Iran-Linked Hackers Just Leaked Saudi Athletes’ Medical and Financial Data—Here’s What We Know

The420.in

In a bold cyberattack, the Iran-linked “Cyber Fattah” group has leaked thousands of sensitive records from the Saudi Games, one of Saudi Arabia’s largest national sporting events. The breach, announced on Cyber Fattah’s Telegram channel at 6:27 PM PST, exposed personal details of athletes, visitors, and officials, raising concerns about cybersecurity and regional tensions.

This incident, viewed by cybersecurity firm Resecurity as part of Iran’s broader anti-Saudi, anti-US, and anti-Israel propaganda campaign, highlights the growing threat to major sports events worldwide. Here’s a detailed look at the breach, its implications, and what can be done to prevent future attacks.

What Happened?

The attackers, operating under the Cyber Fattah banner, gained unauthorized access to the Saudi Games’ backend systems through phpMyAdmin, a widely used database management tool. They exfiltrated data in the form of SQL dumps, which were later shared on a Dark Web forum by a burner account known as “ZeroDayX.”

The leaked data includes:

  • Personal information of over 6,000 athletes and visitors, such as names, addresses, and contact details.
  • Scanned copies of passports, ID cards, and medical examination certificates.
  • Financial records, including International Bank Account Numbers (IBANs) and bank statements.
  • Credentials of IT staff managing the event’s systems.
  • Details of government officials involved in the Saudi Games.

The breach was first detected in early May 2025, when non-public claims about the compromise surfaced on the Dark Web. Resecurity, which has been tracking the incident, noted that the SQL dump was created on May 5, 2025, indicating the hackers had access to the data for weeks before the public leak.

Read Full Report: Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games

Why the Saudi Games?

The Saudi Games, an annual multi-sport event featuring 53 sports and thousands of athletes, is a cornerstone of Saudi Arabia’s Vision 2030. It aims to improve quality of life, inspire youth, and build a competitive sports culture. The event’s prominence and its ties to the Kingdom’s national agenda made it a prime target for Iran’s information operations, according to Resecurity.

The attack coincides with escalating tensions between Iran and Israel, as well as ongoing rivalries between Iran and Saudi Arabia for regional influence. Cyber Fattah’s actions appear designed to undermine Saudi Arabia’s reputation as a secure host for global events, especially as the Kingdom prepares to host the Esports World Cup 2025 and the 2026 Gulf Cup and aims to bid for the 2036 Olympics.

Who is Cyber Fattah?

Cyber Fattah, also known as the “Iranian Cyber Team,” is a hacktivist group with ties to Iran’s state-supported cyber operations. The group is part of the “Holy League,” a coalition of Middle Eastern hacktivists targeting Israel, Saudi Arabia, and the United States. Its activities align with Iran’s geopolitical goals, including:

  • Supporting Shia militias in Iraq and Lebanon.
  • Opposing Saudi Arabia’s regional influence.
  • Criticizing U.S. policies, particularly over Iran’s nuclear program.

The group collaborates with other threat actors, such as 313 Team, LulzSec Black, and Cyber Islamic Resistance. It has a history of cyberattacks, including defacing Israeli websites and targeting a solar energy company in Israel with help from Iranian and Lebanese hackers.

Recent propaganda from Cyber Fattah has also targeted U.S. President Donald Trump, suggesting a shift toward broader anti-US messaging. The group’s defacements often feature images of Hezbollah’s former leader Hassan Nasrallah and references to Iran’s Supreme Leader, Khamenei.

The Broader Context

This breach is part of a larger trend where hackers target major sports events for financial, political, and strategic reasons. Resecurity highlights several motivations:

  • Financial Gain: Sensitive data like PII and financial records can be sold on the Dark Web or used for fraud. Ransomware attacks and ticket scams are also common.
  • Political Messaging: High-profile events offer a platform to amplify geopolitical agendas, as seen in Russian cyberattacks on the 2018 Winter Olympics.
  • Disruption: Hackers can target ticketing systems, stadium operations, or broadcasts to cause chaos, as demonstrated by recent DDoS attacks on Truth Social.

The Saudi Games breach follows a pattern of Iran-linked cyberattacks exploiting regional tensions. Hezbollah- and Hamas-linked groups have amplified the incident through digital media, spreading narratives of insecurity in Saudi Arabia.

How Did This Happen?

The attackers exploited vulnerabilities in the Saudi Games’ website, likely through misconfigured phpMyAdmin access. This allowed them to extract multiple databases containing sensitive records. The insecure storage of scanned documents, such as passports and medical forms, made the breach particularly damaging.

Resecurity’s investigations suggest the attacker, ZeroDayX, may have acted as a front for a larger operation. The same actor attempted to monetize the stolen data privately, a common tactic among Iranian hackers who often seek extra income due to low state payments.

What’s at Stake?

The breach poses significant risks:

  • Identity Theft: Exposed PII, passports, and financial details can be used for fraud or blackmail.
  • National Security: Leaked credentials and official records could compromise Saudi Arabia’s event security.
  • Reputation Damage: The incident undermines Saudi Arabia’s efforts to position itself as a global sports hub.
  • Global Precedent: The attack signals that major sports events, from the Olympics to regional tournaments, are vulnerable to state-sponsored cyberattacks.

With Saudi Arabia set to host the Islamic Solidarity Games, Esports World Cup 2025, and the 2026 Gulf Cup, the breach raises urgent questions about cybersecurity. Could other events be next? How can organizers protect sensitive data in an era of interconnected systems?

Resecurity’s Role

Resecurity, a leading cybersecurity firm, has been tracking Cyber Fattah’s activities since May 2025. Through its HUNTER team, which specializes in threat intelligence and investigations, Resecurity acquired the full dataset and shared artifacts with law enforcement. The firm’s human intelligence (HUMINT) efforts provided critical insights into Iran’s cyber operations.

At the Black Hat Middle East & Africa conference, Resecurity unveiled its Digital Identity Protection (IDP) solution, designed to safeguard consumers and businesses. The IDP service offers:

  • Real-time monitoring of the surface, deep, and dark web for compromised data.
  • Early-warning alerts for leaked credentials or PII.
  • Predictive analytics to detect threats before they escalate.
  • Support for incident response and risk management.

Resecurity’s Cyber Threat Intelligence (CTI) services, powered by its Context™ and Risk™ platforms, help organizations identify vulnerabilities and mitigate risks. By tracking threat actors and analyzing indicators of compromise (IoCs), Resecurity equips stakeholders with actionable intelligence to prevent breaches.

Mitigation Strategies

To address the growing threat to sports events, Resecurity recommends:

  • Deploy Digital Identity Protection: Use tools like Resecurity’s IDP to monitor and protect personal data.
  • Secure Backend Systems: Regularly audit and patch tools like phpMyAdmin to prevent unauthorized access.
  • Encrypt Sensitive Data: Store scanned documents and financial records securely to limit exposure.
  • Train Staff: Educate IT teams on phishing, credential theft, and other common attack vectors.
  • Monitor the Dark Web: Use CTI services to detect early signs of compromised data.
  • Prepare for DDoS Attacks: Strengthen website infrastructure to withstand traffic surges.
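
One way to audit the phpMyAdmin exposure named in the "Secure Backend Systems" item is to scan web server access logs for console hits and database exports served to clients outside the management network. The sketch below is an added example, not code from Resecurity or the Saudi Games systems; the admin network, the path aliases, and the sample log lines are constructed assumptions, and the log is assumed to be in combined format.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit
# Assumption: only this management network may reach phpMyAdmin.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: common install aliases; extend to match the deployment.
PMA_PATH = re.compile(r"/(phpmyadmin|pma)(/|$)", re.IGNORECASE)
# Apache/nginx combined log format, fields up to the status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample lines (documentation IP ranges), not incident data.
SAMPLE_LOG = """\
10.20.0.15 - - [01/Jan/2025:09:12:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2025:09:14:44 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2025:09:15:10 +0000] "POST /phpMyAdmin/index.php?route=/export HTTP/1.1" 200 48211934
198.51.100.9 - - [01/Jan/2025:09:16:02 +0000] "GET /pma/ HTTP/1.1" 404 153
198.51.100.9 - - [01/Jan/2025:09:17:30 +0000] "GET /results/2024 HTTP/1.1" 200 20480
"""

def is_admin(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in ADMIN_NETS)

def is_export(url):
    # phpMyAdmin 5.x routes exports as ?route=/export; 4.x used export.php.
    routes = parse_qs(url.query).get("route", [])
    return url.path.lower().endswith("/export.php") or "/export" in routes

def scan(log_text):
    """Return (severity, ip, target, status) for non-admin phpMyAdmin hits."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not PMA_PATH.search(url.path) or is_admin(m["ip"]):
            continue
        status = int(m["status"])
        if status == 200 and is_export(url):
            severity = "critical"  # export served to an outside client
        elif status == 200:
            severity = "high"      # console reachable from outside
        else:
            severity = "info"      # probe that was refused or not found
        findings.append((severity, m["ip"], m["target"], status))
    return findings
```

Any "high" or "critical" finding means the console answers requests from outside the admin network, which is the condition to close with network restrictions and authentication before an event goes live.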

Organizers of major events, from the Esports World Cup to the Olympics, must prioritize cybersecurity. Simple steps, like enforcing strong passwords and multi-factor authentication, can make a big difference.

Looking Ahead

The Saudi Games breach is a wake-up call for event organizers worldwide. As sports events adopt technologies like 5G and biometric tracking, they become more vulnerable to cyberattacks. Hackers, whether driven by profit or politics, will continue to exploit these opportunities.

For Saudi Arabia, the incident underscores the need to bolster cybersecurity as it pursues ambitious goals like hosting the 2036 Olympics. By investing in solutions like Resecurity’s IDP and CTI, the Kingdom can protect its citizens and maintain its reputation as a global sports leader.

The question remains: Will the international community act to secure major events, or will hackers continue to score easy wins? The stakes are high, and the clock is ticking.
