Uffizi under hacker blackmail, works in vaults and doors bricked up

The Public Prosecutor's Office, together with the Postal Police and the National Cybersecurity Agency, has been investigating for weeks the offences of attempted extortion (ransomware) and unauthorised access to computer systems.

Updated on 3 April at 12:25

Visitors admire the masterpieces on display at the opening of the rooms dedicated to the Italian Renaissance artist Andrea del Sarto at the Uffizi Museum, on 16 October 2024 in Florence, Italy. (Photo by Roberto Serra - Iguana Press/Getty Images)

3' min read

Translated by AI

A ransom demanded by hackers. The Medici grand ducal treasure rushed into the Florentine vault of the Banca d'Italia. Doors walled up for greater defence. And maximum confidentiality demanded of the staff. The Uffizi Galleries, one of the world's largest and most famous treasure troves of artistic heritage, are in the trenches to fend off the consequences of the cyber attack of last February, a raid that thoroughly penetrated the defences of Italy's most important museum and may have been preceded by a more devious incursion in the summer of 2025. There is also talk of the theft of passwords and the security plan, but the museum denies such decisive consequences.

The museum: "No damage was done and no theft occurred"

If anything, as a result of the computer blitz, the Uffizi is facing a demand for payment of a sum - a request from the hackers that reportedly arrived directly on the mobile phone of director Simone Verde - in exchange for not selling the allegedly stolen sensitive data to anyone on the dark web. But so far, says the museum, largely dismantling the reconstruction of the affair that has emerged, "no damage has been done nor has any theft been carried out" and "there is no evidence of any kind regarding the hackers' possession of security maps".

Where the hackers operated

The weak point exploited by the hackers to gain access to the sensitive data stored on the servers is reported to be a programme accessible from the institutional website, i.e. software that manages the flow of low-resolution images. From there the hackers allegedly worked their way back to the Galleries' servers hosting the databases, like a 'hole-in-the-wall gang' that gets into banks and jewellery stores through the sewers to rob them, in this case in digital ecosystems.

The investigation

The Public Prosecutor's Office, together with the Postal Police and the National Cybersecurity Agency, has been investigating for weeks the crimes of attempted extortion (ransomware) and unauthorised access to computer systems. ACN experts have also arrived in Florence in recent months: a team has been working with the museum's IT technicians to identify how the hackers got in, to clean up the servers and to secure the computer systems. The investigation was opened as a file against unknown persons, and one of its objectives is to establish where the perpetrators came from, whether they were based abroad and in which geographical area.

Because of the breach, the great Florentine museum complex - which extends from the Galleries to the Vasari Corridor, Palazzo Pitti and the Boboli Gardens - has slowly and discreetly turned into a besieged "fortress". The Uffizi also explain that the transfer of the "Medici treasure" to Bankitalia's basement is due to the "building site whose tender was launched in September" - and thus not to the cyber attack - and emphasise that the pieces of the grand ducal collection "had to be cleared out in any case in view of the start of the work", while "the first phone calls on the matter took place between the Uffizi and Banca d'Italia in the autumn".

Basically, a prudential move to a safe place. 'We are not the Louvre', claims the gallery, 'the cameras had been being replaced for a year', 'the situation was nothing like the Louvre'. The Uffizi also explain that some of the 'walled doors', visible even to visitors, are 'safeguards required by the fire-fighting plan', while others serve 'to avoid excessive permeability of spaces in buildings dating back to the 1500s'.

Be that as it may, there is a certain fear of a more material, physical attack, even though the surveillance is 24 hours a day, seven days a week, and armed (so it has been for centuries).

The political effects

In the political arena, the PD in the Chamber of Deputies asked the Minister of Culture, Alessandro Giuli, to urgently clarify how much the MiC spends on cybersecurity to protect cultural institutions. And the mayor, Sara Funaro, expressed her closeness to director Verde, 'who is managing a very complex moment', and offered support in whatever the municipality could do for the Uffizi.

The Postal Police report

The numbers tell the story of the phenomenon: 51,560 cases, with 293 arrests, 7,590 persons reported and 2,157 searches. These are the numbers contained in the Postal Police report referring to the year 2025. Cybercrime of an economic-financial nature confirmed its presence with 27,085 cases handled and sums stolen exceeding 269 million euro. Finally, 9,250 computer crime events were handled, targeting critical infrastructures, public entities, companies, and private individuals, testifying to the constant pressure on the national cyber perimeter.
