DEV Community

DeepSeaX

Project Compass: Europol Dismantles The Com Teen Cybercrime Network

Europol has delivered the first major blow against "The Com" — a decentralized cybercriminal collective of teenagers and young adults responsible for some of the most high-profile attacks of 2023-2025, including the MGM Resorts breach, the Marks & Spencer ransomware attack, and the Harrods IT disruption. Project Compass, a 28-country law enforcement operation, has resulted in 30 arrests and 179 suspects identified.

What Is The Com?

"The Com" (short for "The Community") is not a single hacking group — it's a sprawling ecosystem of English-speaking cybercriminals, primarily aged 16-25, that spawns sub-groups operating semi-independently. The most notorious offshoots include:

  • Scattered Spider (UNC3944) — social engineering specialists behind the MGM Resorts breach ($100M+ impact) and Caesars Entertainment extortion ($15M ransom paid)
  • ShinyHunters — data breach operators linked to Pornhub, Ticketmaster, and AT&T breaches
  • Star Fraud / 0ktapus — SMS phishing campaigns targeting Okta, Twilio, and 130+ organizations

What makes The Com unique among cybercriminal ecosystems is the convergence of cybercrime with real-world violence. Members don't just hack — they engage in SIM swapping, swatting (fake emergency calls), sextortion of minors, and coercion of teenagers into self-harm. Europol explicitly noted links to violent extremist groups and Russian cybercriminal gangs.

Project Compass: The Operation

Launched in January 2025 and coordinated by Europol's European Counter Terrorism Centre (not the cybercrime unit — a deliberate signal about The Com's violence nexus), Project Compass brought together:

  • 28 countries — EU member states, Five Eyes (US, UK, Canada, Australia, NZ), Norway, Switzerland
  • Key agencies — FBI, Homeland Security Investigations, UK Counter Terrorism Policing, National Crime Agency

Results After Year One

Metric                    Count
Arrests                      30
Perpetrators identified     179
Victims identified           62
Children safeguarded          4
Countries involved           28

Attack Techniques (MITRE ATT&CK Mapped)

The Com's sub-groups share a common playbook that security teams should understand:

1. Social Engineering & Vishing (T1566)

Scattered Spider's signature move: calling IT helpdesks while impersonating employees to reset MFA. The MGM breach started with a single phone call to an outsourced helpdesk.

2. SIM Swapping (T1111)

Porting victim phone numbers to attacker-controlled SIMs to intercept SMS-based MFA codes. This technique was used to bypass 2FA on cryptocurrency exchanges, corporate accounts, and personal banking.

3. SMS Phishing Kits (T1598.003)

The 0ktapus campaign sent phishing SMS to employees at 130+ companies, harvesting Okta credentials and MFA tokens in real time using custom phishing kits that proxied to legitimate login pages.

4. Identity Provider Compromise (T1556)

Once inside via social engineering, Scattered Spider targeted identity providers (Okta, Azure AD) to create persistent access across the entire organization — not just one system.

5. Ransomware Deployment (T1486)

The Com's groups partnered with ALPHV/BlackCat ransomware-as-a-service for the MGM and M&S attacks, deploying encryption after lateral movement through identity infrastructure.

Detection Guidance

Sigma Rule: Helpdesk Social Engineering Indicators

# Sigma v2 correlation rule set. The v1 "near" aggregation and detection-level
# "timeframe" used previously are not supported by current backends, so the two
# events are separate rules joined by a temporal correlation. Field names
# (Operation, ResultType, TargetUser) are assumptions: map them to the schema
# your Azure AD audit-log pipeline actually emits.
title: Successful Password Reset
name: helpdesk_password_reset
description: Successful password reset, e.g. performed by a helpdesk agent
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    Operation: 'Reset password'
    ResultType: 0
  condition: selection
---
title: New MFA Security Info Registered
name: mfa_security_info_registered
description: New authentication method registered by the user or by an admin
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    Operation:
      - 'User registered security info'
      - 'Admin registered security info'
  condition: selection
---
title: Suspicious MFA Reset Following Helpdesk Call
id: 9d4e5f6a-1b2c-3d4e-5f6a-7b8c9d0e1f2a
status: experimental
description: Password reset followed within 15 minutes by newly registered MFA security info for the same account, a sequence consistent with helpdesk social engineering
correlation:
  type: temporal_ordered
  rules:
    - helpdesk_password_reset
    - mfa_security_info_registered
  group-by:
    - TargetUser
  timespan: 15m
level: high
tags:
  - attack.credential_access
  - attack.t1566
  - attack.t1556

What to Monitor

  • Identity Provider logs — MFA resets, new device registrations, unusual login locations following helpdesk interactions
  • Helpdesk ticket correlation — cross-reference password reset tickets with subsequent suspicious authentication events
  • SIM swap indicators — sudden loss of SMS-based MFA delivery, carrier-level number porting alerts
  • Lateral movement from IdP — a single identity accessing an abnormal number of systems after authentication
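As an added example (not code from the original post), the reset-then-registration correlation described above implemented in plain Python over constructed Azure AD style audit events, so the logic can be checked against sample data before it is encoded in a SIEM. The field names (timestamp, activity, result, target_user) and the sample events are assumptions, not a real log schema.

```python
# Added example: helpdesk password reset followed by new MFA security info for
# the same account within 15 minutes. Field names are assumptions; map them to
# the schema your Azure AD audit-log pipeline actually emits.
import json
from datetime import datetime, timedelta

RESET_ACTIVITY = "Reset password"
MFA_ACTIVITIES = {"User registered security info", "Admin registered security info"}
WINDOW = timedelta(minutes=15)

# Constructed sample events (newline-delimited JSON), not real log data.
SAMPLE_LOG = """
{"timestamp": "2025-03-04T09:00:00Z", "activity": "Reset password", "result": "success", "initiator": "helpdesk1@corp.example", "target_user": "alice@corp.example"}
{"timestamp": "2025-03-04T09:06:30Z", "activity": "User registered security info", "result": "success", "initiator": "alice@corp.example", "target_user": "alice@corp.example"}
{"timestamp": "2025-03-04T10:00:00Z", "activity": "Reset password", "result": "success", "initiator": "helpdesk1@corp.example", "target_user": "bob@corp.example"}
{"timestamp": "2025-03-04T11:30:00Z", "activity": "User registered security info", "result": "success", "initiator": "bob@corp.example", "target_user": "bob@corp.example"}
{"timestamp": "2025-03-04T12:00:00Z", "activity": "Reset password", "result": "failure", "initiator": "helpdesk2@corp.example", "target_user": "carol@corp.example"}
{"timestamp": "2025-03-04T12:05:00Z", "activity": "Admin registered security info", "result": "success", "initiator": "helpdesk2@corp.example", "target_user": "carol@corp.example"}
"""

def parse_events(text):
    """Parse newline-delimited JSON into events with datetime objects, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["ts"])

def correlate_reset_then_mfa(events, window=WINDOW):
    """Return (target_user, reset_ts, mfa_ts, minutes) for each successful reset
    followed by new MFA security info on the same account within the window."""
    pending = {}   # target_user -> time of the most recent successful reset
    findings = []
    for ev in events:
        user = ev["target_user"]
        if ev["activity"] == RESET_ACTIVITY and ev["result"] == "success":
            pending[user] = ev["ts"]
        elif ev["activity"] in MFA_ACTIVITIES and user in pending:
            delta = ev["ts"] - pending[user]
            if delta <= window:
                findings.append((user, pending[user], ev["ts"], delta.total_seconds() / 60))
            del pending[user]   # one alert per reset; a later registration needs a fresh reset
    return findings

if __name__ == "__main__":
    for user, reset_ts, mfa_ts, minutes in correlate_reset_then_mfa(parse_events(SAMPLE_LOG)):
        print(f"ALERT {user}: reset at {reset_ts:%H:%M}, new MFA method {minutes:.1f} min later")
```

Only the first account fires: the second registers a method 90 minutes after its reset (outside the window) and the third reset failed, so its later admin registration has nothing to pair with.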

Why This Matters for Defenders

The Com represents a new model of cybercrime that traditional threat intelligence struggles with:

  1. Age — members are 16-25, many minors, making prosecution complex across jurisdictions
  2. Decentralization — no central leadership, sub-groups form and dissolve organically
  3. Violence convergence — cyber tactics combined with real-world threats (swatting, extortion, coercion of minors)
  4. Affiliate model — young hackers providing initial access to sophisticated ransomware operations (ALPHV/BlackCat)

30 arrests out of 179 identified means 149 known suspects are still active. Project Compass is ongoing, but The Com's decentralized structure means new sub-groups will continue to emerge.

The defensive takeaway: if your organization relies on helpdesk-based password resets or SMS-based MFA, you are running the exact playbook Scattered Spider exploits. Move to phishing-resistant MFA (FIDO2/passkeys) and implement helpdesk verification protocols that can't be socially engineered.

Sources: Dark Reading, Help Net Security, Security Affairs

