Cyber Threat Actor: Anonymous Italy

Anonymous Italy, also known as Anonymous Italia and LulzSec ITA, is a hacktivist collective based in Italy that operates under the broader Anonymous banner. The group has claimed responsibility for a variety of intrusions targeting Italian institutions across multiple sectors, including healthcare, education, telecommunications, political parties, military veterans’ organizations, banking, and government agencies. Their activities have been reported in cities such as Milan, Naples, Rome, Basilicata, and Emilia‑Romagna, indicating a national focus rather than a specific regional concentration.

The collective’s tactics frequently involve exploiting outdated web technologies and leveraging simple injection flaws, as evidenced by the use of SQL injection payloads like index.html?idpg= to gain access to databases. They have taken advantage of plaintext credential storage, as noted in the San Raffaele hospital incident, and have published stolen data—including names, tax codes, email addresses, usernames, and passwords—on platforms such as Mega, Privatebin, and ghostbin. Communication and publicity are conducted primarily through Twitter accounts associated with LulzSecITA and Anonymous Italia, where they announce operations using hashtags such as #OpSafePharma, #NessunDorma, and #OpBankDump, and they have also employed DDoS attacks against regional government portals in connection with the Trans Adriatic Pipeline project.

Notable campaigns attributed to the actor include the 2024 data leak from Milan’s San Raffaele hospital, the 2020 breach of three Italian universities in Basilicata, Naples, and Rome, and the 2019 exposure of Lyca Mobile customer data comprising identification documents and financial records. Additional operations involve the 2019 dump of Partito Democratico databases, the 2018 release of personal details of Italian veterans, the 2018 disruption of Enac systems, and the 2016 compromise of the primodominio.it domain provider linked to ENAIP. These actions are consistently framed by the group as efforts to highlight security deficiencies, protest specific policies, and demand greater accountability from public and private entities. The actor’s activities remain documented through social media posts and the public release of leaked datasets.