The English-speaking cybercriminal ecosystem known as “The COM” has evolved from a niche underground culture into a sophisticated, professional service-oriented economy that orchestrates some of the world’s most disruptive cyberattacks.
Over the past decade, this decentralized network has transformed from its origins in OG username trading forums into a full-spectrum criminal supply chain targeting multinational corporations, government entities, critical infrastructure, and retail investors globally.paste.txt.
The COM’s trajectory began in early and mid-2010s forums like RaidForums and OGUsers, where English-speaking cybercriminals addressed to trade “OG” (original gangster) social media handles and build reputation among peers.
These foundational communities cultivated the social engineering skills and manipulation tactics that would become the ecosystem’s defining characteristic.
However, the fundamental transformation occurred following major law enforcement disruptions, which triggered a “Migration Effect” that blended the social-engineering expertise of OG traders with the technical capabilities of breach-focused hackers.
This convergence created an agile new generation of reputation-driven cybercriminals capable of executing increasingly sophisticated attacks.paste.txt.
Today, The COM operates as a multi-faceted criminal economy, enabling large-scale data breaches, extortion campaigns, SIM-swapping attacks, ransomware operations, cryptocurrency theft, rug pulls, and financial fraud.
Technical and Intelligence Brief Style
Key threat actors within this ecosystem include Lapsus$, ShinyHunters, Scattered Spider (UNC3944), and the Silent Ransom Group.
These groups operate with specialized roles and hierarchical structures, monetizing their capabilities through underground supply chains that abstract complexity and lower barriers to entry for new participants.paste.txt.
At the heart of The COM’s operational success lies a fundamental vulnerability: the human perimeter. Social engineering has emerged as the primary attack vector across this ecosystem.
Exemplified by OGUsers’ “callers,” Lapsus$’s manipulation of IT staff, and the notorious GTA VI hack executed from a hotel room, these groups understand that employees represent the weakest link in corporate security.
This reality necessitates that organizations prioritize protection of IT and help desk personnel as a critical security layer, implementing strict identity verification protocols and conducting regular phishing and vishing simulations.paste.txt.
Another critical vulnerability this ecosystem exploits is SMS-based multi-factor authentication. SIM-swapping, pioneered on OGUsers forums, enables attackers to bypass traditional 2FA protections and drain cryptocurrency wallets or compromise enterprise accounts.
This technique has proven devastatingly effective, establishing SMS-based MFA as a core vulnerability that organizations must address through migration to phishing-resistant methods like FIDO2/WebAuthn.paste.txt.
What distinguishes The COM from previous cybercriminal models is its resilience and decentralization. While law enforcement operations have disrupted major forums like RaidForums and BreachForums, these takedowns have merely fragmented the ecosystem rather than dismantling it.
On January 31, 2022, Coelho was arrested in Croydon, UK, followed by a coordinated seizure of all RaidForums infrastructure on February 25, 2022.
Threat actors have migrated to encrypted messaging platforms like Telegram, Discord, and private invite-only channels, making traditional forum monitoring inadequate for threat intelligence collection. The ecosystem has proven capable of absorbing disruption and adapting its infrastructure.paste.txt.
On March 16, 2022, Conor Brian Fitzpatrick, known as “Pompompurin,” launched BreachForums a near-clone of RaidForums.
The threat actor motivations within The COM extend beyond pure financial gain. Groups like Lapsus$ and ShinyHunters pursue disruption and notoriety equally as financial objectives, conducting “leak-and-brag” style attacks featuring real-time data exposure and public taunting of victims.
This behavioral shift demands that incident response programs evolve beyond data theft prevention to address reputational damage and coordinate responses across SOC, PR, and legal teams.paste.txt.
As The COM continues evolving, organizations must recognize cybercrime as a persistent, resilient threat requiring comprehensive security strategies grounded in Zero Trust principles, employee security awareness, and diversified threat intelligence collection across emerging platforms.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.