How Did a Username Club Become One of Cybercrime’s Biggest Players?

The COM: How This Cyber Subculture Became a Global Crime Network

The420 Web Desk

For more than a decade, an English-speaking cybercriminal community known simply as “The COM” has transformed from a fringe collective trading rare usernames into a sprawling, service-driven underground economy. Today, its decentralized network of social engineers, SIM swappers, ransomware affiliates, and money launderers is reshaping global cybercrime — and testing the limits of modern digital defense.

From Niche Forums to a Coordinated Underground Economy

Over the past ten years, the cybercriminal ecosystem known as The COM has undergone a remarkable transformation. What began as an insular community trading rare social-media “OG handles” has evolved into a fluid, service-oriented operation capable of orchestrating complex, multi-vector attacks across continents.

Early forums like Dark0de and RaidForums laid the groundwork, fostering an environment where data breaches, credential trading, and reputation-based deals became central currency. As groups like OGUsers normalized SIM swapping and social engineering, the COM matured, creating a market for specialized actors — “callers,” “texters,” and credential brokers — who could be hired on demand.

Law enforcement crackdowns, including the 2022 takedown of RaidForums, triggered what researchers describe as a Migration Effect. Rather than dissolve, the COM splintered and reorganized into invite-only spaces on Telegram, private Discord servers, and encrypted communication channels. The decentralization made the group harder to disrupt, even as its capabilities expanded.

The Modern Supply Chain: A Service Model Designed for Scale

Today, the COM resembles a professionalized supply chain more than a loose federation. Roles are distinctly divided.

  • Callers specialize in voice-phishing corporate employees.

  • Kit developers build phishing infrastructure.

  • SIM swappers hijack phone numbers to bypass security.

  • Initial access brokers sell footholds into corporate networks.

  • Ransomware affiliates and money launderers handle monetization.

Each function operates as an independent service — a modular, plug-and-play style of cybercrime.

This structure allows for rapid scaling and innovation. Short-lived infrastructure can be spun up in hours. Cloud services and encrypted channels obfuscate operations. Traditional indicators of compromise, once useful for identifying threat groups, lose relevance as tools and tactics become interchangeable across teams.

The COM’s linguistic divide has also blurred. English-speaking specialists now collaborate with sophisticated Russian-speaking syndicates on platforms like Exploit.in, sharing malware, laundering channels, and operational techniques. The resulting “east-west fusion,” analysts say, has dramatically accelerated the global reach of COM-aligned attacks.

Tactics and Threat Actors: A Human-Focused Playbook

Even where the COM holds a technical advantage, its central tactic remains distinctly human. The group’s operations hinge on social engineering, psychological manipulation, and exploiting the so-called “human perimeter” — the idea that people, not systems, are the weakest link in digital security.

Groups aligned with or inspired by the COM, such as Lapsus$, ShinyHunters, and Scattered Spider (UNC3944), have become emblematic of this approach. Their operations blend automated intrusion techniques with targeted vishing calls, insider recruitment, and credential harvesting.

Lapsus$, for instance, used social engineering not only to obtain access but to create public spectacle: live-streaming breaches and taunting both companies and investigators. ShinyHunters industrialized data exfiltration, selling stolen data sets at scale and licensing access through as-a-service models. Scattered Spider pioneered hybrid campaigns that mix voice-phishing with persistent lateral movement inside networks, often leading to multi-step extortion or ransomware deployments.

These tactics reflect a shift in cybercrime strategy — away from purely technical exploits and toward psychological pressure, misdirection, and real-time human manipulation.

A New Defensive Posture: Protecting the Human Perimeter

As the boundary between technical and social attack vectors narrows, cybersecurity experts warn that the next frontier of defense revolves around people as much as infrastructure. Organizations are being pushed toward identity-centric defense models:

  • phishing-resistant multi-factor authentication,

  • hardened helpdesk protocols,

  • continuous insider-threat monitoring,

  • and better training around psychological manipulation.

Experts note that the COM’s rise shows cybercrime is no longer simply the work of anonymous hackers behind code. It is a global, adaptive business — one that blends performance, deception, and specialization to target both systems and individuals.

Facing such adversaries, defenders are increasingly focused on resilience and rapid response. As one analyst observed, the COM’s evolution “redefines the battlefield,” demanding a security posture that is as adaptive and human-aware as the threats it seeks to deter.
