Argentine Football Association Compromised via Year-Old Infostealer Infection
The Argentine Football Association (AFA) may have been compromised by attackers who exploited an infostealer infection dating back to September 2025, leading to stolen credentials and administrative access.

The Argentine Football Association (AFA) may have fallen victim to a cyberattack stemming from an infostealer infection that occurred nearly a year prior, according to security researchers at Hudson Rock. The incident is suspected to be the work of disgruntled football fans, potentially motivated by a controversial World Cup match where Argentina eliminated Egypt.
Evidence suggests that a device belonging to an AFA software developer, who had been with the organization for approximately a decade, was infected with an infostealer on September 8, 2025. Hudson Rock's database of infostealer victims flagged the compromised machine the following day. The attackers either patiently held onto the stolen credentials for almost a year or acquired them after Egypt's contentious elimination from the World Cup.
Once the attackers gained access using the compromised credentials, they likely achieved extensive administrative control over AFA's systems. This access would have provided them with direct entry to phpMyAdmin database management panels, root access to certain AFA databases, and control over the management portals for the AFA's training headquarters, media operations, and competition management systems.
Researchers noted that the stolen credentials exhibited a pattern of weak, easily guessable passwords that were reused across multiple internal AFA systems. This reuse significantly amplified the potential impact of the initial infostealer infection, turning a single compromised device into a gateway for widespread system access.
The breach became apparent when mass emails were dispatched from legitimate AFA domains, falsely claiming that Argentina had "stolen" the World Cup win from Egypt. These emails, sent from the afasistemas.com.ar domain, served as an early indicator of the attackers' access and their intent to publicize the compromise.
Beyond the unauthorized emails, Hudson Rock identified posts on cybercrime forums advertising AFA data for sale. The advertised data reportedly included sensitive information such as internal email addresses, phone numbers, user roles, and registration timestamps for staff, professional clubs, and external media partners. While most passwords were securely hashed, a small number were found in plaintext, indicating a significant security lapse.
"The AFA breach is a textbook example of how devastating a single, unmitigated infostealer infection can be," Hudson Rock stated. They highlighted that a compromised developer's machine with high-level access could grant threat actors direct database administration rights and the ability to send authenticated internal communications. The prolonged dormancy of the stolen credentials likely contributed to a false sense of security within the AFA, leaving them unaware of the latent threat.
The AFA acknowledged the incident, stating it was investigating the potential unauthorized access with its IT team after receiving numerous suspicious emails. The organization confirmed it was working to clarify the situation and implement necessary security measures.