Understanding The Com: The Intersection of Cloud Security and Real-World Harm

A detailed analysis of how unauthorized access to enterprise cloud and SaaS environments provides financial resources for a decentralized threat network involved in physical violence and the exploitation of minors.

Triage Security Media Team

Organizations working to secure their cloud environments and software-as-a-service (SaaS) platforms typically focus on data protection and business continuity. However, recent analysis illustrates that preventing unauthorized access also disrupts the financial pipelines for groups engaged in physical violence and the exploitation of minors.

According to a recent analysis by Flashpoint, the decentralized threat actor ecosystem known as "The Com" has grown to fill the void left by the splintering of older, established international groups. A new generation of predominantly North American threat actors has emerged from this common source. These entities operate under various banners, including ShinyHunters, Lapsus$, and Scattered Spider, and occasionally combine into informal collectives like "Scattered Lapsus$ Hunters." Flashpoint's research maps these various groups back to the same underlying network.

This shared origin reveals a complex operational structure with severe societal implications. The Com’s technical division, which refers to itself as "Hacker Com," generates revenue that supports other criminal activities, including the generation and trafficking of child sexual abuse material (CSAM) and physical violence. While financial tracking between these specialized subgroups can be complex, Flashpoint researchers indicate that the boundaries between them are functionally nonexistent. The proceeds from unauthorized access into corporate networks directly resource operations that manipulate and radicalize young participants.

Groups affiliated with this network have focused heavily on compromising widely used cloud and SaaS platforms, including Okta and Microsoft 365. By strengthening defenses and configuration standards around these critical enterprise tools, organizations can directly interrupt the funding mechanisms for these broader societal harms.

The organizational structure of The Com

The Com functions as a diffuse network that includes violent extremists, individuals involved in CSAM, and manipulated youths, alongside occasional participation from individuals holding government security clearances. While distributed globally, the majority of its participants are located in North America.

The network skews young, largely due to its recruitment methodologies. Threat actors associated with The Com frequently engage with gaming communities and social media platforms. They use grooming and sextortion tactics to manipulate adolescents, often converting impacted individuals into active participants in the network.

Operationally, The Com divides its activities into three primary subsets. The "IRL Com" coordinates physical operations, such as arson and physical assaults. "Extortion Com" manages recruitment and coercion, using sextortion to force minors into generating CSAM or engaging in violence. Finally, "Hacker Com" focuses on enterprise security incidents, including ransomware deployments, SIM swapping, and distributed denial-of-service (DDoS) operations against prominent corporations.

Operational overlap and law enforcement response

These three subsets operate collaboratively rather than in isolation. Allison Nixon, CEO of Unit 221B, has tracked The Com for 15 years and notes that treating these subsets as distinct entities can hinder effective prosecution.

"The overlap is significant, and the way governments have subdivided them has caused a lot of confusion and under-prosecution of crimes," Nixon explains. "I understand why governments do this, but the general public should understand that any given hacker in The Com has a much higher than average probability of possessing or forcing the creation of CSAM, and sextorters in The Com have a much higher than average probability of engaging in fraud for their income."

This crossover is corroborated by the FBI’s Internet Crime Complaint Center, which observes that participants "often participate in criminal activity encompassed in more than one subset and maintain relationships with members in multiple subsets simultaneously, in case their skills are beneficial."

The revenue generated from corporate extortion is systematically reinvested into the network. Nixon points to associated groups, such as the neo-Nazi extortion network 764, noting that members frequently resume corporate extortion after serving prison sentences. These funds pay for technical infrastructure and finance physical operations against rival networks.

Current activity and evolving tactics

While some high-profile affiliates like Scattered Spider have maintained a lower profile following major incidents, such as the operational disruption at Jaguar Land Rover, the network remains active.

Darren Williams, founder and CEO of BlackFog, emphasizes that these threat actors frequently rotate their affiliations based on operational success. "These individuals work for multiple [groups] at the same time," Williams says. "So they will chop and change based on which ones are most successful at the time. So this is not very unusual."

Participants may currently be preparing new campaigns or operating under different names. Nixon observes that criminal activity across The Com remains consistent, with new tactics emerging regularly. One of the most pressing developments is the network's ability to coordinate physical operations through digital channels.

"The most compelling trend that I think will have major consequences is the ability for these guys to systematically locate and deploy physical assets to locations," Nixon states. "To decide they want to send a kid to assault someone's home, or break in, or connect to a specific Wi-Fi network, and locate a kid in their criminal social networks that is both willing and able to do this."

(Original reporting for this analysis was provided by Nate Nelson, a cybersecurity journalist, award-winning scriptwriter, and contributor to Darknet Diaries, Threatpost, and Malicious Life.)