The World Cup of Malware

Sandra Proske

13.07.18 3 min. read

Thirty-two countries compete in the World Cup every four years, but there’s a global battle going on in cyber space every day.

F-Secure deploys an international network of decoy “honeypot” servers that attract the attention of attackers so we can track the latest cyber threats. After more than a year of running these honeypots, our researchers can say that some countries seem to be on the cyber offense, while everyone needs a strong defense.

So while we’re waiting to find out if France or Croatia wins this year’s Cup, we decided to find out which country is winning the World Cup of Malware. And the results were surprising, even to our researchers.

First, let’s jump back to the end of 2017 to do a little seeding:

Solid competitors all around and pretty consistent with what we saw in mid-2017.

But you never know who is going to step up their game, or slip a bit.

When you have a global honeypot network at your disposal, you don’t have to wait for results. So without any further ado, here are the “winners” of the 2018 World Cup of Malware, based on data pulled just this week:


The United States didn’t even qualify for the actual World Cup, but traffic from IP addresses in the U.S. came in first, followed by the Netherlands, France, Iran, Italy and former #1 seed Russia.

Russia’s loss in the quarterfinals of the World Cup was a surprisingly strong showing for the World Cup host. But it’s a far less surprising result than the country falling from first seed to sixth place in the World Cup of Malware.

Malware is a bit like the players in the cup when it comes to nationality.

Thierry Henry is France’s all-time record goalscorer, but now he’s a coach for Belgium. Just as a player doesn’t have to play for the country where he or she was born, the presence of a country on the list does not necessarily indicate that the people behind an attack are inside that country. There are several ways attackers leverage proxies to cloak their attacks, including VPNs, Tor, and compromised machines or infrastructure.

While there is only so much honeypots can tell us, they provide excellent data revealing high-level patterns and trends, such as how attackers, self-replicating botnets, and other sources find targets.

Leszek Tasiemski, F-Secure’s Vice President of Cyber Security Products R&D, notes that the most prevalent sort of malware are variations of Mirai, which was used to carry out the largest denial-of-service attacks in history. That attack happened in 2016, but this data confirms that Mirai is still very much active. So IoT devices, like cameras and routers, are still potential targets.

Austria, USA, UK, Ukraine and Germany were the countries where our honeypots caught the most attacks. But Leszek notes that just as much of the world is briefly united in its focus on the World Cup, malware also brings us all together.

Honeypots in all countries get their fair share of various malware samples. And that will probably be just as true in 2022 as it is now, unfortunately.
