The World Cup of Malware

Security & Privacy

Thirty-two countries compete in the World Cup every four years, but there’s a global battle going on in cyber space every day.

F-Secure deploys an international network of decoy “honeypot” servers that attract the attention of attackers so we can track the latest cyber threats. After more than a year of running these honeypots, our researchers can say that some countries seem to be on the cyber offense, while everyone needs a strong defense.

So while we’re waiting to find out if France or Croatia wins this year’s Cup, we decided to find out which country winning the World Cup of Malware. And the results were surprising, even to our researchers.

First, let’s jump back to the end of 2017 to do a little seeding:

Solid competitors all around and pretty consistent with what we saw in mid-2017.

But you never know who is going to step up their game, or slip a bit.

When you have you have global honeypot network at your disposal, you don’t have to wait for results. So without any further ado, here are the “winners” of the 2018 World Cup of Malware, based on data pulled just this week:


The United States didn’t even qualify for the actual World Cup, but traffic from IP addresses in the U.S. came in first followed by the Netherlands, France, Iran, Italy and former #1 seed Russia.

Russia’s loss in the quarterfinals of the World Cup was a surprisingly strong showing for the World Cup host. But it’s far less surprising result than the country falling from first seed to sixth place in the World Cup of Malware.

Malware is a bit like the players in the cup when it comes to nationality.

Thierry Henry is France’s all-time record goalscorer, but now he’s a coach for Belgium. Just as a player doesn’t have to play for the country where he or she was born, the presence of a country on the list does not necessarily indicate the people behind an attack are inside that country. There are several methods attackers leverage proxies to cloak their attacks, including VPNs or TOR, and compromised machines or infrastructure.

While there is only so much honeypots can tell us, they provide excellent data revealing high-level patterns and trends, such as how attackers, self-replicating botnets, and other sources find targets.

Leszek Tasiemski, F-Secure’s Vice President of Cyber Security Products R&D, notes that the most prevalent sort of malware are variations of Mirai, which was used to carry out the largest denial of service attacks in history. That attack happened in 2016 but this data confirms that Mirai is still very much active. So IoT devices, like cameras and routers, are still potential targets.

Austria, USA, UK, Ukraine and Germany were the countries were our honeypots caught the most attacks. But Leszek notes that just as much of the world is briefly united in its focus on the World Cup, malware also brings us all together.

Honeypots in all countries get their fair share of various malware samples. And that will probably just as true in 2022 as it is now, unfortunately.


#World Cup

Rate this article

4 votes


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

You might also like