Victim of crypto ransomware? Here’s what to do

In recent days, the mainstream news channels have featured, quite sensationally, the hacker attack on a number of institutional websites, Italian and others, which hackers from all over the world allegedly executed by resorting to crypto ransomware.

Not surprisingly, the Italian tax authorities had also taken up the issue of ransomware just days before the attack.

They did so in a response to a ruling request (interpello), No. 149/2023, expressing an opinion on the tax implications of a case in which a company, a victim of crypto ransomware, found itself having to pay a significant “ransom” in order to regain possession of data crucial to the conduct of its business.

The unfortunate taxpayer, a victim of this extortion, approached the Italian tax authority (Agenzia delle Entrate) with a query, asking whether the costs it was forced to incur were deductible. That is, whether taxes should be paid even on the amounts paid to the extortionists.

The taxpayer company (a victim of this crime), in seeking clarification from the Agenzia delle Entrate, argued in detail why in its view what it paid to extortionists should not be included in the computation of the company’s taxable income.

However, in spite of the taxpayer company’s arguments, according to the tax authority these costs could not be deducted from the income that forms the taxable base on which taxes, and in particular IRES and IRAP, are applied.

Let’s try to better understand why and under what conditions.

The tax treatment of crypto ransomware

Let’s start from a primary point: the reasoning set forth by the company that formulated the question is based on very serious arguments that on a strictly legal level deserve to be shared.

The central points of this reasoning lie in the fact that Italian law, in the case involving the commission of crimes, precludes the possibility of deducting their costs. However, this preclusion concerns only those costs that, in essence, are incurred in committing the crime.

This is the issue of so-called “crime costs.”

Now, as is well known, the Italian legal system also subjects to taxation the income that is received as a result of offenses, including those of a criminal nature (Art. 14 co. 4 L.n. 537/1993).

Yet it expressly excludes costs incurred as a result of the commission of a crime from being deductible (Art. 14 co. 4 bis L.n. 537/1993), regardless of whether the commission of the crime produces taxable income.

The scope of application of this exclusion faces some limitations, due to some provisions that have subsequently intervened, adjusting the focus of the operation of this principle.

Article 2 DL 16/2002 stipulated that this preclusion operates only for costs “directly used for the performance of acts or activities qualifying as a non-negligent crime,” while previously it included costs indiscriminately and generically “attributable to facts, acts or activities qualifying as a crime.”

Consequently, today the inability to deduct costs covers only intentional (non-negligent) crimes and not negligent ones.

In addition, for the prohibition on deducting costs to be triggered, it is a prerequisite that the prosecutor has prosecuted the case, or, alternatively, that the judge has issued a decree of indictment, or even that a ruling has been issued that there is no prosecution due to the statute of limitations.

Conversely, in the event of an acquittal, the prohibition against deducting costs is waived a posteriori, and thus the taxpayer accrues the right to obtain a refund of any taxes that he or she may have paid in the meantime as a result of the non-deduction of such costs, and the related interest.

It is worth mentioning that the Italian tax authority itself, in Circular No. 32/E of 2012, clarified that “crime costs” are not deductible only for those individuals who committed the crime or in whose interest the crime was committed.

This is the general regulatory framework. However, from the point of view of the specific case submitted to the tax authority for examination, it should be borne in mind that several factual circumstances are represented in the prospectus given by the taxpayer that are of particular relevance.

The first is that the crypto ransomware, according to what the taxpayer writes in his query, would have made unavailable (by blocking access, encrypting or deleting them) documents and data vital to the company’s operations.

The second is that the disclosure of confidential business data, also vital to the life of the company, was being threatened.

A third relevant circumstance is that the victim of the extortion, before arriving at the determination to pay the ransom, allegedly tried to find a way to recover the data and stop the cyber-assault by reporting the matter to the authorities and looking for technical solutions suitable for the purpose (although it is not made clear exactly what kind of solutions this was), but failed to find any.

Hence, the crypto ransom payment, according to the representation given by the taxpayer, was on the one hand an unavoidable cost. On the other hand, it was unquestionably functional in achieving the twofold goal of recovering access to the stolen documents and data and preventing the (potentially damaging to the company) dissemination of the confidential data.

The Italian Tax Agency (Agenzia delle Entrate), despite all this, denies the deductibility of these costs.

Why does the tax agency deny the deductibility of these costs on the tax base?

The basic reason for this denial lies in the fact that in the case put forward by the taxpayer, there would not have been conclusive evidence that the costs incurred related to transactions capable of contributing to the formation of income.

In other words, the tax authorities do not deny that in the abstract, if one suffers extortion by means of crypto ransomware that has a direct effect on the economic activity carried out, the costs incurred to avoid or limit the damage of the criminal action are deductible.

It asserts, however, that it is the taxpayer’s burden to prove that the cost incurred is closely related to the business activity carried out.

And in the case at hand, according to the Agenzia delle Entrate, the company that submitted the query did not adequately document the fact that the cash cost incurred for the purchase of Bitcoin first, and the transfer of Bitcoin later, was “closely related to the remuneration of a factor of production (the services that the hackers allegedly undertook to perform).”

It also adds that the mere fact that the cost was accounted for in miscellaneous risk provisions is not in itself sufficient to provide such evidence.

Even if it is not possible to know how the company that submitted the query actually documented the existence of the threat, the nature of the threat itself, and that the costs incurred were closely related to the payment of the ransom, the ruling response notes that a complaint to the authorities (one presumes, to the judicial authority) was reportedly filed.

Unless the point lies in the fact that the circumstance of the filing of the complaint was not documented, it would seem that for the tax authorities not even this is sufficient to prove the correlation (thus, the inherence) of the costs incurred as victims of ransomware extortion.

Thus, it is clear that, in the unfortunate event that one ends up a victim of such a crime, it is most advisable to be prepared, putting oneself in a position to document in an extremely rigorous and timely manner the facts and the direct correlation between the extortion suffered, the impact on the activity carried out and the costs incurred, if one does not want to risk, in addition to the damage, the mockery of having to pay taxes on the ransom amounts.

The ways of documenting extortion, the connection of the costs incurred in defending against it, and ultimately, the inherent nature of these costs with the economic activity carried out, on the practical level can be the most diverse, and obviously depend on the specific situations.

These can be screenshots of the hackers’ messages to document the threat and the address of the wallets to which to transfer the ransom price (assuming the attacked systems allow it); it can be the use of expert reports by digital forensics experts capable of documenting the extent of the damage, the practical consequences of the attack, but possibly also reconstructing the steps of converting fiat money into cryptocurrencies and the subsequent transfer to the criminals’ wallet, even through reverse chain analysis. Among these, however, the fact that a report has been filed with the judicial or police authorities describing and detailing the facts should be a primary piece of evidence to establish that extortion has taken place and that the cost of that extortion is directly related to the business activity carried out.

The assessment of ways to prove the facts and the functional connection between the costs incurred as a result of the crime suffered and the economic activity carried out certainly requires careful case-by-case evaluation, even with the support of competent professionals.

The fact remains that, in this assessment, even in light of this latest ruling response, it will be good to take into account that the Italian tax authorities have chosen to set the bar for the burden of proof high, probably higher than necessary.

Perhaps, if you are ever extorted by ransomware, remember to ask the hackers to issue a regular invoice.

Source: https://en.cryptonomist.ch/2023/02/11/victim-crypto-ransomware/