Iran-Linked Threat Actors Leak Visitors and Athletes' Data from Saudi Games
Summary:
On June 22, 2025, the threat group known as "Cyber Fattah" leaked thousands of records stolen from the Saudi Games, a major sporting event in Saudi Arabia. The data, consisting of SQL dumps, included personal information of athletes and visitors. The group gained unauthorized access to the phpMyAdmin backend and exfiltrated records from the Saudi Games 2024 registration system. Resecurity attributes the breach to an Iranian-linked information operation aimed at spreading propaganda against the United States, Israel, and Saudi Arabia. The attack was publicized via Cyber Fattah's Telegram channel shortly after DDoS attacks on Truth Social, following U.S. airstrikes on Iranian nuclear sites. The Saudi Games, a key initiative under the Kingdom's Vision 2030 strategy, featured over 6,000 athletes and 53 sports. It aims to develop a competitive sports generation in Saudi Arabia. The data breach involved sensitive information including passports, ID cards, medical certificates, bank records, and IT staff credentials. The incident is part of a broader pattern where Iran and its proxies exploit high-profile social and sporting events to promote destabilizing narratives.
The breach was first noted on the dark web in early May 2025. The actor known as "ZeroDayX" used a burner profile to distribute the stolen data, a tactic often used to obscure attribution. Some of the stolen information was monetized privately by individuals likely aligned with Iranian interests. According to Resecurity, these actors are often underpaid and seek to profit independently, increasing operational risk. Through human intelligence sources, Resecurity obtained the full dataset, which goes beyond the limited information publicly leaked.
Security Officer Comments:
Cyber Fattah’s activities reflect a growing trend of ideologically driven hacktivism in the Middle East, where cyber warfare is used to advance political agendas. The group, identifying as the “Iranian Cyber Team,” has previously collaborated with other pro-Iranian and anti-Israel entities such as 313 Team, LulzSec Black, and Cyber Islamic Resistance. Its past campaigns have included attacks on Israeli infrastructure and defacements featuring Hezbollah-linked propaganda. This attack also underscores the increasing threat landscape facing international sporting events. Hackers target such events for various reasons including financial gain, political messaging, espionage, and disruption.
Suggested Corrections:
To mitigate threats like the breach of the Saudi Games, organizations should begin by restricting and closely monitoring access to backend systems such as phpMyAdmin. These interfaces should never be exposed to the public and must be protected using IP allowlists, multi-factor authentication, and VPN access controls. Sensitive data stored in databases should be encrypted both at rest and in transit, with strict role-based access controls to limit who can view or export information. Regular vulnerability assessments are essential to detect misconfigurations or exploitable flaws before threat actors do. To catch intrusions early, security teams should deploy deception tools such as honeypots and decoys, and ensure all activity is logged and monitored through a centralized SIEM platform. Organizations should also be prepared for information operations by monitoring the dark web and hostile propaganda channels, and be ready to respond with coordinated communications if a breach occurs.
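An added example, not part of the original advisory or Resecurity's report: one way to monitor phpMyAdmin access as recommended above, by flagging access-log requests that reach the interface from outside an IP allowlist and marking export activity. The allowlist, the `/phpmyadmin` and `/pma` paths, the export endpoint patterns and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: management networks permitted to reach phpMyAdmin (constructed values).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Apache/nginx combined log format, parsed up to the response size field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# Assumption: the interface lives under /phpmyadmin or /pma on this host.
PMA_RE = re.compile(r"/(phpmyadmin|pma)(/|$)", re.I)
# Assumption: exports go through export.php or a route=/export style URL.
EXPORT_RE = re.compile(r"export\.php|route=(/|%2F)(\w+(/|%2F))?export", re.I)

def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in ALLOWLIST)

def classify(path, status):
    if status >= 400:
        return "blocked"        # control held; still worth trending
    if EXPORT_RE.search(path):
        return "export"         # bulk data may have left via the export feature
    return "reached"            # interface answered a non-allowlisted address

def triage(lines):
    """Return (severity, ip, timestamp, path, bytes) for off-allowlist phpMyAdmin hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PMA_RE.search(m["path"]) or is_allowed(m["ip"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append((classify(m["path"], int(m["status"])),
                         m["ip"], m["ts"], m["path"], size))
    return findings

# Constructed sample log lines (documentation-range addresses, not incident data).
SAMPLE = [
    '10.20.0.5 - - [01/Jan/2025:09:12:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120',
    '203.0.113.44 - - [01/Jan/2025:09:14:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 199',
    '198.51.100.7 - - [01/Jan/2025:09:15:02 +0000] "GET /phpmyadmin/index.php?route=/database/structure&db=reg HTTP/1.1" 200 20113',
    '198.51.100.7 - - [01/Jan/2025:09:15:33 +0000] "POST /phpmyadmin/index.php?route=/export HTTP/1.1" 200 48211934',
    '203.0.113.44 - - [01/Jan/2025:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
```

Any "reached" or "export" finding means the allowlist is not being enforced in front of the interface; forwarding these tuples to the SIEM gives an alert keyed on severity and response size.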
Link(s):
https://www.resecurity.com/blog/art...k-visitors-and-athletes-data-from-saudi-games