The Alarm That Came Too Late: Early Detection and the Rise of Nihilistic Violent Extremism

← Blog Home
Table of Contents

Case 1: When a father in Vancouver, British Columbia, watched his teenage daughter's personality change over just three months (her body carved with names, her worldview transformed into something unrecognizable) he turned to police, hospitals, and mental health experts for help. No one could explain what was happening to her. His daughter, Penelope, died by suicide just days before her sixteenth birthday. As CNN reported in February 2026, the father believes she might have survived if authorities had recognized the threat earlier. "As a society," he said, "we're not recognizing the predator." 

Case 2: 14 year olds are known to cause occasional trouble at home. While worrying for parents, that transgression is as much a part of being a teen as is heartbreak.  Unfortunately, a family  in Recife, Brazil experienced something well beyond angst - attempted murder - . The son was radicalized into stabbing his own father by two friends made on online gaming platforms. What initially were harmless chats about skins and points, turned into a stream of gore, CSAM and terrorist propaganda, driving him to go from idea to act in just a few months.  The father thankfully survived, and the perpetrators , themselves minors, were arrested later.  

A New Category of Threat

These cases are just two of hundreds worldwide, part of a threat network known as 764. It emerged around 2021 and has since grown into one of the most disturbing extremist phenomena law enforcement has encountered. The U.S. Department of Justice and the FBI have classified it under a new umbrella term: Nihilistic Violent Extremism, or NVE. Unlike jihadist or white-supremacist movements, NVE has no coherent political program. Its ideology – to the extent one exists at all – is the absolute destruction of society, not in service of a vision for what comes after, but as an end in itself.

764 is not a conventional organization. As the U.S. Department of Justice has documented in multiple prosecutorial filings, it has no headquarters, no public leadership, no website, and no single operating platform. Instead, it functions as a decentralized network of loosely connected individuals who share tactics, content, and victims across gaming platforms, encrypted messaging applications, mainstream social media, and private online communities. According to the Polarization & Extremism Research & Innovation Lab (PERIL) at American University, which created the NVE Tracker to document these cases, 764 is better understood as an ecosystem than an organized group — one that sits at the intersection of child exploitation and violent extremism. Importantly, 764 is only one group in a broader ecosystem of NVE actors, positioned under the umbrella network known as "The Com" or "The Community," alongside dozens of splinter and affiliate groups such as 8884, No Lives Matter, and Maniac Murder Cult. 

The Growth Curve

The data gathered by PERIL's NVE Tracker shows a threat that has expanded rapidly since 764's creation in 2021. PERIL's June 2026 report documents 104 incidents linked to the 764 network across 19 countries. Arrests connected to the group jumped in 2024 – corresponding with an official alliance between 764 and No Lives Matter which together produced a manifesto encouraging real-life violence – and jumped again in 2025.

Those 104 documented cases represent only what has reached the public record through arrests, indictments, and verified reporting. As PERIL notes, "the real scale is likely much larger, with orders of magnitude more victims who require support." Reporting is especially difficult because many perpetrators are minors, and information regarding their crimes is accordingly limited.

The amorphous, non-hierarchical structure of NVE actors makes targeting a single group or account ineffective: the beliefs, content, and members persist across other channels. PERIL identified 52 distinct groups across its 104 documented cases, with a third of 764 members having direct links to multiple groups simultaneously — a design feature that ensures the expedited spread of materials throughout the network and makes disruption through individual arrests structurally insufficient. 

How the Grooming Works

The architecture of 764's harm is methodical. According to FBI public safety alerts and court documents, perpetrators target vulnerable youth (primarily between the ages of 8 and 17)  by infiltrating spaces where children already feel marginalized: gaming servers, online communities for those with eating disorders or depression, Discord channels and Telegram groups deceptively presented as safe spaces.

The FBI has described the grooming process in detail: predators establish trust through romantic or friendly relationships, then gradually coerce victims into sharing sexually explicit images. Once that material exists, it becomes leverage. Victims are then blackmailed into producing escalating content: self-harm, harm to animals, sexual exploitation of siblings, and worse.  They do so under threat of harm to their families, threats of having the images distributed to family and friends, or threats having their personal information posted as public "doxing."

The Institute for Strategic Dialogue (ISD), in evidence submitted to the UK Parliament's Home Affairs Committee, noted that platform dynamics actively accelerate the problem: "Platform systems serve to catalyse such movements, including the algorithmic amplification of harmful content to users who may not otherwise have seen it. Memes, aesthetics and gaming motifs lower barriers to entry, normalise violence and foster in-group identities, and help extremists evade moderation." 

Where the Abuse Happens

PERIL's relational network mapping of 104 cases identified connections across 23 platforms. Discord was the most heavily used, appearing in 61 documented cases, followed by Telegram in 40. But those encrypted platforms are where abuse is escalated, not where victims are first found. Initial contact more commonly takes place on Roblox (12 cases), Instagram (13 cases), Snapchat (14 cases), and TikTok (5 cases) – mainstream platforms where children already spend their time, and where perpetrators can pose as friends or potential romantic partners.

This two-stage architecture – recruitment on open platforms, escalation on encrypted ones – creates a detection challenge that no single platform can resolve alone. By the time abuse is occurring on Discord or Telegram, the child has already been separated from the communities where early warning signs might have been visible.

This meticulous process of abuse is repeated globally, every day, despite no central coordination. This is partially due to the circulation of “manuals” , where leaders documented successful strategies to inflict harm. They’re also constantly updated, even if the original author was arrested, someone new takes up the mantle.  Beyond grooming, there are active manuals also for murder and terrorism. One of them, the “Haters Handbook” claims to have provided the means to almost 50 murders since 2017.  

The Scale of the Problem

The numbers are stark. As of early 2026, the FBI was running investigations tied to 764 and its offshoots across all 56 of its field offices, studying over 350 subjects nationwide. The network's international reach spans dozens of countries, making it, in the words of the Global Terrorism Index 2026, "particularly insidious."

Of PERIL's 104 documented cases, 54 occurred in the United States, spanning 25 states. Pennsylvania, New York, California, Tennessee, and Michigan recorded the highest numbers. But the online nature of the threat means harm is not confined to state lines: perpetrators and victims are routinely in different parts of the country, or different countries entirely. A Dutch court recently sentenced a 22-year-old man from Spijkenisse to seven years in prison plus compulsory psychiatric treatment for the sexual extortion of at least 60 girls aged 13 to 20. He never left his house. Of his 57 identified victims, only one lived in the Netherlands; most were in the United States, with others in Canada, Germany, and Montenegro. The investigation began with a tip from American authorities to Rotterdam police.

U.S. cases have also moved well beyond child exploitation. PERIL documents at least four 764 network members who have targeted U.S. schools – including two minors who plotted attacks at their own schools and one teen who carried out a school shooting. Additional U.S. incidents have included a bomb plot targeting a busy shopping center and two stabbing attacks on unsuspecting victims.

Multiple governments have responded with formal designation. In December 2025, Canada listed 764 as a terrorist entity. New Zealand and the United States have taken similar steps. The UK's courts have described 764-affiliated defendants in terrorism-adjacent terms – a court in England referred to 764 as a "Satanic, Far-Right extremist group" in its sentencing remarks.

In the United States, prosecutions have accelerated. A San Antonio-based leader of the affiliated 8884 network pleaded guilty in late 2025 to racketeering and multiple counts of child sexual exploitation. A Maryland member was sentenced to 30 years in prison in June 2026 for sexually exploiting minors online. A Florida member pleaded guilty to distributing and possessing child sexual abuse material after participating in 764 extortion operations for approximately two years.

Yet prosecutions, by definition, come after harm has already occurred. Every conviction represents a child (if not multiple) who was not protected in time.

Who Are the Perpetrators?

One of the most significant and underappreciated findings from PERIL's data concerns the age of perpetrators. Traditionally, online child exploitation has been understood as a crime committed by older adults. The 764 data challenges that assumption directly. The median perpetrator age in PERIL's dataset is just 19 years old. The youngest publicly documented perpetrator is 12.

As PERIL's report notes, many 764 participants are barely older than their victims, and some began as victims themselves before being groomed into perpetration. The victim to perpetrator cycle is not incidental to the network's design. It is part of how it sustains and expands itself.

This finding has direct consequences for how trust and safety professionals and policymakers should frame their responses. Enforcement-only approaches that target perpetrators cannot adequately address a network where perpetrators are themselves often children in need of intervention.

Why Detection Fails

The core challenge 764 poses to trust and safety – whether at the level of individual platforms, families, or law enforcement – is that it was designed to evade recognition.

Its decentralized structure means there is no single network to take down, no central server to seize, no leader whose arrest will cause the enterprise to collapse. ICCT researchers Tanya Mehra and Menso Hartgers have noted that 764 "operates at the intersection of violent extremism, child exploitation, and other forms of extreme violence," making it poorly suited to the categorical frameworks most content moderation and law enforcement systems use. CSAM moderation teams, extremism units, and cybercrime divisions each see only a fragment of the activity.

The ISD, in its submission to the UK Parliament, identified a structural failure: "Non-ideological threats, by nature, cannot be addressed by policies and programmes focused on ideological disengagement." Counter-terrorism infrastructure in Western countries was built, in the aftermath of 9/11, to identify and disrupt groups with coherent political or religious agendas. NVE has neither. A child being groomed into self-harm by 764 may not look, to an algorithm or a caseworker, like a radicalization case at all.

The UK case of the Southport attacker illustrates the cost of this gap. The attacker was a teenager who, despite multiple contacts with schools, social services, and police, did not meet the intervention threshold under the UK's Prevent program. His behavioral and online patterns were similar to those seen in violent extremist contexts, but the system was not calibrated to catch them.

Terrorism scholar Simon Purdue identified this problem as early as July 2022, as cited by Just Security: "Ideological nihilism, by its very nature, seeks to erode and ultimately remove the self-preservation instinct that acts as the last bulwark preventing many extremists from committing acts of mass violence." Without an ideology to track, traditional indicators simply do not fire.

What Early Detection Would Actually Require

The FBI's own public guidance on 764 provides a list of behavioral warning signs for parents: scarring in patterns with 764-related terms or platform names; unexpected gifts or messages from unknown contacts; sudden withdrawal from family; unexplained changes in mood or behavior. PERIL's report adds to this list, identifying warning signs for parents and educators: deep online friendships or romantic relationships with strangers that isolate an individual; secrecy and visible distress when separated from devices; hidden accounts or apps, especially encrypted ones; and engagement with violent content, gore, or communities discussing eating disorders or self-harm.

These are the signals of harm already underway, and signs that grooming has progressed to coercion. For trust and safety professionals, the challenge is identifying the harm before it reaches that point.

Chernov Hwang, writing in the Global Terrorism Index 2026, argued that addressing NVE "will require a whole of government and a whole of society approach, including the youths themselves." She is specific about platform responsibility: "Social media platforms must both be partner and held accountable for failures to act."

The ICCT has recommended that platforms work on two fronts: improving their ability to identify "implicit extremist content" (material that does not trigger CSAM or explicit violence filters, but serves as gateway or grooming material)  and developing mechanisms to trace cross-platform abuse, which would allow analysts to identify the linkages between accounts and networks that are currently invisible when each platform looks only at its own data.

The GNET Research analysis applying Significance Quest Theory to NVE suggested that platforms also have a role in providing alternative referral pathways: "Social media companies may be able to play a role in offering these avenues, especially when said behaviours are often exhibited on their platforms." Australia's Office of the eSafety Commissioner has pushed technology companies toward greater transparency about their responses to extremist content, and expressed frustration that more action is not taken proactively.

PERIL's conclusion is perhaps the starkest framing of what early detection requires in practice: "Disrupting this emerging threat is not possible by arresting offenders alone. The growing involvement of younger individuals in NVE-related activity amplifies the need for prevention and intervention strategies that can address risks before violence occurs, requiring policymakers to complement, even prioritize, investments in resilience-building, early intervention, and community-based prevention over traditional enforcement approaches."

Reaching young people (especially those who are isolated or struggling) before manipulative communities do can prevent both victimization and, in turn, future perpetration.  

The Cost of Waiting

Just Security, in a May 2025 analysis of NVE and American counterterrorism, noted that FBI Director Christopher Wray testified as early as April 2021 about counterterrorism cases that were "more about the violence than the ideology" suggesting the pattern was visible to law enforcement years before the public vocabulary to describe it existed. The NVE designation, formally used in a U.S. sentencing memorandum for the first time in March 2025, fills a gap in coordination, allowing investigators across jurisdictions to "speak the same language." But naming the problem is not the same as detecting it early enough to prevent harm.

The father in Brazil  was told repeatedly that the institutions around his son did not understand what was being done to him. The family, the police, and the school each saw a fragment of what was happening and did not recognize the whole. By the time the whole thing became visible, it was too late.

At TrustLab, our first encounters with NVE, a year ago, were especially puzzling. It challenged all the labels that organize our work. It's terrorism, but it's also minor safety, mental health, sextortion, scamming and self-harm. By any single policy angle, it's already worrying. But only when we leverage all of them the monumental scale of this threat becomes visible. It won't be solved by simply banning enough profiles. 

Trust and safety work is premised on the idea that harm can be anticipated, not just prosecuted. The growth of 764 and nihilistic violent extremism is, among other things, a test of that premise.  A test of whether platforms, governments, and civil society can build detection systems adequate to threats that were specifically designed to slip between their categories. The evidence so far suggests the gap remains wide. Closing it is not optional.

Early Detection in Action

We at TrustLab are committed to meeting this sophisticated threat with advanced, cross-platform intelligence:

  • DetectAI: Our cutting-edge AI detection suite is designed to identify patterns of grooming, digital coercion, and automated harmful content generation across diverse media formats before abuse escalates. By monitoring multi-modal signals, DetectAI helps platforms flag predatory behavior dynamically, keeping children safe on mainstream surfaces.

  • TrustLab Abuse Graph: Because groups like 764 operate as a fluid ecosystem across dozens of splinter groups and platforms, tracking individual accounts is highly ineffective. DetectAI leverages the TrustLab Abuse Graph to map out systemic threat networks across the digital landscape. By analyzing actor behavior, entity relationships, and cross-platform footprints, the Abuse Graph empowers Trust & Safety teams and law enforcement to look beyond isolated incidents and dismantle the interconnected infrastructure driving decentralized violent extremism.

To learn more about DetectAI and the TrustLab Abuse Graph, get in touch with us.

Sources

Meet the Author

Dr. Lucas Almeida

Senior Threat Intelligence Scientist at TrustLab

Related Posts & Articles

No items found.

Let's Get Started

See how TrustLab helps you protect your business reputation and ROI.

Get a Demo