When Masterpieces Become Vulnerable: The CEO Fraud at the Uffizi and the Louvre’s Lesson

17 February 2026

One email, one wire transfer, 1.8 million euros vanished into thin air. The story of how digital criminals robbed the cultural heart of Florence.

It’s August 2024. Fabrizio Lucchetti, director of the Opera di Santa Maria del Fiore, is overseeing restoration work on the Eugeniano Complex, just steps from the Duomo. An ambitious, necessary project requiring considerable investment. The Opera—the ancient institution founded in 1296 that has safeguarded Florence’s architectural jewels for seven centuries, from the Cathedral to Giotto’s Bell Tower, from the Baptistery to the Opera Museum—has signed a contract with a construction company for 1.8 million euros. Everything is proceeding according to plan. Or so it seems.

Emails flow back and forth between the Opera and the company. Invoices, bank details, payment instructions. Apparently legitimate communications, but concealing a sophisticated deception. Because those emails are actually being intercepted. In the digital silence, someone is reading every message, studying every detail, waiting for the right moment to strike.

When it’s time to make the wire transfer, the Opera receives the account details for transferring the funds. Nothing seems unusual. The payment is authorized: 1,785,000 euros leave the Florentine institution’s coffers. But that money will never reach the creditor company. Instead it ends up in an account registered to a front man from Brescia with a criminal record, managed by a criminal organization that has turned digital theft into a 30-million-euro industry in just six months.

Anatomy of a Perfect Deception

What the Opera di Santa Maria del Fiore fell victim to is a scam known as “man in the middle” or “business email compromise” (BEC), the modern evolution of the classic CEO fraud.
The mechanism is diabolically simple and effective: criminals insert themselves into email communications between two legitimate parties—in this case the Opera and its suppliers—intercepting messages and modifying them at the opportune moment.

The investigation by the Brescia Mobile Squad, launched in March 2025 following the Opera’s complaint, revealed a sophisticated criminal system.
At the center of the mechanism, two Italian brothers acted as intermediaries, connecting companies needing access to cash with a network composed primarily of Chinese, Italian, Nigerian, and Albanian nationals.

An apartment in Milan, registered to a Chinese woman, served as a “cash storage center.” Companies multiplied, wire transfers were diverted, money was laundered through fictitious operations.

The raid led to the detention of nine people and the seizure of over 700,000 euros in cash. A tenth suspect remains at large. But most of the money stolen from the Opera—approximately 1.4 million of the original 1.8—remains dispersed within a transnational criminal network.

From the Florentine Renaissance to the Louvre: When Digital Security Fails

The fraud at the Opera di Santa Maria del Fiore is not an isolated case. A few months later and a few hundred kilometers away, the world’s most visited museum experienced its own security debacle on October 19. Four men disguised as construction workers stole French Crown jewels, valued at 88 million euros, from the Louvre’s Galerie d’Apollon. Seven minutes of action in broad daylight, four minutes inside the museum, and the thieves vanished into the streets of Paris on two scooters.

While French authorities desperately tried to save face, an embarrassing detail emerged that transformed a daring heist into a cybersecurity farce. The password to access the surveillance system of the world’s most prestigious museum was, simply, “Louvre.” Not a complex combination, not an encrypted system. Just the museum’s name.

A 2014 audit by the French cybersecurity agency had already flagged the critical issue. The password was “trivial,” the software obsolete, the systems inadequate. Even the software provided by Thales was protected by the password “Thales.” For over a decade, these vulnerabilities were ignored while the museum invested 169 million euros in art acquisitions and scenic renovations, versus just 87 million in maintenance and security. Only 39% of the galleries were covered by surveillance cameras.

The parallel between Florence and Paris is disturbing. Two cultural institutions of global significance, custodians of priceless heritage, fell victim to digital vulnerabilities that could have been prevented. In the Louvre’s case, ridiculously simple passwords and obsolete systems. In the Opera di Firenze’s case, unprotected email communications and inadequate verification procedures.

Deception Runs on Invisible Networks

BEC fraud has become one of the most profitable tools of global cybercrime.
According to the FBI, between 2016 and 2024 this type of fraud caused losses exceeding $50 billion worldwide. Victims include companies of all sizes, public entities, and nonprofits. Even cultural institutions, traditionally less focused on cybersecurity, are paying an increasingly high price.

The mechanism is insidious because it exploits trust. There’s no need to hack complex systems or write sophisticated code. You just need to intercept communications—often through targeted phishing or email account compromise—observe payment flows, wait for the right moment, and insert false bank details. The emails appear authentic because they often are: they come from the legitimate accounts of the parties involved, compromised without the victims’ awareness.

In the Opera di Firenze case, the criminals demonstrated meticulous patience. They studied the projects, understood the procedures, intercepted communications. Only when the moment was ripe—when a significant wire transfer was about to be authorized—did they replace the bank details with those of the account controlled by the organization. A surgical operation, invisible until it was too late.

The Weak Link: The Human Factor

The Louvre’s director, Laurence des Cars, candidly admitted the “weaknesses” in the museum’s perimeter security after the theft. But the real weakness, both in Paris and Florence, was the superficial approach to digital security. Having cameras isn’t enough if the password to access them is “Louvre.” Having payment procedures isn’t enough if you don’t verify bank details through channels other than email.

The problem is cultural before it’s technological. Too many organizations, especially in the cultural and public sectors, view cybersecurity as a bothersome cost rather than a necessary investment. Staff training is neglected. Verification procedures are considered bureaucratic and time-consuming. IT security budgets are sacrificed in favor of more “visible” projects.

Yet, as the Florence and Paris cases demonstrate, the consequences of this negligence can be devastating. Not only financially—the Opera lost nearly two million euros, the Louvre priceless jewels—but also in terms of reputation and credibility. The damage to their image is incalculable.

The Response: A Conscious Digital Posture

After discovering the fraud, the Opera di Santa Maria del Fiore immediately reported the incident, actively cooperating with authorities. The promptness enabled an investigation that led to the arrest of nine people and partial recovery of the funds. But the lesson is clear: post-incident response isn’t enough. Prevention is needed.

Organizations must adopt stringent verification protocols for every financial transaction. Confirm bank details through multiple channels—not just email, but also phone calls to known numbers, messages on alternative platforms. Implement multi-factor authentication for all email accounts and sensitive systems. Use complex passwords, change them regularly, never use obvious or predictable terms.
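The verification protocol described above, expressed as a payment-release gate, is an added example and not the Opera’s or Cyber Guru’s own procedure. The vendor master record, the 100,000-euro dual-approval threshold and the sample IBANs (the standard Italian and British example IBANs) are constructed assumptions; the gate blocks any payment whose bank details differ from the details captured at onboarding unless the change was confirmed through a channel other than email.

```python
"""Payment-release gate against BEC/invoice fraud (added example; names, threshold
and IBANs are assumptions, not the Opera's or Cyber Guru's own procedure)."""
from dataclasses import dataclass
from typing import Optional


def normalize_iban(iban: str) -> str:
    return "".join(iban.split()).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check. Catches typos and malformed account numbers,
    but NOT a well-formed account that belongs to a fraudster."""
    s = normalize_iban(iban)
    if len(s) < 15 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                              # move country+check to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(digits) % 97 == 1


@dataclass
class VendorRecord:
    name: str
    iban: str  # bank details captured at onboarding through a verified channel


@dataclass
class PaymentRequest:
    vendor: str
    amount_eur: float
    iban: str                       # bank details as printed on the latest invoice/email
    oob_confirmed: bool = False     # change confirmed by phone to the number on file?
    second_approver: Optional[str] = None


# Constructed vendor master record (sample IBAN is the standard Italian example).
SAMPLE_VENDORS = {"Costruzioni SpA": VendorRecord("Costruzioni SpA", "IT60 X054 2811 1010 0000 0123 456")}


def release_decision(req: PaymentRequest, vendors: dict, dual_threshold_eur: float = 100_000.0):
    """Return ("RELEASE", []) or ("BLOCK", [reasons]). Every reason is a control the
    Opera case shows is needed: details on file, out-of-band confirmation, four eyes."""
    reasons = []
    if not iban_checksum_ok(req.iban):
        reasons.append("IBAN fails checksum")
    rec = vendors.get(req.vendor)
    if rec is None:
        reasons.append("vendor not in master record")
    elif normalize_iban(req.iban) != normalize_iban(rec.iban):
        # The Opera scenario: right vendor, right amount, swapped account.
        reasons.append("bank details differ from vendor master record")
        if not req.oob_confirmed:
            reasons.append("change not confirmed out of band (phone to known number)")
    if req.amount_eur >= dual_threshold_eur and not req.second_approver:
        reasons.append("amount requires a second approver")
    return ("BLOCK" if reasons else "RELEASE", reasons)
```

A swapped IBAN on an otherwise legitimate invoice is blocked twice over (details differ from the record, no out-of-band confirmation), and a large amount is held until a second person approves it.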

But above all, training is needed. Staff must be trained to recognize the signs of a possible scam: emails requesting urgency, requests to change bank details, communications that seem legitimate but contain subtle anomalies. Vigilance must become second nature.

Investing in Digital Culture

The Florence and Louvre cases demonstrate that no institution, however prestigious, is immune to digital threats. Criminals don’t distinguish between multinationals and museums, between banks and cultural foundations. In fact, cultural organizations are often easier targets precisely because they’re less equipped to defend themselves.

Digital security is no longer optional.
It’s as fundamental a necessity as fire insurance or physical alarm systems. It requires investment, certainly, but the cost of a robust IT security system is infinitely lower than the potential damage from a breach.

And it requires a mindset shift. Cybersecurity cannot be relegated to an isolated IT department. It must permeate the entire organization, from leadership to operational staff. Every person who uses a computer, manages emails, or authorizes payments is potentially the first line of defense—or the first weak link.

The Opera di Santa Maria del Fiore, custodian of Renaissance masterpieces, and the Louvre, temple of world art, have paid a high price for this lesson. But their experience can serve as a warning. In an increasingly digitized world, where transactions travel on invisible networks and criminals operate beyond all borders, digital training remains the best defense against increasingly widespread and sophisticated attacks.

Because in the end, whether it’s ridiculously simple passwords or intercepted emails, the greatest vulnerability always remains the same: unverified trust. And in an era where digital deception has become a billion-dollar industry, verification has become vital for the very survival of organizations.
