National Cybersecurity Agency: cyberattacks in Italy, +53% events in the first half of 2025, in-cidents with impact double, but detection and response capacity is growing.

In the first half of 2025, Italy recorded an increase in cyber events and incidents. According to data published by the National Cybersecurity Agency (ACN), with theH1 2025 Operational Summary - PDF, 1,549 cyber events were recorded, marking an increase of 53% compared to the same period in 2024. Of these, 346 were classified as accidents with confirmed impact, almost double (+98%) compared to the previous year.

 

The increase is linked to a growing effectiveness of detection capabilities by the CSIRT Italia (Computer Security Incident Response Team), also enhanced by the entry into force of Law No. 90 and Legislative Decree No. 138 of 2024. According to the ACN, distributed denial of service (DDoS), data exposure and phishing campaigns weigh the most.

Among the most targeted sectors are the local Public Administration, the Central Public Administration and the Telecommunications sector. A wave of spearphishing targeted the telco sector in April, while a breach at a web service provider involved numerous local authorities in March. The central PA, on the other hand, has been hit mainly by DDoS attacks and phishing campaigns.

 

In the first half of 2025, 91 ransomware attacks were recorded, in line with 2024 (92 attacks). The most serious episodes involved universities, the health and energy sector, digital suppliers for the PA, whose operations were compromised in February, with knock-on effects on other operators.

 

DDoS attacks rose by 77%, from 336 in the first half of 2024 to 598 in 2025. The campaign conducted by pro-Russian actors in June was particularly intense, lasting 13 days and with 275 attacks against 124 targets. Although the impacts were mostly contained, the CSIRT played a decisive role in mitigating the disruptions.

1,530 phishing URLs were detected, with a significant campaign in the energy sector in May. On the data exposure front, 186 episodes were reported (compared to 91 in 2024), with data leaks from streaming platforms, e-commerce and public administrations. The theft of bank credentials put up for sale on illegal circuits is also worrying.

Active monitoring identified 638 IPs exposed to critical vulnerabilities on Citrix NetScaler (such as CitrixBleed 2) and over 1,977 compromised devices belonging to botnets such as IcedID, Smokeloader and Bumblebee. In March, 1,245 Italian video surveillance devices were detected as part of the Eleven11bot DDoS botnet.

 

CSIRT Italy issued 23,144 early warning notices (+9% compared to 2024), promptly alerting affected or vulnerable individuals. In addition, 329 technical notices were published on the official portal, containing countermeasures to mitigate threats. The picture drawn by the ACN photographs a first half of 2025 marked by an intensification of cyber threats, with increasingly targeted and sophisticated attacks. The strengthening of monitoring and prevention activities appears to be increasingly central to the defense of the country's digital security.