The English-speaking cybercriminal ecosystem known as “The COM” has evolved from a niche community trading rare social media handles into an organized operation responsible for a wide range of damaging cyberattacks. The shift accelerated during the 2020-2021 cryptocurrency boom, when its members turned to digital asset theft and increasingly complex intrusions against major corporations and critical infrastructure worldwide.
What began with simple online forums for exchanging rare social media usernames has matured into a professional, service-driven criminal marketplace. The COM now functions as a comprehensive supply chain for cybercrime, with specialized roles working in tandem to execute coordinated attacks. Security analysts from CloudSEK have observed that this operational structure closely mirrors legitimate business models, enabling rapid scaling of criminal activities and the distribution of risk among independent actors.
The acceleration of The COM’s activities during the cryptocurrency boom marked a crucial turning point. Cybercriminals pivoted from stealing social media accounts to draining digital wallets containing millions of dollars, introducing new monetization strategies and attack vectors that fundamentally reshaped the cybercrime landscape. This period saw a significant increase in the sophistication and ambition of these groups.
Currently, The COM operates with a clear division of labor among its participants. Specialized actors handle distinct tasks: social engineering via vishing calls, sustained credential theft, data exfiltration, and money laundering. This specialization allows for efficient, coordinated attacks, increasing their success rate and impact against targets.
The Attack Mechanism: Targeting the Human Perimeter
According to CloudSEK security researchers, The COM’s most effective offensive tool is not a technical exploit but social engineering. The primary vector for initial access is the manipulation of individuals through vishing (voice phishing) operations. Attackers impersonate IT support staff, telecommunications providers, or internal corporate help-desk personnel to deceive employees.
The callers trick employees into divulging credentials, approving remote access to their systems, or executing commands that grant the attackers entry into corporate networks. The underlying principle is that compromising a person is often easier and cheaper than overcoming a device’s technical defenses. Threat actors draw on detailed victim profiling, gathered through open-source intelligence and previously breached data, to make the calls personalized and convincing.
Once inside a target network, attackers rely on legitimate remote-access channels such as the Remote Desktop Protocol (RDP) and cloud services rather than custom malware. Their objective is to move laterally across the network while blending in with normal administrative traffic, so that signature- or malware-based controls alone rarely catch them. This methodology has proven exceptionally effective, even against organizations that have invested heavily in advanced security infrastructure.
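Because the lateral movement described above rides on legitimate RDP sessions, detection has to come from deviations from an administrative baseline rather than from malware signatures. The following is an added example, not code from CloudSEK or the original article, showing three such baseline checks run over constructed Windows logon events shaped like Security event 4624 (LogonType 10 is RemoteInteractive, i.e. RDP): an RDP logon from a source that is not an approved jump host, an account logging on to a host it has never touched before, and one account fanning out to several hosts in a short window. The IP addresses, host names, accounts, known-pair baseline and thresholds are all assumptions made up for the example.

```python
"""Flag RDP logons that deviate from an administrative baseline.

Events are dicts in the shape of a parsed Windows Security event 4624.
Everything below (hosts, accounts, baselines, thresholds) is constructed
for this example and would be replaced by real asset and identity data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: jump hosts from which RDP sessions are expected.
ALLOWED_RDP_SOURCES = {"10.0.0.5", "10.0.0.6"}

# Constructed baseline: (account, target host) pairs observed during a learning period.
KNOWN_PAIRS = {
    ("CORP\\jsmith", "WS-0142"),
    ("CORP\\kpatel", "WS-0231"),
    ("CORP\\svc_backup", "FS-01"),
}

FANOUT_THRESHOLD = 3                 # distinct RDP targets per account ...
FANOUT_WINDOW = timedelta(minutes=30)  # ... within this window => lateral movement

# Constructed sample events. The last three model a vished employee's account
# being reused from an attacker foothold (10.0.4.77) to hop across hosts.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T08:55:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\kpatel", "src_ip": "10.0.0.5", "target": "WS-0231"},
    {"ts": "2024-05-02T09:01:10", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jsmith", "src_ip": "10.0.0.5", "target": "WS-0142"},
    {"ts": "2024-05-02T09:03:00", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.6", "target": "FS-01"},
    {"ts": "2024-05-02T10:12:41", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\kpatel", "src_ip": "10.0.4.77", "target": "WS-0142"},
    {"ts": "2024-05-02T10:15:09", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\kpatel", "src_ip": "10.0.4.77", "target": "WS-0199"},
    {"ts": "2024-05-02T10:20:33", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\kpatel", "src_ip": "10.0.4.77", "target": "FS-01"},
]


def detect_rdp_anomalies(events, allowed_sources=ALLOWED_RDP_SOURCES,
                         known_pairs=KNOWN_PAIRS,
                         fanout_threshold=FANOUT_THRESHOLD,
                         fanout_window=FANOUT_WINDOW):
    """Return a list of findings for RDP logons that break the baseline."""
    findings = []
    recent = defaultdict(list)   # account -> [(timestamp, target)] within the window
    fanout_active = set()        # accounts already alerted for the current burst

    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only successful RemoteInteractive (RDP) logons are in scope here.
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        user, target, src = ev["user"], ev["target"], ev["src_ip"]

        # Rule 1: RDP should originate from an approved jump host.
        if src not in allowed_sources:
            findings.append({"rule": "rdp_from_unapproved_source", "ts": ev["ts"],
                             "user": user, "src_ip": src, "target": target})

        # Rule 2: an account reaching a host it has never logged on to before.
        if (user, target) not in known_pairs:
            findings.append({"rule": "first_seen_account_host_pair", "ts": ev["ts"],
                             "user": user, "src_ip": src, "target": target})

        # Rule 3: one account fanning out to many hosts in a short window.
        history = recent[user]
        history.append((ts, target))
        cutoff = ts - fanout_window
        recent[user] = [(t, h) for t, h in history if t >= cutoff]
        distinct = {h for _, h in recent[user]}
        if len(distinct) >= fanout_threshold:
            if user not in fanout_active:       # alert once per burst
                fanout_active.add(user)
                findings.append({"rule": "rdp_fanout", "ts": ev["ts"], "user": user,
                                 "src_ip": src, "targets": sorted(distinct)})
        else:
            fanout_active.discard(user)
    return findings


if __name__ == "__main__":
    for f in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample, the baseline sessions from the jump host produce nothing, while the three logons from 10.0.4.77 each trip the source and first-seen rules, and the third one also trips the fan-out rule. In practice the allow-list and known-pair baseline would be built from a learning period of real 4624 events, and the source check would be cross-referenced with the help-desk ticket queue, since a successful vishing call often shows up there as a legitimate-looking reset or remote-access request.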
The rise of prominent groups like Lapsus$ and ShinyHunters exemplifies the evolution of The COM into more theatrical and publicity-driven operations. Lapsus$, for instance, gained notoriety for breaching major technology companies including NVIDIA, Samsung, and Microsoft. Their tactics often involved manipulating customer support staff through social engineering to gain initial access. This group pioneered a “leak-and-brag” strategy, publicly taunting victims and law enforcement while threatening to release stolen data to pressure for faster ransom payments.
The reliance on human-centric attack vectors underscores the need for robust security awareness training and stringent internal verification procedures, particularly for help-desk and support staff who are the usual targets of these calls. As The COM’s operations continue to evolve, insider threats and the human element remain a paramount concern for enterprise defense strategies.