When Hackers Join the Game: The Emerging Cyber Dimension of Sport Diplomacy

Sport as a Diplomatic Instrument, Now With a Digital Front Line

Sport has long functioned as a proxy battlefield for national prestige. States have used Olympic medal counts, World Cup hosting rights, and high-profile victories to project strength, legitimacy, and soft power for as long as international sport has existed in its modern form — from Cold War-era Olympic boycotts to the intense diplomatic stakes surrounding World Cup hosting bids today. What's changing is the terrain on which that contest now plays out. As sporting organizations, leagues, and national federations have become thoroughly dependent on digital infrastructure — ticketing systems, broadcast technology, athlete data, sponsorship negotiations, transfer dealings — they have also inherited an entirely new attack surface, one that intersects directly with the diplomatic and geopolitical stakes that make sport matter to states in the first place.

This emerging cyber dimension of sport diplomacy deserves serious attention for a simple reason: the same qualities that make sporting events diplomatically significant — global visibility, national symbolism, enormous sums of money moving across borders, and tight, inflexible timelines — are precisely the qualities that make them attractive targets for cyber operations, whether criminal, opportunistic, or state-aligned.

Two Cases That Illustrate the Threat

The November 2020 ransomware attack on Manchester United offers a useful illustration of how a purely criminal cyberattack can carry consequences that ripple into reputational and even geopolitical territory once a club operates at sufficient scale and visibility. The attack hit the club's systems on November 20, 2020, forcing it to shut down affected systems to contain the damage; the club described the operation as sophisticated and confirmed it was working with the UK's National Cyber Security Centre to investigate and recover. While Manchester United maintained that supporter data did not appear to have been compromised, UK media reports in the following weeks claimed that attackers had accessed sensitive material from the club's scouting system, including confidential information on transfer targets. Because Manchester United is listed on the New York Stock Exchange, the incident also carried potential exposure under U.S. Treasury sanctions guidance on ransomware payments, alongside potential GDPR liability in the UK — meaning a single ransomware incident against a football club could plausibly trigger cross-jurisdictional regulatory consequences spanning UK data protection law and U.S. financial sanctions enforcement simultaneously. That overlap is itself a small case study in how thoroughly modern sport now sits inside the same legal and regulatory architecture as any multinational financial institution, despite still being perceived culturally as just a game.

The Lazio case, while smaller in scale, demonstrates a different and arguably more common vulnerability: business email compromise exploiting the financial mechanics of player transfers. In 2018, the Italian Serie A club was tricked into paying roughly €2 million to fraudsters posing as representatives of Feyenoord, the Dutch club from which Lazio had purchased defender Stefan de Vrij. The scammers appeared to have detailed insider knowledge of the outstanding balance owed on the transfer, crafted a convincing email impersonating Feyenoord, and successfully redirected the final installment payment to a fraudulent Dutch bank account. Feyenoord had no knowledge of the email and never received the funds; the money was eventually traced to an account unconnected to either club. Cybersecurity researchers who examined the incident noted that it reflected a now-familiar pattern in football-related fraud: international transfer payments are large, time-sensitive, and routed through email-based negotiation between organizations that don't have long-standing banking relationships with each other — exactly the conditions that make business email compromise schemes effective.

Together, these cases sketch out two distinct but related vulnerabilities in modern sport: operational disruption capable of threatening the integrity or scheduling of competition itself, and financial fraud exploiting the opaque, high-value, cross-border transactions that increasingly define how sporting organizations do business. Both occurred against football clubs rather than nation-states or Olympic committees, which is itself worth noting — much of the most visible cyber harm documented in sport so far has hit club-level and commercial targets rather than the marquee state-versus-state competitions like the Olympics, even though the diplomatic stakes are usually framed around the latter.

Why This Matters for Diplomacy, Not Just Cybersecurity

The natural objection to treating these incidents as a diplomacy story rather than a pure cybersecurity story is that neither the Manchester United nor the Lazio incident has been publicly attributed to a state actor; both look, from available reporting, like financially motivated criminal activity. That's a fair distinction, and it's one worth being precise about. But the diplomatic relevance of cyber vulnerability in sport doesn't require every incident to be state-sponsored to matter strategically. A few dynamics make the connection real even when individual attacks are criminal rather than geopolitical:

First, marquee international events — the Olympics and World Cups in particular — have already demonstrated that they attract state-aligned cyber operations specifically because of their diplomatic visibility, separate from the club-level incidents discussed above. Disruption of an Olympic opening ceremony or a host nation's event infrastructure carries direct reputational stakes for the host government, making these events qualitatively different targets than a single club's email system, even if the attack vector (ransomware, phishing, network intrusion) looks similar on a technical level.

Second, the financial scale of modern sport means that even criminal, non-state cyberattacks can produce diplomatically relevant friction — cross-border financial disputes, regulatory exposure across multiple national jurisdictions, and reputational damage to institutions that function as informal national symbols. A breach affecting a club like Manchester United isn't purely a corporate IT problem; it touches UK data protection regulators, U.S. financial authorities, and a fan base that treats the club's standing as a matter of regional or even national pride.

Third, and most speculatively, the same vulnerabilities exploited by financially motivated criminals — email-based social engineering, ransomware against under-defended IT infrastructure, exploitation of time pressure around marquee events — are technically identical to the tools state-aligned actors would use for espionage or deliberate disruption. The absence of confirmed state attribution in the cases above doesn't mean the attack surface is different; it means the documented motive, so far, has been financial rather than geopolitical. That's a meaningful but narrower claim than saying sport is immune from state-level cyber threats.

The Governance Gap

What both cases ultimately expose is a maturity gap: sporting organizations, even ones operating at the financial scale of a publicly listed Premier League club, have not historically been built or staffed with the cybersecurity rigor of comparable financial institutions, despite handling comparably large, time-sensitive cross-border transactions. Manchester United's own statement noted it had "rehearsed" for a cyberattack and still suffered weeks of disruption; Lazio's finance department processed a fraudulent multimillion-euro transfer without the kind of verification protocol (a simple confirming phone call, for instance) that more mature financial institutions would treat as standard practice for large wire transfers.

This points to a useful research direction: examining not just whether sporting organizations are targeted, but whether the governance structures around international sport — anti-doping bodies, transfer regulation systems, hosting-rights organizations — have kept pace with the cybersecurity maturity expected of comparably resourced institutions in other sectors. Given how directly these organizations now intersect with state diplomatic interests, particularly around hosting rights and major events, that gap is not merely an IT problem for individual clubs to solve internally — it is increasingly a question of how international sport governance should incorporate cybersecurity standards and incident-response coordination as a formal part of how major events and high-value transactions are sanctioned and overseen.

Where the Research Agenda Should Go From Here

Future work in this space would benefit from distinguishing more sharply between three categories that are easy to blur together: criminal cyberattacks against sporting organizations motivated by financial gain (Manchester United, Lazio); state-aligned cyber operations targeting marquee international events for geopolitical or disruptive purposes; and the data governance and regulatory frameworks — GDPR, cross-border financial sanctions regimes, sport-specific governance bodies — that determine how incidents in each category get investigated, disclosed, and resolved. Treating all three as a single undifferentiated "cyber threat to sport" risks overstating the geopolitical dimension of incidents that are, so far, predominantly criminal and financially motivated, while understating the genuinely distinct and higher-stakes risk profile of state-aligned operations against events like the Olympics, where the diplomatic stakes are unambiguous and the attacker's incentives are different in kind, not just in scale.