ANALYSIS

What "The Com" Actually Is: One Word, Thousands of People, Three Kinds of Crime

In May 2019, the first time the United States government put the phrase "The Community" in a charging document, it was describing nine people. Prosecutors in the Eastern District of Michigan charged them with hijacking mobile numbers and draining cryptocurrency wallets, a little over two million dollars in total. Six years later the same word, by then shortened to "The Com," appeared in an FBI public service announcement describing "thousands" of members between eleven and twenty-five years old, spread across three different kinds of crime.

Nothing about the underground became more mysterious in those six years. The label got stretched. Following how it stretched, and what it actually covers, is the difference between treating The Com as a shadow syndicate to be feared and treating it as what it is: a teenage social scene with a criminal fringe, one layer of which belongs on a corporate risk register. This piece is about locating that layer, and about why the group named in any given headline is almost never the thing you should be defending against.

What the government actually named in 2019

The word came before the headlines. Long before "The Com" was a term in threat-intelligence reports, "the Community" was what a particular online scene called itself. Its roots run back to the warez groups of the piracy era and forward into the trade in "OG" social-media handles, short, original usernames bought, stolen, and fought over by teenagers. The researcher Allison Nixon, now at Unit 221B, has been tracking the communities the scene grew out of since 2011. As she described it to MIT Technology Review in February 2026, the group "sometimes called itself" the Community, and the modern Com emerged around 2018 as a faction that took over that older scene.

Its first hard appearance in a public record is narrow and specific. On 9 May 2019, the Eastern District of Michigan announced charges against "the hacking group 'The Community'": six members and three bribed mobile-carrier employees, accused of seven SIM-swap attacks that stole roughly $2.4 million in cryptocurrency. That is the whole of what the phrase meant in a courtroom in 2019: a single crew, running one kind of attack for money.

The term did not yet carry that broader meaning. Nine days later, when Brian Krebs reported that the SIM-swapping forum OGUsers had itself been hacked, he called it a "hacking community" and named the forums, but he did not reach for "the Com" or "the Community" as an umbrella. The shorthand for an entire ecosystem was not yet in circulation; in 2019 the word still named a single group.

How one word came to mean thousands

The umbrella meaning is recent, and it arrived through the press before it reached the agencies. In April 2024, CBS's 60 Minutes described Scattered Spider as one of "a sprawling collection of online criminals calling themselves 'the Community,' or 'the Com,'" and noted that the population had "exploded" since 2018. That September, Krebs published "The Dark Nexus Between Harm Groups and 'The Com,'" which defined it as an "archipelago of crime-focused chat communities." That article is the moment the term visibly widens: in a single piece it gathers ransomware crews, SIM-swappers, doxing forums, and groups that exist to extort minors into self-harm, all under one heading.

The agencies followed. On 23 July 2025 the FBI issued public service announcements formalising the umbrella: "The Com," it wrote, "short for The Community," is a "primarily English speaking, international, online ecosystem" of "thousands" of members, typically eleven to twenty-five, divided into three subsets it labelled Hacker Com, In Real Life (IRL) Com, and Extortion Com.

The codification does not hold together on its own terms. The same advisory that says "thousands" sits alongside reporting in which an FBI official put the number at around one thousand. A scene whose size the same agency estimates within a factor of several, in the same month, does not have an agreed boundary. That uncertainty is the most telling detail in the advisory: "The Com" has become a word for "young English-speaking online crime in general," rather than a name for any countable thing.

Where the umbrella comes from

It would be easy, and wrong, to argue from all this that The Com is a media invention. The overlap the FBI is pointing at is real. What is misleading is the implication that the overlap makes it a coordinated organisation.

The same young people arrive through the same funnel, gaming and Discord and Telegram in their early teens, and circulate inside the same social scene, where status is the currency. Nixon's long-running observation is that the idolisation in this world tracks directly with how much harm a member can cause. The scene itself, the chat channels, the feuds, the doxing, the reputation economy, is the connective tissue. The crimes are two directions the same people point that energy: toward money, or toward violence and coercion.

You do not have to take a researcher's characterisation on faith, because the layers meet in named individuals on the public record. Connor Riley Moucka, charged in the Western District of Washington over the Snowflake customer-data extortion, is the same figure (handle "Judische," also "Waifu") who appears in Krebs's reporting moving between the financial intrusion world and the channels built around real-world harm. The same person spans both worlds, and a federal indictment, not a researcher's inference, is what places him there.

The violent and child-exploitation wings, what the FBI calls IRL and Extortion Com, are a law-enforcement and child-protection matter and fall outside the scope of this analysis. That leaves the third direction, the financial one, which is the only part of The Com that belongs on a company's risk register, and the only part this piece is about from here.

The durable layer is a market

Inside that financial layer, what persists is a market rather than any single gang.

The labour is modular. Reporting from firms such as CloudSEK describes a set of interchangeable roles (vishing callers, smishing texters, phishing-kit developers, SIM-swappers, access brokers, money launderers) that assemble around a job and disperse afterward.

The brands that get the headlines are downstream of that market, and they should be kept distinct, because conflating them is how the mystique gets built. Scattered Spider, LAPSUS$, and ShinyHunters are not one organisation; they are separate reputations drawing on an overlapping pool of people. Mandiant has described ShinyHunters itself as multiple threat clusters operating under a single brand. A LAPSUS$-branded leak site was active in 2026, years after the group's core members were convicted in London in 2023. The name outlived the people who built it.

If a brand can keep operating after its founders are in prison, the brand was never the thing doing the work. The durable layer is the marketplace and its infrastructure, the forums, the escrow, the leak sites, the partnerships, and the brands are tenants who come and go on top of it. This is the argument we made at length in the silent market: the platform is the product, and the crews are its customers. It is why the question every report tries to answer, "who is active right now," is close to unanswerable, and why getting a clean answer would not help you defend anything. The group is the wrong unit.

From buying your data to compelling it: the fraudulent emergency data request

If the group is the wrong unit, the right one is the method, and the most durable part of the method is how these actors learn about you before they ever contact you. Reconnaissance here runs in three tiers, and the third is the one most organisations have no answer for.

The first tier is open and free: scraped social media, public records, the ordinary digital footprint. The second is commercial. Data brokers and people-search platforms compile profiles that anyone can buy, which is a real exposure but a manageable one, because it is for sale on a legal market and it can be opted out of. That is the layer the Eraser is built to reduce.

The third tier is different in kind. Instead of buying data about you, the actor compels a platform to hand over data it holds about you, by impersonating the police. A fraudulent Emergency Data Request, or a forged subpoena submitted through a law-enforcement verification portal such as Kodex, can pull the non-public details a service keeps on an account: the email and phone behind it, IP and device history, login locations.

The FBI issued an advisory on fraudulent EDRs in 2024, and its November 2024 private-industry notice described compromised government email credentials being sold alongside step-by-step guides for abusing them. The market is priced and visible: in February 2026, Dataminr documented a seller offering access to a US police email account for around $1,000 and a law-enforcement verification-portal account for around $2,000, with a forged officer ID for a few hundred more. Kodex's own figures give a sense of the volume, with roughly thirty per cent of requests failing second-level verification and thousands of law-enforcement portal users suspended.

Nobody sells the compelled data on an opt-out list, because there is no broker in the loop. The fuel underneath it is the infostealer log: commodity malware harvesting credentials indiscriminately from infected machines, including the machines of government and police employees, which is where the working portal logins come from. We covered that supply in how modern infostealers work. Reconnaissance has graduated from buying your data to compelling it, and an opt-out cannot reach the second kind.

Opt-outs reduce what can be bought about your people. They do nothing about what can be compelled. Mapping that gap, across credentials, brokers, and exposed accounts, is what a Corporate Audit does.


One move, three trust layers

Strip the tooling away and every tier of this is the same move: persuading a system that you are an authorised person making a routine request. At the help desk, that means a caller impersonating an employee to get a password reset or an MFA device re-enrolled, the vishing call we broke down in the anatomy of a vishing attack. At the platform, it means impersonating a police officer through an emergency request. At the registrar, it means impersonating a legal authority to seize or suspend a domain. Each target takes a different defence, but the underlying move is the same.

The law has caught up to that framing, and the way these cases are charged shows it. The Central District of California's November 2024 indictment of five Scattered Spider members, and the guilty plea one of them, Tyler Buchanan, entered in 2026, are built on wire fraud and aggravated identity theft, not on a hacking statute. The charging theory says, in effect, that the offence was impersonation. A defender's job follows from that: not protecting a perimeter against a break-in, but protecting every routine trust decision their staff and vendors make against a convincing request.

Why the arrests haven't ended it

Enforcement against this scene has been heavy and continuous, and it makes the point about the market better than any analysis could. Moucka was arrested in Canada in October 2024. The five Scattered Spider defendants were indicted in November 2024. Cameron Wagenius was arrested that December.

Noah Urban was sentenced to ten years and ordered to pay $13 million in restitution in 2025. In September 2025 the UK and US charged Thalha Jubair and Owen Flowers, with the American complaint tying Jubair to 120 intrusions against 47 organisations and at least $115 million in ransom payments. Buchanan pleaded guilty to an $8 million scheme in April 2026. Peter Stokes, alias "Bouquet," was arrested at Helsinki Airport that same month.

That is roughly eighteen months of sustained, cross-border prosecution. And through it, the tempo of attacks did not stop; it rotated. The names on the leak sites changed, the methods did not.

The founder of BreachForums was arrested in 2023 and the forum lineage carried on through successor domains. The LAPSUS$ core was convicted in 2023 and the brand reappeared in 2026. Arrests remove people, which matters, and which is the correct response to crimes with real victims. What they do not remove is the market that replaces them. That is the layer a defender has to assume will still be there next quarter.

What this means for your organisation

It would be an overstatement to tell you that fraudulent emergency requests are aimed at your company. For the most part they are aimed at the large platforms that hold everyone's data. But the bridge from this ecosystem to a specific organisation is real, and it runs along three concrete routes.

The first is your domains. The same fraudulent-request method that compels account data from a platform can be pointed at a domain registrar to seize or suspend a name, and it works against registrars regardless of size. The second is your executives' and employees' private accounts, which can be pierced through a fraudulent emergency request to the platform that holds them, an exposure that opt-out services cannot touch because there is no broker listing to remove.

The third is the most direct: your employees' infected devices are part of the fuel supply. Every staff laptop quietly running an infostealer feeds working credentials into the same market, and an infection that gets reimaged and forgotten leaves the credentials it leaked live for years. That is the surface the Lockdown and a Corporate Audit are built to find and close.

The defensive guidance that follows is mostly procedural, and it works. Treat every inbound legal or law-enforcement request as suspicious until verified through a known official channel, not a number or domain supplied in the request itself. Check the sending domain against real records. Enforce hardware-backed multi-factor authentication on the accounts that matter, especially the legacy and administrative ones that rarely get attention. And measure your own exposure before someone else does, because the same reconnaissance and doxing machinery described here is exactly what gets pointed at a named executive or their family when an attacker decides to make it personal, a threat we examined in executive doxing in Europe.
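To make the verification step concrete, here is an added triage helper (example code written for this briefing, not the original's or any vendor's own): it parses an inbound data request, checks the sending domain and any callback number it supplies against a directory you verified in advance, and flags a Reply-To that points elsewhere. The agency directory, the domains and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of agency contact points verified out of band in advance
# (hypothetical placeholders; ".example" is a reserved TLD).
AGENCY_DIRECTORY = {"police.example": {"verification_phone": "+1-555-0100"}}

URGENCY = re.compile(r"\b(emergency|imminent|immediately|within\s+\d+\s+hours?)\b", re.I)
PHONE = re.compile(r"\+\d[\d\- ]{8,}\d")  # crude: only "+"-prefixed numbers, enough here

# Constructed sample: the From domain looks genuine, but Reply-To and the callback
# number point at contact points the requester controls.
SAMPLE_REQUEST = """\
From: Detective Example <requests@police.example>
Reply-To: edr-desk@police-legal-desk.example
Subject: EMERGENCY DATA REQUEST - immediate response required

This is an emergency disclosure request under exigent circumstances.
Provide subscriber, IP and device history for account 123456 within 2 hours.
Call +1-555-0199 to confirm if needed.
"""

def normalise(phone: str) -> str:
    return re.sub(r"\D", "", phone)

def triage_request(raw_email: str) -> dict:
    """Return the flags a reviewer sees and the only channel they may verify through."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    reply_domain = reply_to.rsplit("@", 1)[-1].lower() if reply_to else sender_domain
    flags = []
    # 1. Sending domain is checked against records you already hold. From headers can be
    #    forged, so a match is necessary but never sufficient on its own.
    entry = AGENCY_DIRECTORY.get(sender_domain)
    if entry is None:
        flags.append("sender domain not in verified directory")
    # 2. A Reply-To on another domain redirects the conversation to the requester's mailbox.
    if reply_domain != sender_domain:
        flags.append("reply-to domain differs from sender domain")
    # 3. Contact details inside the request are never dialled; they are only compared
    #    with the directory so that a mismatch becomes evidence.
    directory_phone = entry["verification_phone"] if entry else None
    supplied = PHONE.findall(body)
    if supplied and (not directory_phone or all(normalise(p) != normalise(directory_phone) for p in supplied)):
        flags.append("callback number in request does not match directory")
    # 4. Urgency is normal in a genuine EDR too; it is recorded but cannot drive the decision.
    if URGENCY.search(body):
        flags.append("urgency language present")
    action = "call directory number before release" if entry else "reject pending out-of-band verification"
    return {"sender_domain": sender_domain, "verify_via": directory_phone, "flags": flags, "action": action}
```

Run on the sample, the request is not rejected outright (the domain is on record) but every contact detail it carries is flagged, and the reviewer is pointed at the directory number rather than the one in the message.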

What survives the next rename

The word grew from nine people in a 2019 indictment to "thousands" in a 2025 advisory without the threat becoming any more mysterious, only more marketed. By the time you read the next breathless profile of a Com-affiliated crew, the brand in its headline may already be renamed, splintered, or in custody. The market it drew from, the method it used, and the exposure it shopped against will not have moved. Those three things, not the name, are what a defence is built on, and the exposure is the only one of the three you control.

That is the part we measure. A Corporate Audit maps the credential, broker, and account exposure that this whole market runs on, and reduces it, so that when the next name appears, your organisation is not already listed in the inventory it shops from.

Sources

Etymology and origin

  • MIT Technology Review, "Hackers made death threats against this security researcher. Big mistake." (16 Feb 2026).
  • US DOJ, Eastern District of Michigan, "Nine Individuals Connected to Hacking Group Charged with Online Identity Theft" (9 May 2019).
  • Krebs on Security, "Account Hijacking Forum OGusers Hacked" (18 May 2019).

The drift to an umbrella

  • CBS 60 Minutes, "Russians team up with young, English-speaking hackers for cyberattacks" (Apr 2024).
  • Krebs on Security, "The Dark Nexus Between Harm Groups and 'The Com'" (13 Sep 2024).
  • FBI IC3, PSA250723 and PSA250723-3 on The Com (23 Jul 2025).
  • CyberScoop, "Potent youth cybercrime ring made up of 1,000 people, FBI official says".

Market, method, and the fraudulent emergency data request

  • CloudSEK, "The COM: Anatomy of an English-Speaking Cybercriminal Ecosystem and the Origins of Scattered Lapsus$ Hunters".
  • FBI IC3 Private Industry Notification, "Fraudulent Emergency Data Requests" (4 Nov 2024).
  • Krebs on Security, "Hackers Gaining Power of Subpoena Via Fake Emergency Data Requests" (29 Mar 2022).
  • Dataminr reporting on Kodex and police-account sales (17 Feb 2026).

Court record

  • US DOJ, Central District of California, "5 Defendants Charged Federally with Running Scheme that Targeted Victim Companies via Phishing Text Messages" (20 Nov 2024).
  • US DOJ, Central District of California, "British National Pleads Guilty to Hacking Companies and Stealing at Least $8 Million" (2026).
  • US DOJ, Middle District of Florida, "Palm Coast Hacker Sentenced to 10 Years in Prison" (Urban).
  • US DOJ, Western District of Washington, "United States v. Connor Riley Moucka and John Erin Binns".
  • BBC News, "Two teenagers charged over Transport for London cyber attack" (Jubair and Flowers).
