
The English-speaking cybercriminal ecosystem, commonly known as “The COM,” has transformed from a niche community of social media account traders into a sophisticated, organized operation fueling some of the world’s most damaging cyberattacks.
What started as simple forums for trading rare social media handles has evolved into a professional, service-driven criminal marketplace targeting multinational corporations, government agencies, and critical infrastructure across the globe.
The COM’s growth accelerated during the cryptocurrency boom between 2020 and 2021, when cybercriminals shifted their focus from stealing social media accounts to draining digital wallets containing millions of dollars.
This shift introduced new attack methods and monetization strategies that fundamentally changed the landscape of cybercrime.
The ecosystem now operates as a comprehensive supply chain where specialized roles work together seamlessly to execute coordinated attacks.
CloudSEK security analysts identified that The COM’s operational structure mirrors legitimate business models.
Different threat actors specialize in specific roles—some handle social engineering through vishing calls, others manage credential theft, and specialized teams handle data exfiltration and money laundering.
This specialization allows criminal operations to scale rapidly while distributing risk across multiple independent actors.
The emergence of groups like Lapsus$ and ShinyHunters demonstrated The COM’s evolution into theatrical, publicity-driven operations.
Lapsus$ became infamous for breaching major tech companies, including NVIDIA, Samsung, and Microsoft, by manipulating customer support staff through social engineering.
The group pioneered a “leak-and-brag” approach, publicly taunting victims and law enforcement while threatening data releases to accelerate ransom payments.
The Attack Mechanism: Targeting the Human Perimeter
CloudSEK security researchers noted that The COM’s most effective weapon is social engineering rather than technical exploits.
The primary initial access vector is human manipulation: vishing crews phone employees while impersonating IT support staff, telecom providers, or corporate help desk personnel.
These operators deceive employees into revealing credentials, approving remote access, or executing system commands that grant attackers entry to corporate networks.
The technique operates through a simple principle: compromising a person is easier than compromising a device. Attackers use detailed victim profiling gathered through open-source intelligence and breached data, enabling highly targeted campaigns.
Once inside networks, attackers leverage legitimate tools like Remote Desktop Protocol and cloud services to move laterally, avoiding detection by blending with regular administrative traffic.
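The chain described above (a credential or remote-access approval obtained by phone, followed by RDP hops that look like ordinary administration) is hard to catch on any single event, so the useful detection is a correlation over time. The following is an added example, not code from CloudSEK or from this article: it treats a successful sign-in from a device the user has never used as the "approved remote access" step, and flags it when RDP logons to hosts outside that user's historical baseline follow within a window. The event schema (`signin`, `rdp_logon`, `new_device`, `src_host`, `dst_host`), the baseline table and the sample events are all constructed for the example; real SIEM field names differ.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# How long after a suspicious sign-in we keep looking for RDP activity.
WINDOW = timedelta(hours=2)

# Constructed sample events (JSON lines). Not real telemetry.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:02:00Z", "type": "signin", "user": "jdoe", "new_device": true, "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T09:25:00Z", "type": "rdp_logon", "user": "jdoe", "src_host": "WS-4471", "dst_host": "FS-01"}
{"ts": "2024-05-01T09:31:00Z", "type": "rdp_logon", "user": "jdoe", "src_host": "FS-01", "dst_host": "DC-02"}
{"ts": "2024-05-01T10:00:00Z", "type": "signin", "user": "asmith", "new_device": false, "src_ip": "10.0.8.15"}
{"ts": "2024-05-01T10:20:00Z", "type": "rdp_logon", "user": "asmith", "src_host": "WS-1020", "dst_host": "FS-01"}
{"ts": "2024-05-01T13:00:00Z", "type": "signin", "user": "bob", "new_device": true, "src_ip": "198.51.100.9"}
{"ts": "2024-05-01T16:30:00Z", "type": "rdp_logon", "user": "bob", "src_host": "WS-0099", "dst_host": "DC-02"}
"""

# Hosts each user has reached over RDP during a training period (constructed).
BASELINE = {
    "jdoe": {"FS-01"},
    "asmith": {"FS-01"},
    "bob": set(),
}


def parse(text):
    """Parse JSON-lines events, convert timestamps, and sort chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def rdp_chain(hops):
    """Longest run of RDP hops where each hop starts on the host the previous hop reached.
    A chain of 2+ is the 'pivot through a server' pattern rather than a single desktop session."""
    best = cur = 0
    prev_dst = None
    for h in hops:
        cur = cur + 1 if h["src_host"] == prev_dst else 1
        best = max(best, cur)
        prev_dst = h["dst_host"]
    return best


def detect(events, baseline, window=WINDOW):
    """Return one alert per new-device sign-in that is followed, within `window`,
    by RDP logons to hosts the user has no history with."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        known = baseline.get(user, set())
        for i, ev in enumerate(evs):
            if ev["type"] != "signin" or not ev.get("new_device"):
                continue
            deadline = ev["ts"] + window
            hops = [e for e in evs[i + 1:] if e["type"] == "rdp_logon" and e["ts"] <= deadline]
            unusual = sorted({h["dst_host"] for h in hops} - known)
            if unusual:
                alerts.append({
                    "user": user,
                    "signin_ts": ev["ts"].isoformat(),
                    "src_ip": ev["src_ip"],
                    "unusual_hosts": unusual,
                    "max_chain": rdp_chain(hops),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_EVENTS), BASELINE):
        print(alert)
```

On the sample data only `jdoe` is flagged: a new-device sign-in, then a two-hop RDP chain ending on `DC-02`, a host outside that user's baseline. `asmith` reaches the same file server from a known device and is ignored, and `bob` illustrates the caveat of any window-based rule: the RDP logon lands after the two-hour window, so a slower operator slips through. In practice the window is tuned per environment and the new-device signal is usually combined with a help-desk ticket or MFA-reset event rather than used alone.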
This approach has proven effective even against organizations with mature technical security controls, which is why defenses aimed at the human perimeter, such as help desk identity verification and phishing-resistant authentication, are becoming central to enterprise security strategies.
