The investigation into the cyberattack that struck the Grandi Navi Veloci ferry Fantastic in December 2025 is entering a new phase and taking on a fully international dimension. In early January 2026, the Genoa Public Prosecutor’s Office ordered further seizures of IT material in Latvia. The operation was carried out within the framework of European judicial cooperation with Eurojust, which is coordinating between national authorities, and represents a key step in reconstructing the technical chain behind the attack.
According to investigators, the malicious software was allegedly installed on the IT systems located on the bridge of the Gnv Fantastic, one of the ro-pax vessels in the Gnv fleet deployed on international Mediterranean routes. Investigators are examining whether the material seized in Latvia can be linked to the development phase of the malware or to tools used to introduce it into onboard systems, a hypothesis that strengthens the theory of a planned, rather than isolated, action.
The case began when Grandi Navi Veloci detected anomalies in the ferry’s IT systems during routine ship-to-shore communications. Based on the investigative reconstruction, technical checks reportedly led to the identification of malware capable of enabling unauthorised remote access, with potential implications for navigation and control systems. Following these findings, Gnv filed a formal complaint, triggering the investigation coordinated by the Genoa Public Prosecutor’s Office.
From the earliest stages, investigators focused on the Fantastic’s critical systems, considered particularly sensitive both for navigational safety and for the overall management of onboard operations. The working assumption is that the attack required advanced technical expertise and direct knowledge of the vessel’s IT architecture, an element that prompted investigators to explore possible links with individuals and operational infrastructures abroad. The extension of the investigation to Latvia stems precisely from the analysis of digital flows and devices already acquired during searches conducted in Italy and other European countries.
During the checks, Gnv stated that it had promptly identified and neutralised the intrusion, with no operational consequences for services or for the safety of passengers and crew. However, judicial authorities are continuing to examine the nature and objectives of the attack, assessing whether the incident may form part of a broader pattern of cyber threats targeting the maritime sector and transport infrastructure.
