Connect with us

Hi, what are you looking for?



Russia-Linked Hackers Leak Football Doping Files

A group of hackers believed to be operating out of Russia has leaked emails and medical records related to football (soccer) players who used illegal substances.

A group of hackers believed to be operating out of Russia has leaked emails and medical records related to football (soccer) players who used illegal substances.

The group calls itself Fancy Bears and claims to be associated with the Anonymous hacktivist movement. They have set up a website,, where they leaked numerous files as part of a campaign dubbed “OpOlympics.”

“Today Fancy Bears’ hack team is publishing the material leaked from various sources related to football,” the hackers said. “Football players and officials unanimously affirm that this kind of sport is free of doping. Our team perceived these numerous claims as a challenge and now we will prove they are lying.”

The leaked files include emails exchanged between the Fédération Internationale de Football Association (FIFA) and representatives of anti-doping agencies discussing the test results of various football players. The files also provide information on the number of players using illegal substances — without specifically naming any players — and therapeutic use exemptions (TUEs), which allow athletes to take prohibited substances for medical reasons.

The files contain information on several important players allowed to use TUEs at the 2010 World Cup, including Mario Gomez, Carlos Tevez, Juan Sebastian Veron, Dirk Kuyt and Ryan Nelsen. However, the emails dumped by the hackers are dated as recent as June 2017.

Fancy Bear leak

The hackers said they leaked the files to show that more than 150 players were caught doping in 2015, and the number increased to 200 in 2016.

Both the Football Association and FIFA condemned the leak of confidential medical information.

The same hacker group previously targeted the International Association of Athletics Federations (IAAF) and the World Anti-Doping Agency (WADA). The hackers now also described the files as “WADA documents” and some of them appear to originate from the Anti-Doping Administration and Management System (ADAMS). SecurityWeek has reached out to WADA for comment.

Advertisement. Scroll to continue reading.

While the Fancy Bears that took credit for these attacks claim to be hacktivists, researchers have linked the previous leaks to Fancy Bear, a notorious cyber espionage group believed to be sponsored by the Russian government. The threat actor is tracked by various security firms as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The first Fancy Bear leak came shortly after investigations exposed state-sponsored doping in Russia. The latest release may have been triggered by similar events.

“Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organizations. When the Russian athletic team was banned from participating in World Athletics Championships in London, embarrassing IAAF doping reports about major Western athletes were made public,” explained Recorded Future’s Insikt Group.

“As international pressure on Russia intensifies, with open calls to strip Russia of World Cup in 2018 and recent the FIFA investigation into suspected prohibited substance abuse of the national soccer team, today’s release was almost guaranteed to surface,” it added. “The message reads very clear and loud – ‘Dare to touch us, we’ll come after you. Don’t expect us to remain silent and maintain status quo’.”

UPDATE. WADA told SecurityWeek that the leaked files do not originate from its ADAMS system. The organization has provided the following statement:

The World Anti-Doping Agency (WADA) is aware that, today, cyber espionage group ‘Fancy Bear’ once again released information; in particular, confidential athlete data regarding Therapeutic Use Exemptions (TUEs) on its website.


As WADA takes data privacy very seriously, the Agency immediately examined the information; and, was quickly able to determine that it is not housed in WADA’s Anti-Doping Administration & Management System (ADAMS).


Stakeholders can rest assured that ADAMS remains secure.


We take this opportunity to reiterate that the TUE process is a means by which an athlete can obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition. The TUE program is a rigorous and necessary part of elite sport, which has overwhelming acceptance from athletes, physicians and all anti-doping stakeholders worldwide.

This criminal activity undertaken by the cyber espionage group, which seeks to undermine the TUE program and the work of WADA and its partners in the protection of clean sport, is a clear violation of athletes’ rights.

Related: Russian Hackers May Have Manipulated Leaked WADA Data

Related: Attack on Olympics Anti-Doping Agency Linked to Russia

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.