Over the last decade, the English-speaking cybercriminal landscape, known as “The COM,” has grown from a niche group dedicated to trading rare social media usernames into a complex, service-driven underground economy orchestrating a wide array of global cyberattacks.
Foundational communities like Dark0de and RaidForums have played a critical role in this evolution, cultivating expertise in data breaches, malware development, and reputation-based trading. As forums such as OGUsers emerged, they introduced techniques like social engineering and SIM-swapping, enabling The COM to adapt to market dynamics. This adaptability has positioned it as a launchpad for a new generation of cybercriminals, including “callers,” “texters,” and credential brokers.
The closure of prominent forums due to law enforcement actions, such as the 2022 seizure of RaidForums and specific operations against OGUsers, has resulted in a ‘Migration Effect.’ This phenomenon has merged the social manipulation skills refined by social media traders with the technical expertise of hackers focused on data breaches. Nowadays, The COM is decentralized and fluid, thriving in exclusive channels, Telegram groups, and private Discord servers, enhancing its resilience against disruption.
Tactics and Threat Actors: Social Engineering, Data Breach, and Extortion
At the heart of The COM’s operations is the human factor. Cybercriminals employ advanced social engineering techniques, including vishing, phishing, SIM-swapping, and insider recruitment, to compromise credentials and secure unauthorized access. Notable groups such as Lapsus$, ShinyHunters, and Scattered Spider (UNC3944) exemplify these tactics. They effectively utilize psychological manipulation alongside automated intrusion methods to bypass technical safeguards, targeting individuals and multinational corporations alike.
Lapsus$ has taken social engineering to new heights, using these tactics not only for unauthorized access but also to create a spectacle by live-streaming breaches and publicly taunting businesses and law enforcement agencies. Similarly, ShinyHunters has industrialized data exfiltration, monetizing extensive datasets and offering access through as-a-service models.
Meanwhile, Scattered Spider has pioneered hybrid attack methods, integrating voice phishing with sustained access to internal networks, laying the groundwork for complex ransomware operations, extortion, and massive data-dumping campaigns. Their strategies exemplify the evolution of cybercrime tactics in a highly interconnected environment.
The Modern Supply Chain: Service Model and Global Collaboration
The current landscape of The COM resembles a professionalized supply chain rather than a loose coalition. Operating roles—ranging from voice phishers and phishing kit developers to SIM swappers and ransomware affiliates—function in a modular, on-demand manner, akin to legitimate business ecosystems. This specialization facilitates rapid scaling, risk outsourcing, and innovation, effectively making traditional indicators of compromise nearly obsolete.
Infrastructure utilized by The COM tends to be transient, with attackers frequently leveraging trusted cloud services and encrypted communications, making detection increasingly difficult for defenders. Furthermore, collaboration has transcended linguistic barriers, with English-speaking cybercriminals increasingly partnering with Russian-speaking syndicates on platforms like Exploit.in, exchanging resources and tactics within a converged threat environment. This east-west collaboration expands access to advanced malware and sophisticated laundering networks, significantly heightening risks for cybersecurity professionals worldwide.
Defending Against The New Frontier
As the line separating technical and social attack vectors blurs, the primary security weakness is what has been termed the “human perimeter.” Organizations are urged to shift toward identity-centric defenses, implementing robust helpdesk protections alongside phishing-resistant multi-factor authentication and continuous monitoring for insider threats. The orchestration of varied global attacks by The COM serves as a reminder that cybercrime operates as both a business and a performance, targeting systems and individuals alike. To combat these evolving threats effectively, a strategy combining resilience, heightened awareness, and adaptive responses must be developed.
The tactics employed by The COM map to several tactics and techniques in the MITRE ATT&CK framework, including initial access through phishing, persistence via various methods, and privilege escalation techniques to secure elevated access. Understanding these connections can significantly enhance organizations’ defensive measures against similar threats in the future.