Full Report
The child sextortion group 764 and the global collective of loosely associated groups known as “The Com” are using tools and techniques normally associated with financially motivated cybercrime — such as SIM swapping, IP grabbing and social engineering — to commit violent crimes, according to exclusive law enforcement and intelligence reports reviewed by CyberScoop. […] The post Exclusive: Feds are probing 764, The Com’s use of cybercriminal tactics to carry out violent crimes appeared first on CyberScoop.
Analysis Summary
This report describes the activities of extremist/criminal groups rather than a single, contained corporate security incident with the clear timeline of compromise and response typical of an IR report. The structure below is therefore adapted to reflect intelligence findings across multiple actors and chronological markers.
# Incident Report: Exploitation of Cybercrime Tactics for Violent Extremism and Child Exploitation by "The Com" Affiliates
## Executive Summary
Loosely associated global collectives, notably "The Com" and subgroups such as 764 and 6996, are misusing cybercriminal tactics (SIM swapping, IP grabbing, social engineering) to commit violent crimes, including child sextortion, grooming, and coercion of self-harm. An intelligence report from March 2023 highlighted the publication of a technical guide ("The Bible") detailing fraud and doxxing techniques, indicating a convergence of cybercrime knowledge with extremist ideologies such as Neo-Nazism (M.K.U.). The primary impact is severe psychological and physical harm to minors, along with potential societal destabilization, prompting nationwide law enforcement alerts.
## Incident Details
- **Discovery Date:** Ongoing; specific intelligence reports reviewed date up to May 2024.
- **Incident Date:** Specific guidance published in March 2023; FBI alerts in May 2024.
- **Affected Organization:** Not applicable (Focus is on criminal/extremist infrastructure targeting the general public, particularly minors).
- **Sector:** Societal threat, Cybercrime, Domestic Violent Extremism.
- **Geography:** Global (involving the US and allied foreign governments).
## Timeline of Events
### Initial Access (To Victims)
- **Date/Time:** Ongoing process, accelerated by reported publication in March 2023.
- **Vector:** Social engineering, fake online support groups (e.g., fake suicide prevention chats).
- **Details:** Attackers leverage online platforms (e.g., Telegram) to establish contact, often posing as support networks to gain trust.
### Lateral Movement
- **Internal Network Movement:** Not applicable. The "movement" here refers to the spread of criminal/extremist knowledge and recruitment across interconnected groups (764, 6996, M.K.U.).
### Data Exfiltration/Impact
- **What was stolen or damaged:** Personal information (via IP grabbing/doxxing), sexually explicit photos/videos from minors, extortion attempts leading to physical harm, animal cruelty, and coercion toward self-harm/suicide.
### Detection & Response
- **How it was discovered:** Exclusive review of intelligence reports by CyberScoop; intelligence notes produced by Joint Regional Intelligence Center and Central California Intelligence Center.
- **Response actions taken:** FBI tradecraft alert issued in May 2024; law enforcement urged to monitor for these tactics; arrests made for related non-violent cybercrimes (e.g., Snowflake data exfiltration incident in October).
## Attack Methodology
- **Initial Access:** Social engineering (posing as support groups), targeting vulnerable demographics, particularly minors.
- **Persistence:** Use of established group infrastructure (Telegram channels) to maintain control and continue grooming/extortion.
- **Privilege Escalation:** Not applicable in the traditional sense; the escalation involves gaining victim trust to extract sensitive data and coercing dangerous acts.
- **Defense Evasion:** Group obfuscation; leveraging cybercrime knowledge (IP hiding techniques) to conceal attacker locations.
- **Credential Access:** Not detailed as a typical corporate credential theft, but social engineering is used to acquire personal identifying information (PII) for doxxing and extortion.
- **Discovery:** Use of open-source intelligence (OSINT) tools detailed in "The Bible" guide to gather victim intelligence.
- **Lateral Movement:** Spreading influence and membership across linked extremist communities (e.g., M.K.U. and 764).
- **Collection:** Doxxing data, personal information, and private/explicit images/videos of victims.
- **Exfiltration:** Transfer of data for extortion purposes; victims are directed to NCMEC’s "Take It Down" service to coordinate removal of explicit content.
- **Impact:** Severe physical and psychological harm to minors, potential threat to law enforcement/researchers through doxxing, and ideological destabilization.
## Impact Assessment
- **Financial:** Not specified, though related activities like ATM skimming and the Snowflake attack suggest potential high financial costs linked to affiliates.
- **Data Breach:** Highly sensitive PII, explicit images/videos of minors. Volume unknown but widespread across multiple states ("in every state").
- **Operational:** Severe disruption to the emotional and physical safety of victims and families. Threat to public officials/researchers through doxxing/swatting threats.
- **Reputational:** Significant reputational risk for technology platforms used (Telegram, etc.) and increased scrutiny on law enforcement intelligence sharing effectiveness.
## Indicators of Compromise
- **Network indicators:** IP Grabbing techniques utilized (specific IPs defanged).
- **File indicators:** Manual titled "The Bible," published on Telegram, detailing ATM skimming, IP grabbing, doxxing, and grooming.
- **Behavioral indicators:** Creating fake suicide prevention chat groups; systematic coercion of minors into self-harm or animal cruelty.
## Response Actions
- **Containment measures:** Nationwide FBI alerts warning law enforcement about specific 764 doxxing practices (May 2024). Encouraging parents to monitor children’s digital activity.
- **Eradication steps:** Arrests of associated Com members (e.g., Connor Moucka in connection with Snowflake attacks). Dissemination of intelligence reports to law enforcement agencies.
- **Recovery actions:** NCMEC's "Take It Down" service to assist victims in removing illicit images online.
## Lessons Learned
- **Key takeaways:** Cybercriminal skills are being overtly weaponized by violent extremist groups to achieve physical and psychological harm, moving beyond typical financial motivation into terrorism classifications. The threat is broad and embedded ("this is everywhere").
- **What could have been done better:** Improved proactive intelligence sharing across fusion centers immediately upon identification of converged tactics (cybercrime + violent extremism).
## Recommendations
- **Prevention measures for similar incidents:** Enhanced monitoring of known extremist forums/channels (Telegram) for the dissemination of how-to guides ("The Bible") related to fraud, doxxing, and social engineering. Increased public awareness campaigns targeting minors regarding online support groups and IP/PII protection.