Victim of crypto ransomware? Here’s what to do

In recent days, the mainstream news channels, quite sensationally, have reported the hacking of a number of institutional websites, Italian and other, which hackers from all over the world allegedly executed by resorting to crypto-ransomware.

Not surprisingly, the Italian tax authorities have also raised the issue of ransomware just days before the attack.

They did so in a response to interpello, No. 149/2023, expressing an opinion on the tax consequences of a case where a company, a victim of crypto-ransomware, was forced to pay a substantial “ransom” to regain possession of data that is essential to the operation of the business.

The unfortunate taxpayer, a victim of this extortion, approached the Italian tax authority (Agenzia delle Entrate) with a questionnaire, asking whether the costs he was forced to incur were deductible. That is, whether tax must be paid even on the amounts paid to the extortionists.

The taxpayer company (a victim of this crime), in seeking clarification from the Agenzia delle Entrate, argued in detail why, in its view, what it paid to the extortionists should not be included in the calculation of the company’s taxable income.

Despite the taxpayer company’s arguments, however, according to the tax authorities, these costs could not be deducted from the total income which determines the formation of the tax base on which taxes, and in particular IRES and IRAP, are applied.

Let’s try to better understand why and under what conditions.

The tax treatment of crypto ransomware

Let’s start from a primary point: the reasoning of the company that formulated the question is based on very serious arguments that, on a strictly legal level, deserve to be shared.

Central to this reasoning is the fact that Italian law, in cases involving the commission of crimes, excludes the possibility of deducting the costs. However, this preclusion applies only to those costs which are mainly incurred by committing the crime.

This is the question of so-called “crime costs”.

Now, as is known, the Italian legal system also subjects to taxation income received as a result of offences, including criminal offences (art. 14 co. 4 Ln 537/1993).

Nevertheless, it expressly excludes costs incurred as a result of the commission of a crime from being deductible (art. 14 co. 4 bis Ln 537/1993), regardless of whether the commission of the crime results in taxable income.

The scope of this exclusion faces some limitations, due to some provisions that have subsequently intervened, adjusting the focus of the operation of this principle.

Article 2 DL 16/2002 determined that this preclusion only applies to costs “directly used to perform acts or activities that qualify as a non-negligent crime” whereas previously it included costs arbitrarily and generically “attributable to facts, acts or activities that qualify as a crime.”

Consequently, the inability to deduct costs today covers only cases of malicious (non-negligent) crimes and not cases of negligent crimes.

In order for the deduction ban to be triggered, it is also a prerequisite that the prosecutor has prosecuted the case or, alternatively, that the judge has issued a prosecution decision, or even that a ruling has been made that there is no prosecution due to the limitation period.

Conversely, in the event of an acquittal, the deduction ban subsequently disappears, and thus the taxpayer accrues the right to be reimbursed for any taxes that he or she may have paid in the meantime as a result of a lack of deductions for such costs and associated interest.

It is worth mentioning that the Italian tax authority itself, in Circular No. 32/E of 2012, clarified that “crime costs” are not deductible only for those individuals who have committed the crime or in whose interest the crime was committed.

These are the general regulations. Turning to the specific case submitted to the tax authority, it must be taken into account that the account given by the taxpayer sets out several facts of particular relevance.

The first is that the crypto-ransomware, according to what the taxpayer writes in its request, made unavailable (by blocking access, encrypting or deleting them) documents and data crucial to the company’s operations.

The second is that the disclosure of confidential business data, also crucial to the life of the company, was threatened.

A third relevant circumstance is that the victim of the blackmail, before arriving at the decision to pay the ransom, reportedly tried to find a way to recover the data and stop the cyberattack by reporting the matter to the authorities and looking for technical solutions suitable for the purpose (even if it is not clarified exactly what kind of solutions these were), but was unable to find any.

Therefore, according to the representation given by the taxpayer, the cryptocurrency payment was, on the one hand, an unavoidable cost. On the other hand, it was undoubtedly functional to achieving the twofold objective of restoring access to the stolen documents and data and preventing the dissemination of the confidential data, which was potentially damaging to the company.

The Italian tax agency (Agenzia delle Entrate), despite all this, refuses to allow the deduction of these costs.

Why does the tax authority refuse to deduct these costs from the tax base?

The basic justification for this refusal lies in the fact that, in the case presented by the taxpayer, there was, in the tax authority's view, no conclusive evidence that the costs were incurred in connection with transactions that could contribute to the generation of income.

In other words, the tax authorities do not deny that, if one is exposed to blackmail using crypto-ransomware that has a direct effect on the economic activity carried out, the costs incurred to avoid or limit the damage of the criminal act are deductible.

However, it claims that it is the responsibility of the taxpayer to prove that the costs incurred are closely related to the business being run.

And in the case at hand, according to the Agenzia delle Entrate, the company making the request did not sufficiently document the fact that the cash costs incurred for the purchase of Bitcoin first, and the transfer of Bitcoin later, were “closely linked to remuneration for a factor of production (the services that the hackers allegedly have undertaken to perform).”

It also adds that the mere fact that the cost was accounted for in various risk provisions is not in itself sufficient to provide such evidence.

Although it is not possible to know how the company that submitted the interpellation actually documented the existence of the threat, the nature of the threat itself, and that the costs were closely related to the payment of the ransom, the interpellation answer points out that a complaint to the authorities (presumably, to the judicial authority) was reportedly filed.

Unless the point lies in the fact that the circumstances of the filing of the complaint were not documented, it seems that for the tax authorities even this is not sufficient to prove the connection (and therefore the inherence) of the costs incurred as a victim of ransomware extortion.

Therefore, it is clear that in the unfortunate event that one ends up as a victim of such a crime, it is most advisable to be prepared and put oneself in a position to document, in an extremely strict and timely manner, the facts and the direct connection between the extortion inflicted, the impact on the activity carried out and the costs incurred, if one does not want to risk, in addition to the injury, the insult of having to pay tax on the ransom.

The ways of documenting the extortion, the connection between the costs incurred to defend against it and, ultimately, the inherence of these costs to the economic activity carried out can, at the practical level, be the most diverse, and obviously depend on the specific situation.

These can be screenshots of the hackers’ messages, to document the threat and the address of the wallets to which the ransom should be transferred (provided that the attacked systems allow it). They can also be reports from digital forensics experts who are able to document the extent of the damage and the practical consequences of the attack, and possibly also to reconstruct the steps taken to convert fiat money into cryptocurrencies and the subsequent transfer to the criminals’ wallet itself through reverse chain analysis. Among these, however, the fact that a report has been submitted to the judicial or police authorities describing and detailing the facts should be primary evidence to establish that extortion has taken place and that the costs of the extortion are directly related to the business activities carried out.

The assessment of ways of proving the facts and the functional relationship between the costs incurred as a result of the crime and the economic activity carried out certainly requires a careful assessment on a case-by-case basis, even with the support of competent professionals.

The fact remains that in this assessment, even in the light of this latest interpellation answer, it would be good to take into account that the Italian tax authorities have chosen to set the bar high, probably higher than necessary, on the burden of proof.

Perhaps, if you are ever pressured by ransomware, remember to ask the hackers to issue a regular invoice.
