A colossal digital archive, estimated at roughly 2.3 terabytes, has appeared in the darkest corners of the web. A malicious actor claims to possess it and points the finger at Almaviva and a wide range of companies in the Ferrovie dello Stato Italiane Group. The loot, published on a hidden service in the Tor network, is being offered as a trophy of a successful compromise. What emerges from the initial analysis of the material is not a simple breach, but a potential information hemorrhage of national significance.
The incident and the communication from Almaviva SpA
The first instinctive reaction to news of this kind is to look for a precedent. And there is indeed one: the 2022 attack carried out by the Hive ransomware group, which hit Almaviva and exposed RFI data. One might have assumed this was a rehash of that material, a resale of stale data. But the initial technical analyses refute this hypothesis.
The company released an official statement on the matter.
“In recent weeks, our security monitoring services identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data.
Almaviva immediately activated security and countermeasures through its specialized team for this type of incident, ensuring the protection and full operation of critical services.
At the same time, the relevant authorities—the Public Prosecutor’s Office, the Postal Police, the National Agency for Cybersecurity, and the Italian Data Protection Authority—were informed, and close collaboration is underway with them, our partners, and other relevant entities to ensure maximum coordination in monitoring, investigation, and response activities,” Almaviva stated.
The initial hypothesis of a rerun of the 2022 Hive attack quickly dissipated in the face of the company’s statement and the evidence of the timestamps. The file metadata points to a more recent data leak, with operational, fiscal, and administrative documents updated as late as October 2025. But it is the nature and sensitivity of the content that is astonishing.
“The functionality and services of the affected systems remained fully operational, thanks to the business continuity measures and procedures specifically designed for this type of scenario.
Data security and the protection of our customers, partners, and collaborators remain our top priority, and we will ensure, without prejudice to the confidentiality of ongoing investigations, that we promptly communicate any relevant developments in compliance with the principles of responsibility and transparency,” the company concludes.
The Criminals’ Claims
According to the claim, the collection was taken from the companies’ network shares (the “shared folders” used to exchange files between workstations on the same intranet).
Examining the directory tree and file names made public by the threat actor, a consistent and recent chronology emerges. This freshness of information is the detail that turns an alarm into a potential emergency.
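The triage step described above can be made mechanical: parse the listing the actor published, measure how much of it postdates the earlier incident, group it by year and by originating file server, and flag paths whose names carry the sensitivity markers the article mentions. The following is an added example, not code from the article, from Almaviva, FS, or the leak site; the listing, the host names FILESRV01 and FILESRV02, the marker list and the listing format are constructed assumptions, and the cutoff date is the 2022 Hive incident rounded to year end.

```python
"""Leak-listing triage: date a dump from its directory listing before trusting a claim.

Added example, not code from the article or from any party named in it. The
listing, host names and marker strings below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample listing, assumed "<UNC path>\t<YYYY-MM-DD>\t<size in bytes>" format.
SAMPLE_LISTING = """\
\\\\FILESRV01\\Shared\\HR\\personale_2025.xlsx\t2025-10-14\t2341122
\\\\FILESRV01\\Shared\\Legal\\NDA_progetto_CONFIDENTIAL.pdf\t2025-09-30\t88214
\\\\FILESRV01\\Shared\\Finance\\bilancio_2024.pdf\t2025-03-02\t120455
\\\\FILESRV02\\Archive\\backup_2021.zip\t2021-11-08\t9912233
\\\\FILESRV01\\Shared\\IT\\INTERNAL_USE_network_map.vsdx\t2025-10-02\t55010
"""

# Earlier incident the dump is compared against (the 2022 Hive case, rounded to
# year end): a file modified after it cannot come from a pure rehash of that leak.
PRIOR_INCIDENT = date(2022, 12, 31)

# Filename markers that flag sensitive material; an assumed list, extend per case.
SENSITIVE_MARKERS = ("CONFIDENTIAL", "INTERNAL_USE", "NDA", "RISERVATO", "PASSPORT")


@dataclass(frozen=True)
class Entry:
    path: str
    mtime: date
    size: int

    @property
    def host(self) -> str:
        """UNC path \\\\HOST\\share\\... -> HOST; anything else reports '<local>'."""
        if self.path.startswith("\\\\"):
            return self.path[2:].split("\\", 1)[0]
        return "<local>"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_listing(text: str) -> list[Entry]:
    """Parse tab-separated listing lines; malformed lines are skipped, never guessed."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        try:
            entries.append(Entry(parts[0], date.fromisoformat(parts[1]), int(parts[2])))
        except ValueError:
            continue
    return entries


def triage(entries: list[Entry], cutoff: date = PRIOR_INCIDENT) -> dict:
    """Summarise how fresh and how sensitive a listing is.

    Caveat: a modification time survives a copy only if the copier preserved it,
    and an actor can set it freely, so a 'fresh' verdict is a lead to corroborate
    against the dates inside the documents themselves, not proof on its own.
    """
    if not entries:
        return {"files": 0}
    newest = max(e.mtime for e in entries)
    fresh = [e for e in entries if e.mtime > cutoff]
    by_year = Counter(e.mtime.year for e in entries)
    # Match markers against the file name only, so share or folder names do not trigger.
    sensitive = [e.path for e in entries
                 if any(m in e.name.upper() for m in SENSITIVE_MARKERS)]
    return {
        "files": len(entries),
        "newest_mtime": newest.isoformat(),
        "files_after_cutoff": len(fresh),
        "share_of_fresh": round(len(fresh) / len(entries), 2),
        "by_year": dict(sorted(by_year.items())),
        "hosts": sorted({e.host for e in entries}),
        "sensitive_paths": sensitive,
        "postdates_prior_incident": newest > cutoff,
    }


if __name__ == "__main__":
    for key, value in triage(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key}: {value}")
```

The report answers the question the article asks (is this old material resold, or something newer?) with a number rather than an impression: the fraction of files modified after the prior incident, and the newest date seen. The caveat in `triage` is the one a practitioner should keep in mind: timestamps in a listing are the actor's to set, so the verdict must be cross-checked against dates embedded in the documents before anyone calls the intrusion persistent.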
In his claim, the criminal describes a war chest consisting of shared corporate repositories, confidential technical documentation, public administration contracts, entire personnel archives, and financial datasets.
The dataset, meticulously organized into folders reflecting the group’s structure, contains not only the usual compressed archives, but also directly exposes the original folders and their contents. The platform used by the criminals is a Tor-based web app built with Vue.js technology and Naïve UI for the interface. The compromise affects the operational and strategic core of the companies. Among the files, documents marked “INTERNAL USE,” “CONFIDENTIAL,” and “EXCLUSIVE” stand out, along with communications covered by professional secrecy and attorney-client privilege.
There are contracts and non-disclosure agreements (NDAs) linking Almaviva to high-profile clients, such as the MINISTRY OF DEFENSE and the ITALIAN AIR FORCE, with specific references to projects like “Venus” in collaboration with companies like Vitrociset and Leonardo. Trade secrets, accident reports, legal documents, and bank and financial records were reportedly exfiltrated.
The leak reportedly contained passenger data, complete with passport numbers, and a huge amount of information on the personnel of nearly all companies in the FS group, from Mercitalia to Rete Ferroviaria Italiana, from Trenitalia to Italferr.
For employees, data such as full names, email addresses, telephone numbers, job titles, salaries, and identification codes were exposed.
The conclusion drawn from the facts is that we are not witnessing the reuse of an old incident. The precise evidence of such recent and operational information paints a different and more insidious compromise scenario: a persistent and long-undetected infiltration.
The incident, which affects a cornerstone of national infrastructure, undoubtedly raises important questions about the security of the state’s technology supply chain, especially in light of the ECB having recently commissioned the development of the app that will manage the newly created Digital Euro.