Organizations that don’t secure their cloud environments and software-as-a-service (SaaS) platforms are inadvertently funding violent crime and the exploitation of minors.
An analysis this week from Flashpoint of the disturbing cybercriminal group known as The Com confirms that as major Russian groups have splintered and withered away in recent years, the new class of predominantly North American cybercriminal groups that has emerged all trace back in one way or another to the same source. Sometimes these threat groups go by different names: ShinyHunters, Lapsus$, or Scattered Spider. As previously reported, sometimes they combine into a single, inelegant unit — “Scattered Lapsus$ Hunters” — betraying that they in fact come from the same place. Regardless, these overlaps also suggest an increasingly disturbing reality. The Com’s own hacker wing, “Hacker Com,” supports its other, more disgusting projects: generating and trafficking child pornography, murder, and a laundry list of other hobbies for sociopaths. And though investigators generally stop short of tracing Scattered Lapsus$ Hunters funds to those specific other crimes, Flashpoint researchers argue that the line between The Com’s splinter groups (which are often made up of English-speaking teenagers) and its violent crimes is blurry and in some cases nonexistent. And that, in turn, is radicalizing the young people involved and dragging them into a horrific world of pain and misery.
So sure, Scattered Lapsus$ Hunters has been responsible for some of the most significant, costly cyberattacks across the US economy lately. They’ve separated from the pack by effectively targeting the cloud and SaaS platforms organizations across the Western world rely on most, like Okta, Salesforce, and Microsoft365. But beyond the consequences for victims, their crimes should be seen as a cost to society, Flashpoint argued.
What Is The Com Criminal Collective?
The Com is a diffuse ecosystem of neo-Nazis, pedophiles, neo-Nazi pedophiles, the odd high-ranking government employee, and their entrapped or trafficked victims.
Though spread across the world, the majority of members live in North America. As mentioned, they skew young, in part as a consequence of its recruiting strategy. The Com often recruits from gaming communities and social media, and it does a lot of grooming, soliciting, and sextorting of children, some of whom it converts from victims to members.
In the big picture, The Com can be thought of in three subsets. There’s the “IRL Com,” responsible for physical attacks like muggings and arson. “Extortion Com” is where new members are recruited, using indoctrination and sextortion to manipulate children into creating pornography, gore, or acting violently. Hacker Com is the arm responsible for breaching brand-name corporations, but also carrying out all kinds of other cybercrimes: SIM swaps, distributed denial-of-service (DDoS) attacks, and ransomware, among others.
How The Com Supports Violence & Sex Crimes
Crucially, IRL, Extortion, and Hacker are not siloed from one another.
“The overlap is significant, and the way governments have subdivided them has caused a lot of confusion and under-prosecution of crimes,” explains Unit 221B CEO Allison Nixon, who’s been pursuing The Com for 15 years. “I understand why governments do this, but the general public should understand that any given hacker in The Com has a much higher than average probability of possessing or forcing the creation of CSAM [child sexual abuse material], and sextorters in The Com have a much higher than average probability of engaging in fraud for their income.”
The Com’s hackers have also been known to cross over and take part in the other sorts of crimes their fellow members specialize in. According to the FBI’s Internet Crime Complaint Center, members “often participate in criminal activity encompassed in more than one subset and maintain relationships with members in multiple subsets simultaneously, in case their skills are beneficial. The members within these subgroups typically have a shared interest, ideology, or goal and work together.”
Without getting into the gory details, Nixon gives an example of how “Some of the earliest innovators of 764” — an associated network of neo-Nazi sextortionists — “have gone on to extort companies after they got out of jail. This is why they need to stay in. The proceeds of their crimes are reinvested back into the criminal enterprise, which is how they can pay for infrastructure and pay to send people to physically attack rivals.”
What’s Happening in The Com Today?
The Com’s major hacking activity has lulled in recent weeks, according to BlackFog founder and CEO Darren Williams. Scattered Spider, for example, has been mum ever since its historically costly attack on Jaguar Land Rover. But it would be a mistake to believe they’re dormant.
“These individuals work for multiple [groups] at the same time. So they will chop and change based on which ones are most successful at the time. So this is not very unusual,” Williams says. Hackers belonging to these groups may well be preparing for their next major campaign, or actively exploiting targets under different banners.
Across the whole of The Com, Nixon is seeing just as much criminal activity as ever, with new tactics and techniques arising “always.”
“The most compelling trend that I think will have major consequences is the ability for these guys to systematically locate and deploy physical assets to locations,” she says. “To decide they want to send a kid to assault someone’s home, or break in, or connect to a specific Wi-Fi network, and locate a kid in their criminal social networks that is both willing and able to do this.”

Comments are closed