavioural profile of online banking users and alerts when someone or something penetrates the digital account. These are huge banks with dozens of millions of active online users on aggregate, and hundreds of online fraud attacks per day.

Analysing the level of cybercrime attacks during national team matches results in fascinating insights!

To start with, during each of the days in which the national teams of Brazil, Mexico and England played in their groups, the overall level of online banking activity in the respective country dropped like a stone.

When comparing the number of sessions during the match day with that of the same day on the previous week, the general traffic level has dropped by double digit figures. People were far less busy banking online than the norm.

The drop was so significant in Brazil – a 36% decline – that our monitoring system actually alerted on a lower-than-expected level of activity in one of the major banks. The tech support team thought it’s some sort of malfunction and contacted the bank; the response, coming in a Whatsapp message, was: ‘all is well, traffic is low because the entire country is watching the national team play football’.

Know Your Criminals

Looking at the level of online fraud during the 9 match days shows an even more interesting picture.

In two of the countries the number of online fraud attempts dropped by a few dozen percentage points compared to same day in the prior week, while in the third country the number of cybercrime attacks actually increased. And there’s a perfectly logical explanation as of why.

Here are the results, divided into rounds in the group phase:


Round 1 


Brazil (June 17, 1-1 vs. Switzerland): -39%

Mexico (June 17, 1-0 vs. Germany): -70%

England (June 18, 1-1 vs. Tunisia): +6%


During the three matches of the first round in group stage, there was a massive decrease of cybercrime attacks against online banking customers in Brazil (39%) and Mexico (70%). During the match day of England, however, cyber attacks increased by 6% compared to the prior week.


Round 2 



Brazil (June 22, 2-0 vs. Costa Rica): -33%

Mexico (June 23, 2-1 vs. South Korea): -90%

England (June 24, 6-1 vs. Panama): +5.5%


The same interesting phenomenon was observed in the second round of the group stage. Significant decline in online fraud activity occurred during the days where Brazil (33%) and Mexico (90%) played. When Southgate’s side played, Cyber attacks increased by 5.5%.


Round 3



Brazil (June 27, 2-0 vs. Serbia): -21%

Mexico (June 27, 0-3 vs. Sweden): -87%

England (June 28, 0-1 vs. Belgium): +24%


At the last round, the South American teams did not disappoint and carried out with a similar trend, while Cyber attacks in England jumped by 24%.


Location, Location, Location

So what’s the deal here? Why did the cyber criminals targeting Brazil and Mexico curb their offensive, while the ones targeting England gear it up?

The answer stems from the identity of those criminals.

Most cyber attacks in Latin America are local. Brazilian online banking users are targeted by local crime rings in Brazil, and the same applies to Mexico, where the majority of fraud originates within the country. In these cases it makes sense for the Olympic Truth to be kept: the attackers are patriotic Brazilians and Mexicans who share the national pride, feeling this isn’t the right time to pick up on fellow countrymen, and as a result – hold their fire. The love of football in Latin America crosses races, believes and cultures, and the joint interest creates a temporal social solidarity, leading to a more restrained online aggression.

It’s also likely that many of the cybercriminals are busy themselves with cheering up the national team and watching the match, but we’ve noticed that the drop of fraud attempts doesn’t just happen at the specific hours of the match, but rather throughout the entire match day. This should support the notion that we’re witnessing a modern variant of the ancient Olympic Truce.

The majority of attacks on British banks, however, originate from East Europe. These people do not share the same ecosystem, do not feel part of the same community, and have no particular attachment to the England dream of bringing football home. They see the temporary distraction of the World Cup as a rare opportunity to catch people off guard.


The Russian National Team Mystery

Another intriguing piece of data emerges when looking at the level of cybercrime attacks against banks in the UK. On the day prior to the starting whistle of the World Cup, the number of attacks peaked; in fact, it was the busiest day in all of June. It’s as if the fraudsters wanted to clean their desks before the start of the tournament.

The following day had Russia play in the World Cup opening match. The number of attacks dropped by over 66%. A similar trend was observed each time the Russian national team played a match in the group stage.

What’s driving this peculiar behaviour? We’ll let the readers drive their own conclusions.

To summarise, hackers and Internet thieves are, first and foremost, human beings, and it makes perfect sense that they are football fans like any of us. The decrease measured in online fraud attempts targeting Brazil and Mexico is caused by the fact the attackers in those countries are typically local, sharing the national pride and sense of destiny just like their victims, and probably also watching the matches themselves. In these cases the Olympic Truce is held.

The same isn’t true for those who attack the English users. They’re outsiders, foreign to the notion of alignment around the England national football team, and see the World Cup as an opportunity to increase the success rate and damage of fraud attacks. As for the interesting correlation between fraud levels in the UK and the times when Russia’s national team plays, we’ll let the readers be the referees of that...


Comments: (1)

Janne Jutila
Janne Jutila - Signicat AS - Espoo, Finland / Oslo, Norway 17 July, 2018, 08:391 like 1 like

Highly interesting and funny piece of research - if it is fair to say so in the context of such a grim subject. Pity that foodball didn't come home yet...

Uri Rivner

Uri Rivner

CEO and Co-Founder

Refine Intelligence

Member since

14 Apr 2008


Tel Aviv

Blog posts




This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

See all

Now hiring