What is “The Com”?

The Community, more widely known as “The Com” is a sophisticated hybrid threat ecosystem in which cybercrime serves as the venture capital for domestic terrorism. Existing since the early 2010s, it operates in the “edgesphere”, a grey area where mainstream social media overlaps with underground criminal networks, blending nihilistic violent extremism (NVE) with high-level financial fraud. In The Com, cybercrime against Fortune 500 companies is the primary revenue stream used by members to fund a domestic terror network that aims to radicalize youth and encourage real-world violence.

However, The Com poses more than just financial risk, it is a self-serving victim-to-perpetrator pipeline. It uses stolen capital to recruit adolescents, who they view as a disposable workforce, turning them from a victim to a perpetrator. Despite being a decentralized web of individuals rather than a traditional threat actor organization, The Com has managed to grow by hiding in the gaps between corporate security, parental oversight, and law enforcement.

How The Com is Structured

The Com is often mischaracterized as a single, formal organization. In reality, its ecosystem is unstructured and lacks a shared culture or leadership. However, the various factions within the ecosystem are extremely organized, supporting three broad categories of criminal activity: cybercrime, exploitation of minors, and real-world physical violence.

Federal investigations have shown that The Com includes a mix of adults and minors, men and women. While the exact number of members is difficult to determine, Flashpoint estimates that the broader ecosystem of The Com is in the thousands. While being a global threat, its most active core members are concentrated in Western English-speaking countries: the United Kingdom, the United States, and Canada.

Understanding the Key Pillars of The Com

While The Com is a decentralized ecosystem, its internal structure is defined by a high degree of operational alignment. Individual crews and networks within each pillar exhibit a shared psychology and standardized tradecraft that ensures their criminal activities remain effective and repeatable.

However, Flashpoint notes that members of these pillars do not operate alone. Their interaction with members of other pillars (extortion and real-world violence) amplifies the intended threat.

HACKER Com: The Economic Engine of The Com

Hacker Com acts as the ecosystem’s economic engine and primary technical arm. Its primary function is to hack major corporations and commit financial fraud to fund the broader community’s activities and lifestyle.
Seeing themselves as the elite technical tier of The Com, Hacker Com members are motivated primarily by financial gain and the thrill of outsmarting corporate security infrastructures. Notable crews within this pillar include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce.

TTPs Used by HACKER Com

The following tactics, tools, and procedures (TTPs) have been observed by HACKER COM groups:

Social Engineering (Vishing)

Hacker Com members capitalize on TTPs that target human vulnerabilities instead of relying solely on software and other exploits. Vishing is a signature move of the Scattered Spider crew, whose native English-speaking members call corporate IT helpdesks impersonating employees of that company. 

Analysts note these threat actors are likely Gen Z who socially engineer older support staff by mimicking the impatient attitudes and vernacular of young tech executives, essentially hacking the generation gap. They leverage this form of social engineering to convince support staff to reset passwords or even re-enroll new multifactor authentication (MFA) devices, which grants them access to the victims’ networks.

Supply Chain Targeting

Crews in this pillar have also successfully breached major targets by attacking their trusted vendors. For instance, Lapsus$ compromised Okta by targeting its third-party contractor, Sykes, while Scattered Spider has repeatedly targeted Okta’s identity services to pivot into their clients’ networks.

Living-off-the-land (LOTL)

Once inside a network, threat actors avoid detection by using legitimate, preexisting software and other remote admin tools such as AnyDesk, Ngrok, and Teleport to maintain persistence and move laterally. They often gamify this access, mocking victims for allowing them to simply “log in” using standard admin tools rather than having to hack their way in via complex exploits. They treat the ease of access as a testament to the victim’s incompetence.

SIM Swapping

A SIM swap attack is a foundational TTP used by financially motivated actors that involves social engineering mobile carriers to hijack a target’s phone number, usually resulting in the takeover of high-value cryptocurrency accounts.

The Extort Com pillar functions as a machine designed for psychological control, coercion, and sexual exploitation of minors. Its goals intersect squarely with NVE ideologies, resulting in a marketplace and production center for CSAM and extreme violence, where members often trade these materials as a form of social currency.

Targets are migrated from public channels, which include social media and video games such as Roblox and Minecraft, to private ones maintained by The Com. Once moved, the dynamic shifts from recruitment to active exploitation, which is done to ensure the victim’s compliance.

The “In Real Life” (IRL) pillar serves as the physical enforcement arm of the ecosystem, effectively bridging the gap between virtual threats and reality. Sometimes referred to by law enforcement as “IRL Terror,” members often turn online animosity and disputes into real-world harm against people and their property.

Protect Against Converging Threats Using Flashpoint

The evolution of The Com represents a fundamental shift in the global threat landscape. It is not enough to view cybercrime as a purely financial risk or domestic extremism as a purely ideological one, the two have merged into a self-sustaining engine where stolen corporate capital fuels the radicalization and exploitation of the next generation.

As The Com continues to professionalize its tradecraft and expand its reach, the boundary between our digital and physical worlds will only continue to thin. To protect against this decentralized threat, organizations will require a mutli-layered defense strategy that is powered by intelligence that is sourced at the heart of these groups. Request a demo to learn more.