Europol just dropped the hammer on The Com, a decentralized cybercrime collective made up mostly of teenagers and young adults who have been behind some of the biggest breaches of 2023-2025. Operation Project Compass has resulted in 30 arrests and 179 suspects identified across 28 countries.
This isn't a story about sophisticated zero-days. It's about social engineering at scale — and why your help desk is your weakest link.
What Is The Com?
The Com is not a single gang — it's a loose ecosystem of young cybercriminals who recruit and radicalize each other across Discord, Telegram, gaming platforms, and social media. Members range from teenagers to young adults, primarily based in English-speaking countries.
What makes The Com dangerous is its connections. Members have operated under or alongside some of the most notorious cybercrime brands:
- Scattered Spider (UNC3944/Octo Tempest) — help-desk social engineering specialists
- LAPSUS$ (DEV-0537) — insider recruitment and source code theft
- ShinyHunters (UNC6040) — large-scale data harvesting and extortion
In 2025, these groups merged into an alliance calling themselves Scattered LAPSUS$ Hunters (SLH), claiming over 60 million breached records.
The Attack Playbook
Not a single attack attributed to these groups started with an endpoint exploit or network vulnerability. Every breach began with account takeover through social engineering.
Primary Technique: Vishing (Voice Phishing)
Attackers call target organizations posing as IT support staff. They convince employees to:
- Reset MFA tokens
- Approve malicious OAuth integrations
- Provide VPN credentials
- Grant remote access
The group has deployed AI-driven voice agents for automated vishing at scale, and actively recruits women for voice phishing campaigns, paying up to $1,000 per call.
Post-Compromise Toolkit
Once inside, The Com operators follow a consistent playbook:
| Phase | Tools & Techniques |
|---|---|
| Credential Harvesting | RedLine malware, MFA fatigue (T1621), NTDS.dit extraction |
| Enumeration | ADExplorer, ADRecon.ps1, PowerShell Get-ADUser |
| Persistence | ScreenConnect, TeamViewer, Splashtop, Pulseway (RMM abuse) |
| Email Interception | Office 365 mail transport rules (tenant-level redirect) |
| Cloud Pivot | AWS IMDS exploitation (169.254.169.254 → IAM role theft) |
| Extortion | TOR-based extortion portal, data leak threats |
Notable Victims
| Year | Target | Impact |
|---|---|---|
| 2023 | MGM Resorts & Caesars | Casino operations disrupted, $100M+ losses |
| 2025 | Marks & Spencer | Retail operations compromised |
| 2025 | The Co-op | Systems breached via social engineering |
| 2025 | Harrods | Targeted in same campaign wave |
| 2025 | Salesforce environments | API-level access via vishing |
| 2025 | Salesloft & Drift | GitHub repos → OAuth tokens → AWS access |
Project Compass: The Takedown
Launched in January 2025 by Europol's European Counter Terrorism Centre (not its cybercrime unit, which is significant), Project Compass coordinates:
- 28 countries including all EU member states
- Five Eyes alliance (US, UK, Canada, Australia, New Zealand)
- Norway and Switzerland
- FBI and Homeland Security Investigations
- UK Counter Terrorism Policing and NCA
Results After One Year
| Metric | Count |
|---|---|
| Arrests | 30 |
| Suspects identified | 179 |
| Victims identified | 62 |
| Children safeguarded | 4 |
| Countries participating | 28 |
The fact that Europol's counter-terrorism division leads this — not the cybercrime unit — reflects how The Com has evolved beyond pure hacking into physical violence, sextortion of minors, and connections to violent extremist groups.
MITRE ATT&CK Mapping
| Technique | ID | Usage |
|---|---|---|
| Acquire Access (Insider Recruitment) | T1650 | Telegram recruitment channels |
| Phishing: Vishing | T1566.004 | Primary initial access vector |
| Multi-Factor Auth Request Generation | T1621 | MFA fatigue/prompt bombing |
| OS Credential Dumping: NTDS | T1003.003 | Domain controller credential theft |
| Remote Access Software | T1219 | ScreenConnect, TeamViewer abuse |
| Email Forwarding Rule | T1114.003 | O365 mail transport interception |
| Data Encrypted for Impact | T1486 | Ransomware deployment |
| Financial Theft | T1657 | Extortion via TOR portal |
Detection & Defense
Why Traditional Security Fails
These attacks bypass every technical control because they target humans, not systems. EDR won't catch a phone call. Firewalls don't block social engineering.
What Actually Works
1. Help Desk Hardening
- Implement callback verification for all credential resets
- Require video verification for high-privilege account changes
- Never reset MFA based on a phone call alone
2. MFA Architecture
- Deploy phishing-resistant MFA (FIDO2/WebAuthn)
- Disable SMS-based MFA entirely (SIM swapping risk)
- Set MFA prompt rate limits to prevent fatigue attacks
3. Monitoring for Post-Compromise
Detection priorities:
- OAuth application registrations from new principals
- RMM tool installations (ScreenConnect, TeamViewer, Splashtop)
- Office 365 mail transport rule modifications
- NTDS.dit access or ntdsutil execution
- AWS IMDS queries from unusual processes
- Bulk data access patterns after credential reset events
4. Insider Threat Program
- Monitor for recruitment outreach on Telegram/Discord
- Track employees accessing systems outside normal patterns
- Implement data loss prevention for source code repositories
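The "MFA prompt rate limits" point under item 2 is easy to state and easy to get wrong in practice, so here is a worked illustration. This is an added example, not code from the article or from any vendor: a sliding-window limiter that stops sending push prompts to a user once a threshold is exceeded and holds the account for out-of-band review (which is where the callback verification from item 1 comes in). The window, threshold, in-memory store and the class and method names are assumptions for the demo; in production this policy lives in the IdP.

```python
"""Push-prompt rate limiter for MFA fatigue (added example, not from the article).

A fatigue attack sends the same user prompt after prompt until one is approved
by mistake. Capping prompts per user per window, and freezing the account when
the cap is hit or the user explicitly denies a prompt, removes the attacker's
ability to keep trying. All thresholds below are assumed demo values.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed: look back 10 minutes
MAX_PROMPTS = 3        # assumed: more than this per window is treated as fatigue


class PushPromptLimiter:
    def __init__(self, window=WINDOW_SECONDS, max_prompts=MAX_PROMPTS):
        self.window = window
        self.max_prompts = max_prompts
        self._sent = defaultdict(deque)   # user -> timestamps of prompts sent
        self.locked = set()               # users held for help-desk review

    def request_prompt(self, user, now):
        """Decide whether a push prompt may be sent to `user` at time `now`.

        Returns "send" when the prompt is allowed, or "locked" when the user
        has hit the cap (or was locked earlier) and must be verified out of band.
        """
        if user in self.locked:
            return "locked"
        sent = self._sent[user]
        # drop prompts that fell out of the sliding window
        while sent and now - sent[0] > self.window:
            sent.popleft()
        if len(sent) >= self.max_prompts:
            self.locked.add(user)
            return "locked"
        sent.append(now)
        return "send"

    def record_denial(self, user):
        """An explicit 'deny' from the user is a strong fatigue signal: lock now."""
        self.locked.add(user)

    def unlock(self, user):
        """Called only after help-desk callback verification (item 1 above)."""
        self.locked.discard(user)
        self._sent[user].clear()


if __name__ == "__main__":
    lim = PushPromptLimiter()
    for t in (0, 10, 20, 30):        # constructed burst of prompt requests
        print(t, lim.request_prompt("alice", t))
```

The limiter is deliberately one-way: a user who hits the cap stays locked until a human verifies them, rather than being silently unlocked when the window expires, because an attacker who can wait ten minutes would otherwise just resume.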
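The detection priorities in item 3 are the part of this list that turns into concrete rules, so here they are run over a small batch of constructed audit events. This is an added example, not code from the article; the flat event schema, the allowlists, the thresholds and the sample events are all assumptions, standing in for normalised Entra ID / Office 365 audit logs, EDR process telemetry and VPC flow logs.

```python
"""Post-compromise triage rules for the six detection priorities above
(added example, not from the article; schema and thresholds are assumed).
"""
RMM_PROCESSES = {"screenconnect.clientservice.exe", "teamviewer.exe",
                 "splashtop.exe", "srservice.exe", "pulseway.exe"}
APPROVED_RMM_HOSTS = {"helpdesk-jump01"}        # assumed: hosts allowed to run RMM
APP_ADMINS = {"svc-appreg"}                      # assumed: accounts allowed to add OAuth apps
IMDS_ALLOWED_PROCS = {"amazon-ssm-agent", "cloud-init"}
BULK_WINDOW = 3600       # assumed: seconds after a credential reset to watch
BULK_THRESHOLD = 500     # assumed: records pulled in that window that count as bulk
REDIRECT_PARAMS = {"RedirectMessageTo", "BlindCopyTo"}


def detect(events):
    """Return (rule, subject) findings for a time-ordered list of events."""
    findings = []
    resets = {}     # user -> time of most recent credential/MFA reset
    fetched = {}    # user -> records pulled since that reset
    for e in events:
        kind = e["kind"]
        if kind == "oauth_app_added" and e["actor"] not in APP_ADMINS:
            findings.append(("oauth_new_principal", f'{e["actor"]} added {e["app"]}'))
        elif kind == "process_start":
            name = e["process"].lower()
            if name in RMM_PROCESSES and e["host"] not in APPROVED_RMM_HOSTS:
                findings.append(("rmm_install", f'{name} on {e["host"]}'))
            if name == "ntdsutil.exe" or "ntds.dit" in e.get("cmdline", "").lower():
                findings.append(("ntds_access", f'{name} on {e["host"]}'))
        elif kind == "transport_rule" and REDIRECT_PARAMS & set(e["params"]):
            findings.append(("mail_redirect_rule", f'{e["actor"]} set {e["rule"]}'))
        elif (kind == "net_conn" and e["dst"] == "169.254.169.254"
              and e["process"] not in IMDS_ALLOWED_PROCS):
            findings.append(("imds_from_unusual_process", f'{e["process"]} on {e["host"]}'))
        elif kind == "credential_reset":
            resets[e["user"]] = e["ts"]
            fetched[e["user"]] = 0
        elif kind == "data_access":
            u = e["user"]
            if u in resets and e["ts"] - resets[u] <= BULK_WINDOW:
                fetched[u] += e["records"]
                if fetched[u] >= BULK_THRESHOLD:
                    findings.append(("bulk_access_after_reset", f"{u} pulled {fetched[u]} records"))
                    del resets[u]   # alert once per reset, not on every later read
    return findings


# Constructed sample: one phone-based reset followed by the textbook sequence,
# plus two benign events (approved RMM host, approved app admin) that must not fire.
SAMPLE_EVENTS = [
    {"ts": 100, "kind": "credential_reset", "user": "jdoe", "actor": "helpdesk1", "method": "phone"},
    {"ts": 400, "kind": "oauth_app_added", "actor": "jdoe", "app": "Mail Sync Helper"},
    {"ts": 500, "kind": "transport_rule", "actor": "jdoe", "rule": "Archive",
     "params": ["RedirectMessageTo", "Enabled"]},
    {"ts": 650, "kind": "process_start", "host": "ws-finance-07",
     "process": "ScreenConnect.ClientService.exe"},
    {"ts": 700, "kind": "process_start", "host": "dc01", "process": "ntdsutil.exe"},
    {"ts": 800, "kind": "net_conn", "host": "web-prod-02", "process": "python3", "dst": "169.254.169.254"},
    {"ts": 900, "kind": "net_conn", "host": "web-prod-02", "process": "amazon-ssm-agent",
     "dst": "169.254.169.254"},
    {"ts": 1200, "kind": "data_access", "user": "jdoe", "records": 300, "resource": "crm/contacts"},
    {"ts": 1500, "kind": "data_access", "user": "jdoe", "records": 300, "resource": "crm/contacts"},
    {"ts": 1600, "kind": "process_start", "host": "helpdesk-jump01", "process": "TeamViewer.exe"},
    {"ts": 1700, "kind": "oauth_app_added", "actor": "svc-appreg", "app": "HR Connector"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, subject in run_sample():
        print(f"{rule:28s} {subject}")
```

The useful property is the last rule: a credential reset on its own is routine, and a few hundred CRM reads on their own are routine, but the two within an hour of each other is exactly the shape of a help-desk takeover, so the reset event is what arms the bulk-access check.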
The Bigger Picture
The Com represents a paradigm shift in cybercrime. These aren't Russian organized crime syndicates or Chinese APT groups — they're Western teenagers who learned to hack through gaming communities and social media.
Their weapon of choice isn't malware. It's a phone call.
Project Compass is a start, but with 179 suspects identified and only 30 arrested, the network is far from dismantled. The decentralized structure means new members are constantly being recruited through the same platforms where they socialize.
For defenders, the lesson is clear: invest in people and process, not just technology. The most expensive SIEM in the world won't stop an employee from giving away credentials over the phone.
Think your help desk could withstand a vishing attack? Find out with a free penetration test — currently in open beta.