The Intelligence War: Nation-State Cyber Threats
John Fokker
RSA Conference 2025 · Day 2 · West Stage
John Fokker, a former Dutch Marine and cybercrime investigator turned Trellix's Head of Threat Intelligence, delivered one of RSA 2025's most operationally grounded keynotes: a real-time case study of Black Basta, the ransomware organization whose leaked internal communications revealed not just criminal tradecraft but what appears to be direct protection from a nation-state government. The session reframed the threat landscape — the boundary between financially motivated cybercriminals and state-sponsored actors has not merely blurred; in many cases, it has effectively dissolved. ---
AI review
Fokker opens with footage of his own police raid and does not let up — the Black Basta case study is the most operationally specific, evidence-grounded threat intelligence session Zero has seen on an RSA main stage in years. The state-protection-of-ransomware-operators argument is not new but the specificity here — leaked chats, real names, the Armenian arrest and 'green corridor' extraction — puts it in a different evidentiary category. This is what a threat intel keynote should look like.