A cybersecurity investigation has uncovered the inner workings of a loosely organized network of teenage cybercriminals responsible for one of the decade’s most significant data breaches, affecting at least 160 major organizations and compromising sensitive information belonging to millions of Americans.
The network, known as “The Com,” operates primarily through English-speaking online channels and has been linked to the rebranded hacker group “Scattered Lapsus$ Hunters,” formerly known as “Shiny Hunters,” according to Resecurity, a Los Angeles-based cybersecurity firm that has been tracking the group’s activities since 2017.
Resecurity successfully infiltrated the group using honeytrap tactics, tricking members into revealing their operations and networks.
Major Data Breach Targets Fortune 500 Companies
The investigation centers on a massive breach of Snowflake, a cloud-based data warehousing platform whose clients include some of America’s largest corporations. Among the affected organizations were AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.
The stolen data included personally identifiable information, medical prescriber DEA numbers, digital event tickets, and more than 50 billion call records from AT&T alone. The telecommunications giant’s call and text message metadata involving nearly all U.S. customers was compromised in the breach.
The incident prompted an unusual request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns. AT&T subsequently paid a ransom of Rs 3.15 crore ($370,000) to have the stolen data deleted, according to reports.
Read Full Report: Cyber Counterintelligence (CCI): When ‘Shiny Objects’ trick ‘Shiny Hunters’
Two Men Charged in International Investigation
Federal prosecutors have charged Connor Riley Moucka, 25, and John Erin Binns, 24, with conspiracy, computer fraud and abuse, extortion, wire fraud, and aggravated identity theft. The charges stem from an alleged scheme to hack at least 10 victim organizations, steal sensitive information, and extort victims by threatening to leak the data unless ransoms were paid.
Canadian police arrested Moucka in November 2024 on charges tied to the Snowflake breach. Binns was arrested in May 2024 in Turkey, based on a U.S. indictment charging him with hacking T-Mobile in 2021. Binns is not currently in U.S. custody.
Moucka is scheduled for trial on October 19, 2026.
Resecurity’s HUNTER unit began tracking both men in early 2017, nearly a decade before the Department of Justice released its indictment in 2025. Before the arrests, Resecurity provided authorities with email communications from Binns, which revealed cloud instances, instant messaging accounts, rented servers, phone numbers, and IP addresses used in the criminal operation.
“Resecurity began tracking these actors well before the industry even started discussing them,” the firm stated.
U.S. Army Soldier Pleads Guilty in Related Case
The investigation also implicated Cameron John Wagenius, a 20-year-old U.S. Army soldier who operated under the alias “Kiberphant0m.” Wagenius was arrested in December 2024 after infiltrating 15 telecommunications providers while on active military duty.
Wagenius was stationed at Fort Cavazos in Central Texas and at a U.S. Army base in South Korea between April 2023 and December 18, 2024. Court documents reveal he published stolen AT&T call logs of high-ranking officials, including President Donald Trump and former Vice President Kamala Harris, on dark web forums.
His mother, Alicia Roen, told investigators he had been associated with Moucka and worked on radio signals and network communications.
Searches Raise Counterintelligence Concerns
Court filings reveal that before his arrest, Wagenius conducted several highly incriminating internet searches, including “can hacking be treason,” “where can i defect the u.s government military, which country will not hand me over,” “U.S. military personnel defecting to Russia,” and “Embassy of Russia – Washington, D.C.”
In November 2024, Wagenius communicated via email from an address he believed belonged to a foreign country’s military intelligence service, attempting to sell stolen information. Federal investigators have not disclosed whether Wagenius was acting on behalf of a foreign government or operating independently.
The case has raised significant counterintelligence concerns beyond the scope of typical cybercrime investigations.
Inside “The Com” Criminal Network
The FBI issued a public service announcement last year warning about the risks associated with joining cybercriminal movements like “The Com.” The network announces successful data breaches through its associated Telegram channel, “The Comm Leaks.”
According to Resecurity’s investigation, “The Com” operates through several distinct domains. “Hacker Com” handles data breaches, intrusions, and ransomware attacks. “In Real Life (IRL) Com” encompasses subgroups that facilitate real-world physical violence, often stemming from online conflicts. “Extortion (Extort) Com” focuses on exploiting children through threats of doxing, swatting, and violence.
Members often move between these domains, using funds gained through hacking to engage in extortion activities. The extortion primarily targets minors, typically females, forcing them to carry out malicious actions through threats.
Resecurity infiltrated the actors’ circles and gathered valuable insights through human intelligence operations, exploring the actors’ profiles to understand their motivations and tactics.
How the Attack Was Executed
Security investigations revealed that attackers accessed customer environments by exploiting stolen credentials obtained via infostealer malware. The credentials lacked multi-factor authentication in many cases, allowing attackers to log in directly to Snowflake customer instances using only a username and password.
Based on that pattern, Resecurity deliberately created honeytraps designed to trick attackers, enabling investigators to log actionable network intelligence. The firm successfully trapped members of the group using these techniques.
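The two paragraphs above describe the exposure (a stolen password was the only factor needed) and the countermeasure (decoy accounts whose use betrays the intruder). The following script is an added example, not code from the article or from Resecurity, showing how a defender would triage an exported login history for both signals. The field names mirror Snowflake's `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view; the sample rows, account names and IP addresses are constructed, and the decoy account names in `HONEYTRAP_USERS` are hypothetical.

```python
"""Triage login-history rows for password-only logins and decoy-account hits.

Added example. Field names follow Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view;
all rows, account names and IPs below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

# Decoy accounts planted as honeytraps (hypothetical names). No real user or job
# ever receives these credentials, so any attempt to use them means a harvested
# credential is being replayed.
HONEYTRAP_USERS = frozenset({"SVC_REPORTING_RO", "FINANCE_EXPORT_BOT"})


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str             # PASSWORD, RSA_KEYPAIR, OAUTH_ACCESS_TOKEN, ...
    second_authentication_factor: Optional[str]  # None when no MFA was presented
    is_success: bool


def parse_login_rows(rows: Iterable[Dict]) -> List[LoginEvent]:
    """Convert exported LOGIN_HISTORY rows (CSV/JSON dump as dicts) into events."""
    events = []
    for row in rows:
        events.append(LoginEvent(
            event_timestamp=datetime.fromisoformat(row["EVENT_TIMESTAMP"]),
            user_name=row["USER_NAME"].upper(),
            client_ip=row["CLIENT_IP"],
            reported_client_type=row["REPORTED_CLIENT_TYPE"],
            first_authentication_factor=row["FIRST_AUTHENTICATION_FACTOR"],
            second_authentication_factor=row.get("SECOND_AUTHENTICATION_FACTOR") or None,
            is_success=str(row["IS_SUCCESS"]).upper() == "YES",  # view stores YES/NO
        ))
    return events


def password_only_logins(events: Iterable[LoginEvent]) -> List[LoginEvent]:
    """Successful logins where a password was the only factor presented.

    This is the exposure described in the article: a stolen password alone was
    enough to reach the data. Key-pair and OAuth logins are not flagged, since
    they do not depend on a reusable password.
    """
    return [e for e in events
            if e.is_success
            and e.first_authentication_factor == "PASSWORD"
            and e.second_authentication_factor is None]


def honeytrap_hits(events: Iterable[LoginEvent]) -> List[LoginEvent]:
    """Any attempt, successful or not, against a decoy account."""
    return [e for e in events if e.user_name in HONEYTRAP_USERS]


def users_needing_mfa(events: Iterable[LoginEvent]) -> Set[str]:
    """Real (non-decoy) accounts that have logged in with a password and nothing else."""
    return {e.user_name for e in password_only_logins(events)} - HONEYTRAP_USERS


def triage(rows: Iterable[Dict]) -> Dict:
    """Summarise both signals so they can be fed to a ticket or SIEM alert."""
    events = parse_login_rows(rows)
    hits = honeytrap_hits(events)
    return {
        "password_only_count": len(password_only_logins(events)),
        "users_needing_mfa": sorted(users_needing_mfa(events)),
        "honeytrap_hit_count": len(hits),
        "honeytrap_source_ips": sorted({e.client_ip for e in hits}),
    }


def _row(ts, user, ip, client, factor1, factor2, ok):
    """Build one constructed LOGIN_HISTORY-shaped row."""
    return {"EVENT_TIMESTAMP": ts, "USER_NAME": user, "CLIENT_IP": ip,
            "REPORTED_CLIENT_TYPE": client, "FIRST_AUTHENTICATION_FACTOR": factor1,
            "SECOND_AUTHENTICATION_FACTOR": factor2, "IS_SUCCESS": ok}


# Constructed sample export, not real data.
SAMPLE_ROWS = [
    _row("2024-05-20T09:01:12", "analyst_jdoe", "198.51.100.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    _row("2024-05-20T09:05:44", "etl_service", "198.51.100.20", "PYTHON_DRIVER", "RSA_KEYPAIR", None, "YES"),
    _row("2024-05-20T22:17:03", "contractor_a", "203.0.113.55", "PYTHON_DRIVER", "PASSWORD", None, "YES"),
    _row("2024-05-20T22:18:30", "svc_reporting_ro", "203.0.113.55", "PYTHON_DRIVER", "PASSWORD", None, "NO"),
    _row("2024-05-21T01:40:09", "contractor_a", "203.0.113.77", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    _row("2024-05-21T01:41:15", "finance_export_bot", "203.0.113.77", "JDBC_DRIVER", "PASSWORD", None, "YES"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

Run against the constructed rows, the triage reports three password-only logins, one real account (`CONTRACTOR_A`) that should be moved to MFA or key-pair authentication, and two decoy hits from the same two source addresses that the password-only logins came from, which is exactly the correlation that turns a noisy hygiene finding into an incident.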
“The actors recently mentioned the alias of Binns when their malicious attempt was successfully identified by the honeytrap account we deployed,” Resecurity stated.
Suspect Remains Active, Resecurity Warns
Resecurity is releasing 105 pages containing more than 1,000 message titles related to Binns, obtained from a foreign email server. The communications include attempts to harass U.S. government personnel, State Department officials, and FBI staff, along with multiple instances of misinformation and deceptive tactics.
Resecurity will not disclose how it obtained this data but confirmed its authenticity, which can be independently verified by examining the contacts and titles in the acquired messages.
According to Resecurity’s research, Binns is likely still involved in hacking activity that may be conducted on behalf of malicious parties working against American interests. Binns has repeatedly attempted to harass U.S. government employees, including law enforcement personnel.
In October last year, “Scattered LAPSUS$ Hunters” posted phone numbers and addresses of hundreds of government officials, including nearly 700 from the Department of Homeland Security.
Binns has also created websites where he leaked information and attempted to harass representatives of the U.S. Intelligence Community, including high-ranking government officials. All domains registered by the suspect have been configured through foreign domain registrars and hosting providers, posing challenges for U.S. law enforcement to obtain data through traditional cooperation channels.
Resecurity’s investigation revealed that a female individual previously linked to Moucka is currently residing in Turkey and involved in malicious cyber activity. The firm sent the individual a “warm hello,” along with another individual referred to as “S.M.”
Calls for Enhanced International Cooperation
The investigation highlights ongoing challenges in international law enforcement cooperation. Many members of “The Com” remain at large and are not under arrest, partly due to complications in coordinating efforts to disrupt their activities in foreign jurisdictions not easily accessible to U.S. law enforcement agencies.
During the investigation into “The Com” activity and John Binns, Resecurity observed some foreign organizations’ lack of cooperation, underscoring the need for improved cross-border law enforcement coordination and greater emphasis on public-private partnerships to exchange vital intelligence and address threats effectively.
Recommendations for Enterprises
Resecurity is urging enterprises to implement counterintelligence programs to protect their environments against sophisticated actors. Such measures can include deception technologies, honeytraps, emulated environments, and fake information designed to attract malicious actors.
“All the actors from ‘The Com’ have something in common. They target big brands and government agencies to gain fame and express themselves within their community,” Resecurity noted. “A secondary motive is financial gain and domination. Through extortion, they attempt to obtain new sources of income that can be substantial and political power within their groups.”
Given that actors like “Shiny Hunters” and other members of “The Com” often leverage insiders recruited for cooperation, counterintelligence will play a critical role in modern cybersecurity operations, according to Resecurity.
“These efforts demonstrate Resecurity’s strong commitment to protecting our customers, U.S. law enforcement interests, and individuals working for the benefit of our nation, regardless of where threat actors are, who they are, or what ‘hat’ they wear,” the firm said in a statement.
