Racing Into Danger: Advanced Cyber Threats Targeting Formula 1 Fans and Teams Ahead of the Dutch Grand Prix

Cybercriminals are exploiting Formula 1’s expanding digital ecosystem ahead of the Dutch Grand Prix with attacks that include deepfake impersonation of team executives, malicious mobile apps, hospitality fraud rings, NFT and cryptocurrency scams, telemetry data interception, and supply-chain compromise. Recommended countermeasures include deepfake detection and out-of-band verification of unusual requests, external digital risk monitoring, strict vendor vetting, and guidance to fans to buy only from verified sellers and install only official apps.

Keypoints

  • Deepfake attacks have targeted F1 executives (e.g., attempted impersonation of Ferrari CEO Benedetto Vigna and deepfake content involving Toto Wolff), prompting adoption of challenge-response verification and AI detection tools.
  • Malicious unofficial F1 mobile apps (ghost apps, fake games, unofficial streaming apps) install hidden malware, request excessive permissions, and persist as background processes to deliver further payloads or display scams.
  • Coordinated hospitality fraud networks used professional-looking sites and misleading VAT/discount claims to swindle customers of over £1 million before regulators shut down linked operators.
  • NFT and cryptocurrency schemes (fake team tokens, rug pulls, sleepminting, wash trading) leverage prominent crypto sponsorships in F1 to deceive investors and fans, with regulatory changes potentially creating exploitable confusion.
  • Telemetry and race data are high-value targets: risks include RF jamming, sensor-stream corruption, poisoning of AI strategy models, and exposure via leaked API tokens, misconfigured cloud storage, or counterfeit portals.
  • Supply-chain and communications weaknesses surfaced in 2024 phishing compromises of FIA email accounts, exposing sensitive regulatory, medical, and contractual information across teams and stakeholders.
  • Fans face expanded travel and accommodation fraud (phantom operators, dynamic pricing manipulation, package bundling fraud), exemplified by the 2024 Camping F1 Ltd collapse leaving many without refunds.
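The ghost-app and excessive-permission traits listed above can be checked statically before an unofficial app is installed. The following is an added example, not CloudSEK's code: it parses an AndroidManifest.xml and flags an app that declares no launcher activity (so it has no icon), asks for permissions a racing news or streaming app has no plausible need for, and registers a boot receiver and background service that let it stay resident. Both manifests are constructed for illustration and the package names are hypothetical.

```python
"""Static triage of an AndroidManifest.xml for the traits the keypoints
attribute to malicious F1 apps: no launcher icon (a "ghost app"), permissions
a racing app should not need, and a boot receiver plus background service
that let it persist and fetch further payloads.

Added example, not CloudSEK's code. Both manifests are constructed and the
package names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that a news, streaming or game app about F1 should not need.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed: an unofficial "F1 live stream" app with ghost-app traits.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.f1livestream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="F1 Live">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PayloadService"/>
  </application>
</manifest>
"""

# Constructed: a plain news app that behaves as a normal app should.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.racenews">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Race News">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _name(elem):
    return elem.get(ANDROID_NS + "name")


def _filter_has(intent_filter, action=None, category=None):
    actions = {_name(a) for a in intent_filter.findall("action")}
    categories = {_name(c) for c in intent_filter.findall("category")}
    return (action is None or action in actions) and (category is None or category in categories)


def triage_manifest(xml_text):
    """Return a report dict; 'suspicious' is True when the app hides its icon
    or declares two or more permissions from RISKY_PERMISSIONS."""
    root = ET.fromstring(xml_text)
    perms = {_name(p) for p in root.iter("uses-permission")}

    # An app with no MAIN/LAUNCHER activity shows no icon in the launcher.
    has_launcher = any(
        _filter_has(f, "android.intent.action.MAIN", "android.intent.category.LAUNCHER")
        for act in root.iter("activity") for f in act.findall("intent-filter")
    )
    # Receivers on BOOT_COMPLETED restart the app after every reboot.
    boot_receivers = [
        _name(r) for r in root.iter("receiver")
        if any(_filter_has(f, action="android.intent.action.BOOT_COMPLETED")
               for f in r.findall("intent-filter"))
    ]
    risky = sorted(perms & RISKY_PERMISSIONS)
    report = {
        "package": root.get("package"),
        "ghost_app": not has_launcher,
        "risky_permissions": risky,
        "boot_receivers": boot_receivers,
        "services": [_name(s) for s in root.iter("service")],
    }
    report["suspicious"] = report["ghost_app"] or len(risky) >= 2
    return report


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The permission list is a starting point, not a rule: a legitimate app with a clear reason for one of these permissions will still be flagged, so treat a hit as a reason to inspect the APK, not as a verdict.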

MITRE Techniques

  • [T1213] Data from Information Repositories – Attackers target telemetry and performance datasets (engine traces, aerodynamic metrics, tyre models) by hunting for leaked API tokens and misconfigured cloud buckets: ‘monitoring for leaked API tokens or RF configuration files on forums and paste sites, spoofed “Race Guide” or team portals harvesting logins, and misconfigured cloud buckets’.
  • [T1608.001] Stage Capabilities: Upload Malware – Malicious F1 mobile applications run hidden background processes and fetch additional payloads from C2 servers: ‘communicate with remote command-and-control servers, and can download additional malware payloads post-installation’.
  • [T1583.001] Acquire Infrastructure: Domains – Hospitality fraud rings registered domains for professional-looking sites that impersonate authorised sellers and harvest payments: ‘creating professional-looking websites with legitimate design… collecting VAT payments without proper registration’. The same operators rebuild after enforcement action: ‘operators quickly establish new entities when one company is shut down’.
  • [T1656] Impersonation – AI-generated audio and video of executives used for high-value fraud (the Ferrari near-miss, resolved with a challenge-response check) and for reputation abuse: ‘AI “deepfake porn” using his likeness’.
  • [T1628.001] Hide Artifacts: Suppress Application Icon (Mobile ATT&CK) – Ghost apps run with no visible icon and open scam pages or background tasks to stay resident on the device: ‘ghost apps – malicious applications that install without visible icons, periodically opening scam webpages’.
  • [T1566] Phishing – Phishing against FIA staff compromised email accounts and the sensitive communications held in them: ‘phishing attacks compromised two email accounts, potentially exposing personal data of drivers, team members, and stakeholders’.
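The challenge-response check credited with stopping the Ferrari deepfake call works because the answer travels over a channel the real executive controls and the caller does not. The block below is an added example of that pattern, not Ferrari's or CloudSEK's procedure. Its design is assumed: the person taking the call triggers a challenge, a short random code is delivered only to the executive's registered device or pre-agreed messaging app (the `deliver` hook is hypothetical), and the caller must read it back. Codes expire, are single-use, and three wrong readbacks lock the request.

```python
"""Out-of-band challenge-response for a request that arrives by voice or
video call. Added example, not Ferrari's or CloudSEK's procedure.

Assumed design: the code goes only to a channel the real executive
controls, so a caller who merely sounds like the executive never sees it.
Codes expire, are single-use, and a few wrong answers lock the request.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # a code older than this is refused
MAX_ATTEMPTS = 3         # wrong readbacks before the request is locked


class OutOfBandVerifier:
    def __init__(self, deliver, clock=time.time):
        # deliver(principal, message) pushes text to the principal's registered
        # channel. Hypothetical hook; in practice an SMS, push or chat integration.
        self._deliver = deliver
        self._clock = clock
        self._pending = {}   # request_id -> state

    def start(self, principal, request_summary):
        """Issue a challenge for a request claimed to come from `principal`."""
        code = f"{secrets.randbelow(10**8):08d}"
        request_id = secrets.token_hex(8)
        self._pending[request_id] = {
            "principal": principal,
            # store only a hash so a memory dump does not leak live codes
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._deliver(principal, f"Code {code} confirms: {request_summary}")
        return request_id

    def verify(self, request_id, spoken_code):
        """Check what the caller read back. Returns one of
        'verified', 'wrong_code', 'locked', 'expired', 'unknown_request'."""
        state = self._pending.get(request_id)
        if state is None:
            return "unknown_request"
        if self._clock() > state["expires"]:
            del self._pending[request_id]
            return "expired"
        state["attempts"] += 1
        offered = hashlib.sha256(spoken_code.strip().encode()).digest()
        if hmac.compare_digest(state["digest"], offered):   # constant-time compare
            del self._pending[request_id]                    # single use
            return "verified"
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[request_id]
            return "locked"
        return "wrong_code"


def simulate_calls():
    """Walk three scenarios with a controllable clock; returns their outcomes."""
    now = [1_000_000.0]
    inbox = {}   # principal -> last message on the registered channel (simulated)
    verifier = OutOfBandVerifier(lambda who, msg: inbox.__setitem__(who, msg),
                                 clock=lambda: now[0])

    # 1. Real CEO on the call reads the code from their own registered device.
    rid = verifier.start("ceo", "urgent wire transfer for an acquisition")
    genuine = verifier.verify(rid, inbox["ceo"].split()[1])

    # 2. Deepfaked caller never receives the code, guesses, and gets locked out.
    rid = verifier.start("ceo", "urgent wire transfer for an acquisition")
    guesses = [verifier.verify(rid, g) for g in ("12345678", "00000000", "87654321")]

    # 3. Code read back after the validity window closed.
    rid = verifier.start("ceo", "NDA for a confidential deal")
    now[0] += CODE_TTL_SECONDS + 1
    stale = verifier.verify(rid, inbox["ceo"].split()[1])

    return {"genuine": genuine, "deepfake": guesses, "stale": stale}


if __name__ == "__main__":
    print(simulate_calls())
```

The control is only as strong as the registered channel: if the attacker has also taken over the executive's phone number or chat account, the code reaches them too, so the channel should be enrolled in person and changes to it treated as a high-risk event.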

Indicators of Compromise

  • [Domains] Hospitality fraud and fake reseller websites – sites impersonating Prive Global Events, domains linked to Foresea Limited, and other reseller sites tied to the ring; no domain strings are given in the source summary.
  • [Apps] Malicious mobile packages and ghost apps – fake F1 games and unofficial streaming apps that run hidden background processes; package names are not given.
  • [Credentials/API Tokens] Leaked telemetry access tokens and exposed keys – API tokens and RF configuration files posted on forums or paste sites and used to reach telemetry streams.
  • [Payment Details/Banking] Fraudulent vendor payment instructions – VAT collected without registration and bank-transfer requests for hospitality packages, including scam invoices used by the ring and similar booking frauds.
  • [Project/Token Names] Fake NFT and team token launches – counterfeit fan-token projects impersonating official teams and rug-pull NFT collections on F1 themes; no project names are given.
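The leaked-token indicator above is only actionable if something is actually looking for tokens in scraped forum and paste-site text. The following is an added example of that monitoring step, not CloudSEK's code. It assumes three token shapes worth matching (AWS access key IDs, JSON Web Tokens, and generic `key=value` secrets) and a Shannon-entropy threshold so that obvious placeholders are not reported; the paste is constructed, and the AWS key is Amazon's documented example value, not a live credential.

```python
"""Scan text scraped from a forum post or paste site for leaked telemetry
access credentials. Added example, not CloudSEK's monitoring code.

Assumed token shapes: AWS access key IDs, JWTs and generic key=value secrets,
with an entropy floor for the generic case. The paste is constructed.
"""
import base64
import json
import math
import re
from collections import Counter

GENERIC_MIN_ENTROPY = 3.5   # bits per character; 'aaaa...' scores 0.0

PATTERNS = {
    # 'AKIA' followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # base64url header.payload.signature; the header always starts with 'eyJ' ('{"')
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    # api_key=..., token: "...", secret=... with a value of 20+ characters
    "generic_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}


def shannon_entropy(s):
    """Bits per character; random material scores high, placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough of the value to triage it without re-leaking it."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text):
    """Return findings as [{kind, line, value}] with values redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in seen:
                    continue
                if kind == "generic_secret" and shannon_entropy(value) < GENERIC_MIN_ENTROPY:
                    continue   # placeholder such as 'aaaaaaaa...'
                seen.add(value)
                findings.append({"kind": kind, "line": lineno, "value": redact(value)})
    return findings


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed paste: what a careless contractor might drop on a forum.
SAMPLE_JWT = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                       _b64url({"sub": "telemetry-ingest", "scope": "read"}),
                       "Qm9ndXNTaWduYXR1cmVGb3JJbGx1c3RyYXRpb24"])   # bogus signature
SAMPLE_PASTE = "\n".join([
    "# f1 telemetry ingest creds, found in old repo lol",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "TELEMETRY_API_KEY=8fQ2kL9zX3mN7vB1cR5tY6wE0uI4oP2a",
    "Authorization: Bearer " + SAMPLE_JWT,
    "PLACEHOLDER_API_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PASTE):
        print(finding)
```

A hit should be followed by revoking the credential at its issuer, not just by taking the paste down: the token has to be assumed copied by the time it was found.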


Read more: https://www.cloudsek.com/blog/racing-into-danger-advanced-cyber-threats-targeting-formula-1-fans-and-teams-ahead-of-the-dutch-grand-prix