
Features 17.06.2025
A New Wave of Cyber Criminal: Dissecting “The Com” and Other Homegrown Groups
M&S, MGM Resorts, and Santander are among ‘The Com’s’ growing list of victims
When it comes to the cyber threat landscape, Russian actors are usually portrayed as the bogeymen. But over the past few months and years, a more disturbing picture has started to coalesce. A different breed of hacker has emerged – technically proficient, native-English speaking and with an almost nihilistic penchant for violence and human misery.
Sometimes described as “The Com” or “Scattered Spider”, these loosely associated grassroots groups defy easy categorisation. The question is, with the likes of M&S, MGM Resorts, and Santander among their growing list of victims, how big a threat do they pose to CISOs?
UK CISOs may have first heard the moniker “The Com” or “Com networks” following the publication of the latest annual report from the National Crime Agency (NCA) in March. In it, the agency warns of “sadistic and violent online gangs” comprised mainly of teenage boys engaging in acts of extremism, sexual violence and sadistic child abuse. Reports of this emerging threat increased six-fold between 2022 and 2024, with the NCA claiming that girls as young as 11 had been coerced by members into “seriously harming or sexually abusing themselves, siblings or pets”.
What has this got to do with enterprise cybersecurity? Curiously, Com network members are also blamed for data breaches, fraud, and malware/ransomware attacks. On paper, The Com seems far removed from the highly professionalised world of Russian cybercrime. Yet some of its supposed members use techniques that traditional threat actors would applaud and have been tied to some of the most damaging breaches on record.
Where does it all begin? According to Unit 221B researcher, Allison Nixon, the Com’s members were largely financially motivated until the early 2020s, when sextortion and high-value fraud also became popular. The “bottom-up social phenomenon” now venerates depravity, harm and misogyny – with youngsters recruited because of their naïvety, hunger for attention and money, and reduced exposure to legal jeopardy. However, although the worst acts of these networks are truly awful, they represent only a small percentage of total members, says Nixon.
High-profile arrests seem to be dampening down their worst excesses, she says. But the threat to enterprises remains undiminished, as recent attacks on UK retailers have shown.
A detailed Brian Krebs investigation into the young men behind many of these attacks shows the strong links between Scattered Spider and Com networks. They include:
According to a recent ReliaQuest report, Scattered Spider relies heavily on social engineering for initial access, often using the off-the-shelf Evilginx adversary-in-the-middle phishing framework to bypass multi-factor authentication (MFA): the phishing site proxies the genuine login flow, so the victim completes MFA as normal while the attacker captures the authenticated session cookie. An analysis by the threat intelligence firm of over 600 publicly shared indicators of compromise (IOCs) found that the group’s phishing domains primarily impersonate services such as single sign-on (SSO), identity providers (IdP), VPNs, and IT support systems.
The end goal is to harvest credentials from high-value users, including system administrators, CFOs, COOs, and CISOs. When initial phishing attempts fail, the actors double down with vishing, impersonating C-level executives in panicked helpdesk calls that request password resets or enrolment of new MFA devices, ReliaQuest claims.
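The ReliaQuest finding above, that the lure domains impersonate SSO, IdP, VPN and IT-support services, is something a defender can turn into a triage rule over a domain-monitoring or certificate-transparency feed. The following is an added example written for this article, not ReliaQuest’s tooling or the indicators it analysed: the brand name, the legitimate apex list, the keyword lists and the candidate hostnames are all constructed, and the matching rules (brand substring or one-character typosquat, plus service keywords) are this example’s assumptions.

```python
import re

# Service keywords by category, matching the services the ReliaQuest IOC analysis
# says these lures impersonate (SSO, IdP, VPN, IT support). The word lists are
# this example's assumption, not the vendor's.
SERVICE_KEYWORDS = {
    "sso/idp": {"sso", "okta", "idp", "login", "signin", "auth", "myaccount"},
    "vpn": {"vpn", "remote", "anyconnect", "globalprotect"},
    "it-support": {"helpdesk", "servicedesk", "support", "itsupport", "ticket"},
}

# Constructed brand and legitimate apex list for a hypothetical organisation.
BRANDS = ["examplecorp"]
LEGIT_APEXES = {"examplecorp.com"}

# Constructed candidate hostnames, as a CT-log or domain-monitoring feed might supply.
SAMPLE_HOSTS = [
    "sso-examplecorp.com",
    "examplecorp-vpn.net",
    "examp1ecorp-helpdesk.com",   # digit-for-letter typosquat
    "sso.examplecorp.com",        # the real SSO host, must not be flagged
    "weather-forecast.example",   # unrelated, must not be flagged
]


def levenshtein(a, b):
    """Plain edit distance; used to catch one-character typosquats of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokenize(host):
    """Split a hostname into labels and hyphen/underscore-separated words."""
    return [t for t in re.split(r"[.\-_]", host.lower().strip(".")) if t]


def is_legitimate(host, apexes):
    """True when the host is one of our own apex domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def triage_host(host, brands, apexes):
    """Return None for legitimate or unrelated hosts, otherwise which brand and
    which service categories the name imitates."""
    if is_legitimate(host, apexes):
        return None
    tokens = tokenize(host)
    brand_hit = None
    for tok in tokens:
        for brand in brands:
            # exact/substring match, or a one-edit typosquat of a reasonably long brand
            if brand in tok or (len(brand) >= 5 and levenshtein(tok, brand) <= 1):
                brand_hit = brand
    if brand_hit is None:
        return None          # service words alone are too generic to act on
    services = set()
    for tok in tokens:
        for category, words in SERVICE_KEYWORDS.items():
            if any(w == tok or (len(w) >= 3 and w in tok) for w in words):
                services.add(category)
    return {"host": host, "brand": brand_hit, "services": sorted(services)}


def triage(hosts, brands=BRANDS, apexes=LEGIT_APEXES):
    """Triage a feed of hostnames; returns only the ones worth a block or takedown."""
    return [r for r in (triage_host(h, brands, apexes) for h in hosts) if r]


if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(finding)
```

A hit with both a brand and a service category is the one to escalate first; a brand hit with no service word is usually parked-domain noise, and a service word with no brand is left unflagged here because it cannot be tied to the organisation.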
The report also warns MSPs in particular to be on their guard, as actors are keen on ‘one-to-many’ attacks. In a recent example, they breached an MSP and exploited vulnerabilities in the SimpleHelp remote management software to deploy ransomware across client networks, it claims.
SOCRadar CISO, Ensar Seker, tells Assured Intelligence that this new breed of threat actor presents new challenges to network defenders accustomed to facing more traditional adversaries.
“Scattered Spider and the Com network actors represent a distinct kind of threat compared to traditional Russian-speaking cyber criminal groups. What sets them apart isn’t necessarily technical sophistication, but their boldness, deep social engineering playbooks, and insider-like operational tempo,” he explains. “These groups frequently exploit identity and access mismanagement, leveraging SIM swapping, MFA fatigue attacks, and even targeting IT help desks to gain privileged access. Their tactics resemble those of APTs but are often executed with the agility and audacity of hacktivist crews, making attribution and defence more complex.”
ReliaQuest director of threat research, Brandon Tirado, agrees, explaining that Scattered Spider actors often cause significant damage within just eight hours of initial access – for example, by rapidly escalating privileges and abusing identity systems like Okta and Azure AD (now Microsoft Entra ID).
“In addition to their speed and expertise in social engineering, their potency lies in their fluency in English, which helps avoid tipping off the targeted organisation’s helpdesk, and their ‘scattered’ nature – operating as a loosely organised network rather than a centralised group,” he tells Assured Intelligence.
“This decentralised structure makes them more unpredictable and adaptable.”
The threat actor profile may be unusual, but ultimately, they are still focused on the same thing as any cyber criminal: making money. That’s why several notable Com attacks have seen actors work as affiliates for ransomware groups like ALPHV/BlackCat (MGM) and – more recently – DragonForce (M&S).
“CISOs should focus on proactive monitoring of third-party accounts, bolstering helpdesk defences with identity verification protocols, and enforcing adaptive MFA policies,” advises Tirado. “Compared to Russian cyber criminals, who often rely on longer dwell times, combating Scattered Spider requires faster detection, automated response playbooks, and real-time threat hunting to neutralise their rapid operations.”
SOCRadar’s Seker agrees that CISOs need to “double down on identity security” with phishing-resistant MFA, privileged access management (PAM) and regular access audits, alongside specialised employee training.
“Defending against these threat actors demands a mindset shift. While traditional ransomware groups often follow a predictable path – initial access broker, lateral movement, exfiltration, and encryption – groups like Scattered Spider bypass many of these stages by targeting identity and session hijacking. This means the usual EDR, network segmentation, and backup combo isn’t enough,” he adds.
“These homegrown actors are loud, fast, and opportunistic. What they lack in stealth, they compensate for in adaptability. That makes real-time visibility into authentication events and faster incident response cycles non-negotiable.”
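The two identity abuses the experts above single out, MFA fatigue and helpdesk-driven password resets followed by enrolment of a new factor, both leave a footprint in identity-provider logs, and Seker’s “real-time visibility into authentication events” amounts to watching for exactly these sequences. The following is an added example written for this article, not code from any of the vendors quoted: the events are constructed in an Okta-like shape, and the field names, event-type strings, thresholds and windows are this example’s assumptions rather than a real vendor schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in an Okta-like shape. Field and event-type names
# are this example's assumptions, not a real vendor schema.
SAMPLE_EVENTS = [
    # A burst of push prompts the user keeps rejecting, then finally accepts.
    {"ts": "2025-06-10T08:00:05Z", "actor": "system", "user": "cfo@example.com",
     "event": "user.mfa.push", "result": "DENY"},
    {"ts": "2025-06-10T08:00:40Z", "actor": "system", "user": "cfo@example.com",
     "event": "user.mfa.push", "result": "DENY"},
    {"ts": "2025-06-10T08:01:20Z", "actor": "system", "user": "cfo@example.com",
     "event": "user.mfa.push", "result": "TIMEOUT"},
    {"ts": "2025-06-10T08:02:00Z", "actor": "system", "user": "cfo@example.com",
     "event": "user.mfa.push", "result": "DENY"},
    {"ts": "2025-06-10T08:02:45Z", "actor": "system", "user": "cfo@example.com",
     "event": "user.mfa.push", "result": "DENY"},
    {"ts": "2025-06-10T08:03:30Z", "actor": "system", "user": "cfo@example.com",
     "event": "user.mfa.push", "result": "ALLOW"},
    # One prompt, accepted: normal.
    {"ts": "2025-06-10T09:15:00Z", "actor": "system", "user": "analyst@example.com",
     "event": "user.mfa.push", "result": "ALLOW"},
    # Outsourced helpdesk resets a password; a new factor appears 9.5 minutes later.
    {"ts": "2025-06-10T13:10:00Z", "actor": "agent@helpdesk-msp.example",
     "user": "sysadmin@example.com", "event": "user.account.reset_password", "result": "SUCCESS"},
    {"ts": "2025-06-10T13:19:30Z", "actor": "sysadmin@example.com",
     "user": "sysadmin@example.com", "event": "user.mfa.factor.activate", "result": "SUCCESS"},
    # Reset followed by enrolment six hours later: outside the window, not flagged.
    {"ts": "2025-06-10T10:00:00Z", "actor": "agent@helpdesk-msp.example",
     "user": "analyst@example.com", "event": "user.account.reset_password", "result": "SUCCESS"},
    {"ts": "2025-06-10T16:00:00Z", "actor": "analyst@example.com",
     "user": "analyst@example.com", "event": "user.mfa.factor.activate", "result": "SUCCESS"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` push prompts within any
    `window`. Every prompt counts, whatever its result: the attacker only
    needs the victim to tap ALLOW once, so an accepted prompt at the end of a
    burst is the most urgent case, not a reason to stand down."""
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "user.mfa.push":
            prompts[e["user"]].append((parse_ts(e["ts"]), e["result"]))
    alerts = []
    for user, items in prompts.items():
        items.sort()
        times = [t for t, _ in items]
        start, best = 0, 0
        for end in range(len(times)):            # sliding window over sorted prompts
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "prompts_in_window": best,
                           "accepted": any(r == "ALLOW" for _, r in items)})
    return alerts


def detect_reset_then_enrol(events, window=timedelta(hours=1)):
    """Flag a successful password reset followed by activation of a new MFA
    factor for the same user within `window`: the helpdesk-driven takeover
    pattern the article describes."""
    resets = defaultdict(list)
    for e in events:
        if e["event"] == "user.account.reset_password" and e["result"] == "SUCCESS":
            resets[e["user"]].append((parse_ts(e["ts"]), e["actor"]))
    alerts = []
    for e in events:
        if e["event"] != "user.mfa.factor.activate" or e["result"] != "SUCCESS":
            continue
        t = parse_ts(e["ts"])
        for reset_ts, reset_actor in resets.get(e["user"], []):
            gap = t - reset_ts
            if timedelta(0) <= gap <= window:
                alerts.append({"user": e["user"], "reset_by": reset_actor,
                               "minutes_between": gap.total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS) + detect_reset_then_enrol(SAMPLE_EVENTS):
        print(a)
```

The reset-then-enrol rule is deliberately keyed on the reset actor: when that actor is an outsourced helpdesk identity, the alert should trigger the verification call-back Tirado and Casey describe rather than just a ticket, and the automated response for a fatigue alert with `accepted` set is to revoke the user’s sessions before anyone investigates.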
Bridewell CTO, Martin Riley, adds that preparedness is vital. “If we compare recent attacks, one retailer has been far worse hit, because it wasn’t able to ‘pull the plug’ on non-essential services that prevented the spread of the attack,” he tells Assured Intelligence. “Do you know your organisation and technology enough to understand what is an operational and defendable cybersecurity position? What can you turn off, what impact will it have on the business, and what must you keep?”
Qodea CISO, Adam Casey, argues that security leaders must also go beyond the technical to drive cultural change through continuous awareness training and testing.
“Security is a shared responsibility and CISOs need to be reinforcing that vigilance is expected from everyone within the organisation. The M&S cyber attack demonstrated how conventional cybersecurity layers weren’t even a factor. They manipulated ‘outsourced’ IT staff through impersonation, then went straight for the jugular by targeting leadership,” he tells Assured Intelligence.
“CISOs are also going to need to put a focus on their outsourced operations. Recent attacks have shown that a third-party risk management programme is essential – and needs to be rock solid.”
Whatever freakish confluence of societal factors originally fomented The Com, it’s here now. This is the reality CISOs need to adapt to, and a new threat to consider in their risk planning.