European law enforcement officials have reportedly described a secret U.S. FBI task force called Group 78 dedicated to disrupting Russian ransomware groups using covert disruption tactics. U.S. authorities have not confirmed its existence, but it has reportedly contributed to strains between the U.S. and its law enforcement partners in Europe.
The reporting comes from French national newspaper Le Monde and the national weekly German publication Die Zeit. European law enforcement officials allege the FBI gave a presentation in early November 2024 at the European Union Agency for Law Enforcement Cooperation’s (Europol’s) headquarters in The Hague about a task force dubbed Group 78. The same presentation was allegedly given at a second European Union Agency for Criminal Justice Cooperation (Eurojust) meeting. Group 78 purportedly had two aims. The first goal was to conduct operations in Russia to disrupt members of the Black Basta ransomware group and try to get them to leave Russia in hopes of arresting them. The Black Basta group emerged around mid-April 2022 and was led by the threat actor tramp who worked in the infamous Conti ransomware-as-a-service (RaaS) group. The Black Basta group devastated businesses, governments and organizations through a well-developed hacking and extortion model, extracting at least US $100 million in ransoms.
Another reported aim of Group 78 was to try to turn Russia — which offers sanctuary to cybercriminals — against the group. Russia’s constitution prohibits extradition of its own citizens, and while it has occasionally taken action against cybercriminal actors, the country has failed to take action against ransomware actors within its borders. The quid pro quo with the cybercriminal community is that as long as actors do not conduct attacks within Russia or against Commonwealth of Independent States (CIS) countries — and offer assistance to intelligence agencies if requested — they are left alone. But if cybercriminals decide to travel to a jurisdiction that has extradition treaties with other countries, there is a potential they could face justice.
According to Le Monde, European officials reportedly expressed concern that Group 78 might use illegal or violent means to disrupt groups. If Black Basta actors were subsequently picked up on European arrest warrants, it could imply that Europe sanctioned the actions, which could be at odds with the due course of law and interrupt European investigations.
The image depicts an Intel 471-generated graph of the Black Basta group’s ransomware activity from April 2022 to January 2025.
If Group 78 exists, are there external signs of its activities? The reporting gives examples of possible fingerprints. In mid-December 2024, two cybersecurity journalists — Hakan Tanriverdi of the German magazine Der Spiegel and Valéry Marchive, editor-in-chief of LeMagIT — were approached by an anonymous source, “Mikhail.” Marchive described the encounters in a piece Oct. 20, 2025, in which he said he suspected the source might be U.S. law enforcement. The source claimed to have deep knowledge about Black Basta, sending the journalists documents and messages and the purported real-world identification of tramp: Oleg Nefedov. This was about six months after the Armenian news outlet 168.am reported a 34-year-old identified as Oleg N. had been arrested June 21, 2024, related to charges filed in Washington. Nefedov’s full name appeared in a 168.am story Sept. 30, 2024, concerning alleged improprieties related to the Yerevan Criminal Court of First Instance judge assigned to Nefedov’s case. Nefedov is believed to have left Armenia for Moscow shortly after his arrest, after the Armenian court did not act fast enough to continue to detain him.
The Russian Yandex Food delivery service data leak in early 2022 revealed several locations where a person by the name Oleg Nefedov ordered food to be delivered. It was not possible to determine whether Nefedov or the actor’s associates owned or just used the properties. One of those locations is a residence in the Moscow region, available for rent for 669,336 Russian rubles (about US $7,450) per month as of March 2025.
There are strong suspicions that Group 78 may be responsible for the leak in February 2025 of 200,000 Black Basta chat messages over a one-year period via a Telegram channel called ExploitWhispers. The leak exposed copious amounts of data about the gang’s structure, its tactics, techniques and procedures (TTPs) and the real-world identities of its top members, including tramp. The messages reveal a range of technical data that formed Black Basta’s operations, including cryptocurrency wallets, domain names, indicators of compromise (IoCs), and exploitation and initial access techniques. The chats also revealed discord in the group, petty quarrels and tangible worries of getting caught by international law enforcement. According to ExploitWhispers, the motivation for the leak was that some Black Basta members were “crossing the line” and conducting cyberattacks against Russian financial institutions.
Russian-speaking threat actors on the DamageLib cybercrime forum have been discussing Group 78, concluding that its reported actions to turn Russia against the group by blaming domestic attacks on Black Basta are implausible. A reputable member of the DamageLib forum wrote Oct. 18, 2025:
“I remember this topic when Black Basta was accused of working against banks in Russia, and some researchers immediately rushed to broadcast this on Twitter. It was immediately clear that this was complete bullshit, which no one would ever buy—neither in the community, nor within the country, and certainly no one would start an investigation based on it.”
U.S. authorities have not confirmed Group 78’s existence. Le Monde writes that the official who allegedly gave one of the presentations to European law enforcement deleted his LinkedIn profile after being contacted by the publication.
As Le Monde notes, U.S. intelligence agencies — as well as those in the other English-language “Five Eyes” countries of Australia, Canada, New Zealand and the U.K. — have been involved in active offensive cyber operations against ransomware groups. The Australian Signals Directorate (ASD), for example, deleted data that 35-year-old ransomware actor Aleksandr Gennadievich Ermakov allegedly stole from a major health insurance company and stored at a bulletproof hosting (BPH) provider while the threat actors associated with Ermakov went out drinking. These operations have been born out of extraordinary circumstances, given that a country, namely Russia, refuses to take action against organized cybercriminal groups that have honed a multibillion-dollar extortion model that wrecks businesses and organizations daily. Carefully scoped offensive cyber operations are a tool that can help combat this. Outing the real-world identities of cybercriminals makes it difficult for them to travel and may put pressure on them inside Russia due to its entrenched corruption. However, these operations are delicate, and one party deciding to go rogue — whether in the private or public sector — could have unforeseen consequences and, as the Europeans reportedly contend, imperil formal justice. In the end, this is a team fight, and fractures in the trusted relationships between different law enforcement agencies would benefit cybercriminals.
One of Group 78’s reported strategies was to turn Russia against its cybercriminals. We noted that ExploitWhispers alleged Black Basta had attacked Russian banks. However, no evidence has surfaced to substantiate this. It is highly unlikely Black Basta — whose members claimed to have high-level connections, possibly with the Russian government — would take such risks with domestic extortion. But it would seem worth a shot for Group 78 to attempt to undermine Black Basta by, say, stealing its ransomware encryptor and then infecting a Russian bank in a false-flag operation. There is no public evidence this happened, but it would align with the broad aim of making life difficult for ransomware actors. We’ve published extensive research into Black Basta on our platform. For more information, contact Intel 471.