Over the past ten years, the English-speaking cybercriminal community known as “The COM” has evolved from a niche subculture focused on trading rare social media usernames (so-called “OG handles”) into an agile service-driven underground economy orchestrating a vast range of global attacks.
Early communities like Dark0de and RaidForums laid the foundation, fostering skills in data breaches, malware development, and reputation-based trading.
As forums like OGUsers popularized social engineering and SIM-swapping, the COM adapted to market realities and became a launchpad for a new generation of “callers,” “texters,” and sophisticated credential brokers.
The demise of high-profile forums, driven by law enforcement takedowns such as the 2022 seizure of RaidForums and targeted actions against OGUsers, forced a Migration Effect.
This blended the social manipulation skills honed by OG traders with the technical pedigree of breach-focused hackers. Today’s COM is decentralized and adaptive, thriving in invite-only channels, Telegram groups, and private Discord servers, making it resilient against disruption.
The COM’s operational backbone is the human element. Attackers deploy advanced social engineering, vishing, phishing, SIM swapping, and insider recruitment to compromise credentials and gain privileged access.
Groups like Lapsus$, ShinyHunters, and Scattered Spider (UNC3944) exemplify this, using a mix of psychological manipulation and automated intrusion to bypass technical safeguards and target everything from individual crypto wallets to multinational corporations.
Notably, Lapsus$ leveraged social engineering not only for access but also for public spectacle, live-streaming breaches and openly taunting both companies and law enforcement.
ShinyHunters industrialized data exfiltration, monetizing large data sets and selling access through as-a-service models.

Meanwhile, Scattered Spider and their affiliates pioneered hybrid attack vectors, mixing voice phishing with persistent access to internal networks, setting the stage for multi-step ransomware, extortion, and data-dumping campaigns.
Today, the COM cybercrime hub operates more as a professionalized supply chain than as a loose federation. Dedicated roles, namely callers (voice phishers), phishing kit developers, SIM swappers, initial access brokers, ransomware affiliates, and money launderers, work in a modular, on-demand fashion, mirroring legitimate business ecosystems.
This specialization enables rapid scaling, risk outsourcing, and innovation while also making traditional indicators of compromise nearly obsolete. Infrastructure is short-lived, and attackers frequently leverage trusted cloud hosting and encrypted communication, hampering detection.
Importantly, English-speaking COM specialists now collaborate with Russian-speaking cybercrime syndicates on platforms such as Exploit.in, sharing resources and techniques within a converged threat environment.
This east-west fusion grants access to advanced malware and robust laundering networks, upping the ante for defenders worldwide.
As the line between technical and social vectors blurs, the primary security weakness is the “human perimeter.” Organizations must pivot to identity-centric defenses, robust helpdesk protections, phishing-resistant multi-factor authentication, and continuous monitoring for insider threats.
The COM’s orchestration of varied global attacks demonstrates that cybercrime is both a business and a performance, targeting not just systems but people, and the only effective defense is a blend of resilience, awareness, and adaptive response.
