What happened
In early February 2025, some of Italy’s most prominent business figures reportedly received phone calls from what sounded like the country’s defence minister, Guido Crosetto. The Guardian and Euronews reported that the calls, which investigators believe used AI-generated audio imitating Crosetto’s voice and in some cases came from numbers spoofed to look official, asked the targets to wire around EUR 1 million, supposedly to help free Italian journalists kidnapped in the Middle East, with assurances the Bank of Italy would repay them. Reported targets included Giorgio Armani, Prada’s Patrizio Bertelli, and members of the Beretta, Menarini, and Del Vecchio families.
Massimo Moratti, the former owner of Inter Milan, reportedly made the transfer. Reuters reported that Italian police subsequently traced and froze nearly one million euros that had been wired to a foreign account, with reporting describing a route through the Netherlands and Hong Kong. Crosetto, who first raised the alarm publicly, filed a complaint with the Carabinieri, and Milan prosecutors opened an investigation; Italian media reported that two Dutch nationals, holders of the receiving account, were placed under formal investigation within days, though as of mid-2026 no arrests or charges have been publicly reported. Whether the voice was generated in real time or pre-recorded has not been established, which is why “what investigators believe was AI-generated audio” is as far as the reporting goes. Moratti was reported as saying the call seemed entirely convincing. It was the Arup playbook transposed from a video call to a telephone: a trusted voice, an urgent secret, and a wire transfer.
What an auditable version would have shown
The scam worked because a voice was accepted as an identity and urgency was accepted as authority. An auditable version of the payment chain challenges both. A signed record on the receiving side would capture what authorised the transfer: a phone call, from what number, verified by what means, against which standing procedure for out-of-band confirmation. When the instruction is real, the record shows a verified chain from request to release; when it is synthetic, the record shows exactly where the verification step was skipped, while there is still time to stop the money.
Where the gap was
Nothing between the voice and the wire asked who actually issued the instruction. An AuthorityGate exists for precisely this question: is the source of this instruction authorised to bind the actor, verified through a channel the requester cannot fake, such as a call back to a known number or a counter-signature from a second officer? A voice, however familiar, is not a credential once AI can manufacture it. A ConductRecord preserves each payment instruction and the verification performed on it, so an organisation can prove its process held, or see precisely where it broke.
What governance should have looked like
The defence against synthetic authority is procedural, not perceptual: no human ear can be the control, because the human ear is what the attack is engineered for. Any request that moves money on the strength of a voice needs an independent verification step that a cloned voice cannot satisfy, and a record showing the step ran. The Crosetto scam is the Arup lesson restated a year later, against different targets, in a different channel. The organisations that will withstand the third iteration are the ones whose payment approvals leave a verifiable trail by design.
The reference implementation of AuthorityGate and ConductRecord is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- AI phone scam targets Italian business leaders including Giorgio Armani (The Guardian)
- Italian police freeze cash from AI-voice scam that targeted business leaders (Reuters)
- Scammers clone Italian defence minister’s voice with AI in ransom scheme (Euronews)