Drafted Into Danger: The Cyber Risks Facing Pro Athletes on the Biggest Day of Their Lives
Every spring, dreams come true on draft night. Cameras flash, families cheer, and young athletes officially step into professional sports. But behind the emotional highs, a quieter danger is growing—one that threatens to derail careers before they begin. Digital threats are no longer just problems for league and front offices—they follow the athletes themselves. While every league faces these risks, the NFL and WNBA have transparently acknowledged the cyber threats targeting incoming players. That visibility allows us to assess the landscape, understand the gaps, and offer solutions.
At Victory Cybersecurity Consulting (VCC), we specialize in bridging that divide—connecting athlete protection with real-world cybersecurity measures. The threats may be digital, but the damage is personal, reputational, and financial.
Why Draft Day Is a Cyber Risk Flashpoint
We’ve written about how athletes are increasingly exposed as brands, influencers, and digital entities. Draft day intensifies every angle of that exposure. Public scouting reports, NIL deals, personal social media, and digital performance analytics converge to create a perfect storm of vulnerability.
Malicious actors know this. They exploit the moment for attention, leverage, or disruption. Prank calls, leaked footage, phishing attempts, and doxxing aren’t just random acts—they’re targeted campaigns with specific intent: clout, extortion, sabotage, or simply chaos.
As athletes shift from college programs to billion-dollar franchises, the protection mechanisms around their data and communications don’t always keep up. The firewalls are strong in the front office. The threats often sneak in through the back door—the player’s inbox, cloud storage, or Instagram DMs.
Case Study: NFL Draft Incidents
Laremy Tunsil (2016)
Just minutes before his name was expected to be called in the top five, a video of Tunsil wearing a gas mask bong appeared on his Twitter account. The post was widely believed to be a form of cyber sabotage—either a hack or a leak by someone with access.
The financial fallout was immediate. Tunsil slid to the 13th pick, costing him millions. Had Tunsil or his team known how vulnerable personal accounts could be on the biggest night of his life, steps could have been taken to secure digital assets better. Cyber awareness isn’t just for executives but for everyone in a player’s circle.
This incident underscores the importance of credential management, multi-factor authentication, and perimeter defense around a player's online footprint. Regardless of how it occurred, the account compromise reflected an adversary’s ability to weaponize digital content for maximum impact. Threat actors understand the timing and influence of draft night, making it fertile ground for psychological manipulation and public spectacle.
CJ Stroud (2023)
Reports emerged that Stroud had scored poorly on the S2 cognitive test, a proprietary assessment allegedly leaked to the media. Whether the leak was accurate or intentional didn’t matter. The damage was done, and the conversation around Stroud turned from performance to data privacy.
This incident wasn’t a hack. It was a breakdown in confidentiality—a league or team-level failure to protect a prospect’s sensitive information. Trust erodes quickly when the systems designed to support athletes turn into liabilities.
The S2 leak demonstrates how insider threats or poor data governance can create reputational risks. Information leakage can result from insecure file sharing, misconfigured permissions, or unvetted third-party access. Athletes are data subjects, and their biometric, cognitive, and medical records deserve the same protections as any enterprise's most valuable IP.
Shedeur Sanders (2025)
On draft night, prank callers reportedly disrupted Sanders’ phone line, mocking and distracting the quarterback during one of the most critical moments of his life. Though not as damaging as a leak, it underscored how even mobile-based harassment can penetrate the draft process.
Again, this was a failure of preparation. Teams and leagues must anticipate that high-profile athletes will be targeted and establish protocols to protect them in real time, not after the fact.
Harassment via voice and text reflects how mobile numbers—often linked to data breaches or leaked via social media—can be exploited on critical days. VoIP spoofing, auto-dialers, and SMS bombing are low-effort, high-disruption tactics. Organizations must consider shielding player communications behind managed contact frameworks during vulnerable windows.
Takeaways from the NFL
The risks don’t live inside team servers—they live in personal phones, shared cloud folders, and group chats.
Cyber sabotage isn’t theoretical; it can cost millions and shape narratives.
Every incident shows how easy it is for a moment of chaos to overwhelm years of preparation.
These incidents reveal the lack of a holistic, player-centric cybersecurity protocol. Individual athletes and inner circles must be trained in digital operational security (OPSEC). Cyber maturity in sports must start with onboarding and extend through an athlete’s career, especially during high-risk transition points like draft day.
Case Study: WNBA Draft Incidents
Paige Bueckers (2024)
In the lead-up to her professional career, Bueckers was granted a restraining order against a persistent online stalker. The harassment wasn’t just invasive—it was traumatic.
For athletes, digital presence is part of their brand, but that brand can become a beacon for bad actors. Even with robust team support, players like Bueckers must remain vigilant about what they share, who they engage with, and what protections they have in place. It’s not an easy task, but it’s a necessary one.
Bueckers' case emphasizes the convergence of physical and cyberstalking. Threat actors in these cases often exploit open-source intelligence (OSINT), cross-referencing public posts with location data, live streams, or digital schedules. Countermeasures should include content timing strategies, privacy education, and digital monitoring tools to detect and report malicious behaviors early.
2025 WNBA Draft Class
A Forbes article outlined growing concerns about online harassment aimed at WNBA prospects. While the league has acknowledged the problem, many players still face digital attacks alone.
Solutions can’t stop at acknowledgment. They must scale from the league to individual players. Draft preparation should include cybersecurity briefings, digital footprint audits, and media risk assessments. Empowering athletes to take control of their digital lives is just as critical as teaching them playbooks.
This class-wide issue illustrates the systemic risk landscape facing female athletes. The digital terrain is increasingly hostile, from impersonation accounts to coordinated hate campaigns. Detection and response capabilities must be embedded in league operations, and CTI should be used to monitor extremist chatter and emerging campaigns across forums, social media, and dark web communities.
Takeaways from the WNBA
The emotional toll of digital harassment is real and directly affects performance and well-being.
League-wide transparency is the first step; it’s time for systematic protection measures.
Players must be equipped with the knowledge and tools to defend themselves—not just on the court but also online.
These incidents reveal a gendered threat environment where visibility makes players more vulnerable, not more empowered. Organizations must incorporate user behavior analytics (UBA) and community-based reporting systems that flag threats and track sentiment over time. The path forward is a layered defense and trust-building between players and league cybersecurity teams.
What Can Be Done: Safeguarding Future Stars
At VCC, we believe cybersecurity should be part of every athlete’s development plan. Whether it’s protecting NIL value, maintaining draft integrity, or mitigating harassment, digital safety is part of modern performance strategy.
For Leagues, Teams, and Agents:
Conduct pre-draft cyber hygiene briefings for athletes and their families.
Enforce secure communications protocols during high-profile events.
Monitor social media and flag impersonation or coordinated attacks in real time.
Establish incident response plans for data breaches or malicious leaks.
How VCC Helps:
Cyber risk assessments of players’ digital profiles and account hygiene.
Training modules for players, agents, and families on privacy, safety, and best practices.
Response services to contain and address cyber incidents during vulnerable transitions like draft week.
Conclusion: Draft Dreams, Digital Nightmares
The draft is supposed to be the beginning, not the end, of an athlete’s journey. But in today’s digital world, a single exploit, leak, or prank can alter that path forever. As teams invest millions in talent, they must also invest in protection. The athlete isn’t just a body on the field—they are a digital asset, a brand, and a future.
Because the biggest threat to a player’s career may not be a torn ACL, it may be a login they forgot to secure.
Cyber incidents surrounding the draft are not isolated—they are symptoms of a broader failure to prioritize athlete data protection as a core element of business operations. Leagues must formalize cybersecurity policy frameworks that include player asset protection, data governance, and intelligence sharing protocols. When players are treated as strategic digital entities, we move beyond defense—we enable sustainable growth and resilience in the sports ecosystem.
References:
ESPN. (2016, April 29). Agent: Laremy Tunsil's hacked Twitter account posted gas mask bong video. https://www.espn.com/nfl/draft2016/story/_/id/15423201/agent-laremy-tunsil-gas-mask-tweet-was-hacked
Sports Illustrated. (2023, April 20). NFL Execs Rip Leaking of Texans QB C.J. Stroud’s S2 Test Results. https://www.si.com/nfl/texans/news/nfl-execs-rip-leaking-houston-texans-qb-cj-stroud-s2-test
ESPN. (2025, April 29). NFL fines Falcons, DC Jeff Ulbrich over Shedeur Sanders prank call incident. https://www.espn.com/nfl/story/_/id/44934516/nfl-fines-falcons-dc-jeff-ulbrich-shedeur-sanders-prank-call
Yahoo Sports. (2024, March 26). Emma Raducanu stalker given restraining order after disruptive behavior at match. https://sports.yahoo.com/tennis/article/former-us-open-champ-emma-raducanu-says-ill-be-okay-after-man-with-fixated-behavior-ejected-from-match-given-restraining-order-223650932.html
Forbes. (2025, April 17). The 2025 WNBA Draft Class Enters A League Preparing To Battle Online Harassment. https://www.forbes.com/sites/lindseyedarvin/2025/04/17/the-2025-wnba-draft-class-enters-a-league-preparing-to-battle-online-harassment/