Million-euro BEC fraud at the Opera di Santa Maria del Fiore
The Opera di Santa Maria del Fiore was involved in a million-euro BEC (Business Email Compromise) fraud. The incident dates back to 2024 but was disclosed only in December of this year, once investigations had concluded, during a press conference held in the Aula Prosperi at the Brescia Police Headquarters.
Attackers diverted payments to a “money mule” IBAN
The Opera was founded by the Florentine Republic in 1296, with the participation of local ecclesiastical authorities, to oversee the construction of the new Cathedral and its Bell Tower. Since 1777 it has managed the Baptistery of San Giovanni and, since 1891, the Museo dell’Opera di Santa Maria del Fiore. In 1998 it acquired non-profit status.
The fraud involved payments related to the restoration of the Eugenian Complex, home to the Studio Fiorentino and the Faculty of Theology founded by Pope Eugene IV in 1435. In August 2024, the Opera authorized two closely spaced bank transfers totaling €1,785,366, intended to settle the invoice with the Veneto-based company contracted for the works. When the creditor company requested information about the payment, suspicions emerged that the transfers had been diverted.
After intercepting the email exchange between the two legitimate parties, the attackers sent the Opera a fraudulent transfer request, providing the IBAN of an account opened by a “money mule” at a bank branch in Sarezzo (Brescia). The individual, a businessman from Lumezzane previously convicted of money laundering, allegedly received a €50,000 reward for allowing the payments to be credited to his company’s bank account.
The case led to the discovery of a large criminal network—structured around cyber fraud, money laundering, self-laundering, and the issuance of invoices for non-existent transactions—which generated at least €30 million in just six months. The laundering and tax-evasion activities were allegedly led by two Italian brothers based in Brescia, who acted as intermediaries between supply and demand, with the support of a crew of individuals of Chinese origin operating mainly in Milan.
The money was laundered through bank accounts in Italy and abroad (China, Luxembourg, Poland, Germany, Spain, Lithuania, Nigeria, and Croatia). It was also redistributed in cash, stored in an apartment in Milan, and transported by couriers (“spalloni”) who delivered it to entrepreneurs struggling to access credit through legitimate channels.
In total, thirteen individuals are under investigation, nine of whom were arrested. During searches, approximately €500,000 in cash was seized. Records also indicate another BEC fraud, worth “only” €15,900, which affected a company in the Czech Republic.
How does the scam work?
BEC fraud is a social engineering attack aimed at deceiving victims through plausible communications based on real facts and data.
The technique it relies on is Email Thread Hijacking, a variant of the MitM (Man-in-the-Middle) attack. Unauthorized access to email exchanges makes it possible to identify threads containing sensitive information about ongoing business dealings, sales transactions, financial operations, and more.
Once the operation of interest has been identified, existing communications are tampered with—or new ones are generated—with the aim of inducing victims to authorize payments to accounts controlled by criminals. This phase has become increasingly effective thanks to the adoption of artificial intelligence agents capable of producing highly credible fake textual and visual content, or of skillfully manipulating authentic material.
Keeping the level of attention high
On the same day the fraud against the Opera di Santa Maria del Fiore was disclosed, Italy’s National Cybersecurity Agency (ACN) reported a campaign targeting organizations based in Italy, aimed at compromising email accounts that are then exploited—via thread hijacking—for BEC fraud.
The criminals had presumably compromised corporate email accounts using credentials stolen through targeted phishing campaigns, or obtained via password spraying or dictionary attacks.
The Agency urges users and organizations to carefully verify received messages and to adopt the following additional measures:
- provide regular training sessions aimed at recognizing phishing attempts and distrusting unexpected communications
- avoid accessing internet links or related external content unless the reliability of the resource is certain
- verify the legitimacy of websites requesting the entry of login credentials
- immediately rotate access credentials for all affected or suspicious accounts, ensuring the adoption of adequate complexity criteria in line with current security policies
- implement and enforce strong authentication mechanisms (Multi-Factor Authentication) for all email accounts, to mitigate the risk arising from the compromise of passwords alone
- thoroughly review email mailbox configurations, with particular attention to identifying and removing automatic forwarding or archiving rules not explicitly authorized by the user
- adopt “out-of-band” verification procedures (e.g., direct phone contact using pre-existing numbers) for any request to change bank details (IBAN), even when the communication appears to originate from trusted counterparts.
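As an added example (not part of the original article or of ACN's guidance), the following Python script applies the mailbox-rule review from the list above to an exported rule set: it flags rules that forward to external domains, silently delete or hide messages, or target payment-related threads. The rule field names, the internal domain and the sample rules are constructed assumptions, not a real export format.

```python
"""Audit exported mailbox rules for the forwarding/hiding patterns used in thread hijacking."""
import re

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domain(s)
# Terms that identify the payment threads a BEC actor wants to watch or hide
PAYMENT_TERMS = re.compile(r"\b(invoice|iban|payment|transfer|fattura|bonifico)\b", re.I)
# Folders rarely opened by users, commonly abused to park diverted messages
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk", "deleted items"}


def audit_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.get("name", "").strip(" .,_-"):
        findings.append("rule name is blank or punctuation only")
    for addr in rule.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    if rule.get("delete_message"):
        findings.append("silently deletes matching messages")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves messages to unusual folder '{rule['move_to_folder']}'")
    # Only escalate keyword/read-status details when the rule already does something suspicious
    keywords = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", []))
    if findings and PAYMENT_TERMS.search(keywords):
        findings.append("targets payment-related threads")
    if findings and rule.get("mark_as_read"):
        findings.append("marks messages read so the owner does not notice them")
    return findings


def audit_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule name to its findings; clean rules are omitted."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}


# Constructed sample export for one mailbox (hypothetical field names, not real data)
SAMPLE_RULES = [
    {"name": "Newsletter", "subject_contains": ["weekly digest"], "move_to_folder": "Newsletters"},
    {"name": ".", "subject_contains": ["invoice", "IBAN"], "forward_to": ["acct@webmail-example.net"],
     "delete_message": True, "mark_as_read": True},
    {"name": "Archive supplier", "body_contains": ["bonifico"], "move_to_folder": "RSS Feeds"},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"[{name!r}] " + "; ".join(findings))
```

The same checks map directly onto the rule objects returned by a mail platform's admin API; only the field names need adapting.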
TS-Intelligence

The information reported is the result of the collection and analysis work carried out by the specialists of Telsy’s Threat Intelligence & Response team with the support of the TS-Intelligence platform, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.
It is available as a web-based and full-API platform, designed to be integrated into the organization’s systems and defensive infrastructures, with the goal of enhancing protection against complex cyber threats.
The platform’s continuous research and analysis on threat actors and emerging online threats—whether APTs or cybercrime—produces a constant stream of exclusive intelligence, delivered in real time and structured into technical, strategic, and executive reports.
Discover more about our Intelligence services.
