The UK’s National Crime Agency is warning of a growing cyber and physical threat from homegrown teens
Analysis Summary
# Threat Actor: Sadistic Online “Com” Networks
## Attribution & Identity
The actors are characterized as English-speaking young men operating in online networks referred to as "Com" networks.
* **Associated Groups:** Operate across decentralized, often ephemeral networks on social media and instant messaging platforms.
* **Contextual Note:** While part of a concerning trend, the NCA notes these "young homegrown cybercriminals make up a small proportion of the overall threat picture."
## Activity Summary
These networks engage in a broad spectrum of criminality, combining cyber-attacks with serious offline harms.
* **Criminal Activities:** Cyber-attacks, fraud, extremism proliferation, serious violence, and child sexual abuse (CSA).
* **Cyber-Specific Operations:** Responsible for ransomware attacks, data breaches, and social engineering tactics.
* **Harmful Content:** Sharing extremist, violent, and child abuse material.
* **Coercion:** Frequently coerce victims into physical and self-harm.
* **Trend:** Reports of this threat are said to have increased six-fold in the UK between 2022 and 2024.
## Tactics, Techniques & Procedures
The techniques focus heavily on social interaction and initial access via deception.
* **Initial Access/Compromise:** Phishing, vishing (voice phishing), and SIM swapping.
* **Social Engineering:** Implied through vishing and the methods used for coercion.
* **Data Exploitation:** Data breaches and deployment of ransomware.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
* **Sectors:** Broad targeting implied, covering standard cybercrime victims (for ransomware/fraud) and individuals for abuse/coercion.
* **Geography:** Primarily focused on the **UK** and other **Western countries**.
* **Victims:** Offenders and victims across the UK are estimated to number in the thousands and to be involved in exchanging millions of abusive messages. Specific organizations were not named in relation to cyber incidents.
## Tools & Infrastructure
* **Malware Families Used:** **Ransomware** (mentioned generally).
* **Infrastructure (C2, domains, IPs):** Not specified, but operations are routed through **social media and instant messaging platforms**.
## Implications
The networks present a dual threat, intertwining severe physical/social harm (extremism, CSA, violence) with traditional cybercrime vectors (ransomware, fraud). The rapid increase in reported activity (a six-fold increase in the UK between 2022 and 2024) signals a growing domestic threat composed of younger, often homegrown offenders leveraging readily available platforms for illicit coordination.
## Mitigations
* **Combatting Social Engineering:** Increased user awareness and organizational defense against phishing and vishing attacks.
* **Account Security:** Implementing stronger controls to mitigate **SIM swapping** risks (e.g., strict multi-factor authentication, carrier-level protection).
* **Platform Monitoring:** Law enforcement and platforms must collaborate to monitor and disrupt coordination on social media and messaging services related to extremism and CSA.
* **Ransomware Defense:** Standard ransomware prevention and recovery mechanisms are necessary given these networks' involvement in ransomware attacks.