Full Report
Unit 221B’s Allison Nixon said crackdowns have effectively shown the group that their actions carry real consequences. The post "Internet infamy drives The Com’s crime sprees" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: The Com
## Attribution & Identity
* **Identification:** A chaotic, sprawling, borderless, grassroots movement described as a "bottom-up social phenomenon."
* **Composition:** Composed primarily of teenagers and young adults. Unit 221B research suggests the most violent participants number in the hundreds or perhaps a few thousand within a much larger associated population.
* **Associated Groups:** Members are affiliated with the child sextortion group **764**.
## Activity Summary
The Com's primary activities have evolved:
1. **Initial Phase (Pre-2021):** Largely financially motivated, with members evolving from petty thieves into groups leveraging esoteric hacking techniques for significant financial gain (spurred by the 2017 Bitcoin surge).
2. **2021 Onward:** Began an era involving violence and sextortion, often overlapping with high-dollar fraud.
3. **Current Activity:** Includes self-described chaotic "vigilante stuff," which law enforcement is reportedly treating as terrorism. Recent tracked incidents include swatting (e.g., multiple instances in Henrico County, Virginia, tracked to a 14-year-old in England). Leaders of an affiliated sextortion group (764) have recently been charged by the DOJ for directing child sexual abuse material distribution.
## Tactics, Techniques & Procedures
* Social Engineering
* Crypto Theft
* Phishing
* SIM Swapping
* Extortion and Sextortion
* Swatting
* Kidnapping and Murder (Physical Violence)
* Distribution of Child Sexual Abuse Material (CSAM) via affiliated groups
## Targeting
* **Sectors:** Not explicitly defined by sector, but activities suggest targeting individuals/entities vulnerable to online fraud and crime.
* **Geography:** Activities are widespread across the United States, with incidents occurring in every state (per FBI feedback). Specific recent activity was traced to Manchester, England.
* **Victims:** General population targeted for fraud/theft; minors targeted for sextortion and CSAM distribution.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly listed, but techniques point towards tools used for fraud and social engineering.
* **Infrastructure:** Most activity is hosted on independent, criminal-owned and operated websites, with resulting content occasionally surfacing on commercial social media platforms.
## Implications
The Com represents a shift in the cybercriminal underground, moving away from traditional hacker archetypes toward a youth-driven social phenomenon where notoriety is tied to the level of harm and depravity committed. Their youth and perceived low risk (due to minor legal consequences) incentivize recruitment, creating a constantly evolving threat landscape linked to both significant financial crime and severe physical/sexual violence. Law enforcement response is hardening as activities are increasingly treated as terrorism.
## Mitigations
* **Addressing Social/Economic Factors:** Analyzing and addressing the perceived lack of viable career paths for young adults, as economic disparity is cited as a key driver for recruitment.
* **Enforcement Focus:** Continued rapid law enforcement action and arrests, as swift consequences appear to deter participation.
* **Monitoring:** Increased vigilance regarding content migration from private criminal forums onto mainstream commercial social media platforms.