The Com: the growing cybercrime network behind recent Pornhub hack
Criminal ecosystem is made up of mostly male native English language speakers aged from 16 to 25
Ransomware hacks, data theft, crypto scams and sextortion cover a broad range of cybercrimes carried out by an equally varied list of assailants.
But there is also an English-speaking criminal ecosystem carrying out these activities that defies conventional categorisation. Nonetheless, it does have a name: the Com.
Short for community, the Com is a loose affiliation of cybercriminals, largely native English language speakers typically aged from 16 to 25. Its activities run from crippling the IT systems of British retailers to phoning in bomb threats to schools and encouraging teenage girls to harm themselves.
The latest victims of the Com are premium users of Pornhub, one of the world’s largest pornography sites, who have had their search history and viewing habits hacked by a group called ShinyHunters. The gang has emerged from the Com’s sprawling networks, whose constituents also include Scattered Spider, a collective that has been linked with hacks against the British retailers M&S, the Co-op and Harrods.
The Com is thought to comprise thousands of people but there is no formal membership and no tightly delineated groups.
“The Com ranges from 11-year-olds trying to hack Minecraft to people in their mid-20s targeting vulnerable kids online,” says Aiden Sinnott, principal threat researcher at the cybersecurity firm Sophos.
Sinnott describes the Com as operating like a pipeline where older members groom younger recruits into carrying out increasingly sophisticated, and damaging, acts of cybercrime.
“Older members of the Com contact kids and try to get them to commit increasingly sophisticated acts of criminality, moving through to what we are seeing Scattered Spider and ShinyHunters do,” he says.
Members of the Com communicate on platforms such as Discord and Telegram, sometimes exchanging extreme imagery or boasting about hacks. One such channel on Telegram, its name an amalgam of the ShinyHunters, Lapsus$ and Scattered Spider groups, carried a post this month stating: “We are the supply and demand for the Com.”
The Com is well known to law enforcement on both sides of the Atlantic. In July the FBI issued a public warning about the Com, describing it as a “primarily English speaking, international, online ecosystem comprised of multiple interconnected networks whose members, many of whom are minors, engage in a variety of criminal violations”.
The UK’s National Crime Agency has said reports of Com networks have increased six-fold in the UK from 2022 to 2024. The NCA describes Com members as “usually young men who are motivated by status, power, control, misogyny, sexual gratification, or an obsession with extreme or violent material”.
The Com is split into three subsets. The first is Hacker Com, which comprises groups such as ShinyHunters, Scattered Spider and Lapsus$. Scattered Spider activities include crippling company IT systems and extracting private data, then demanding cryptocurrency for its return as part of a process known as a ransomware attack. ShinyHunters and Lapsus$ have more commonly stolen data without the ransomware element. Other activities include hacking social media accounts and using them as fronts for crypto scams.
Noah Urban, a 20-year-old Florida-based member of the Scattered Spider group, was sentenced to 10 years in jail this year for his part in a cybercrime spree that included cryptocurrency theft.
The second subset is IRL, or In Real Life Com, linked to groups such as Bricksquad or ACG. Its activities include calling out armed law enforcement on US university campuses under false pretences, in a process known as “swatting”, subjecting schools to bomb threats, or offering violence-as-a-service where contracts to carry out violent acts – often against other Com members – are posted online, with a financial breakdown for each act of violence.
The last grouping is Extortion Com, which targets vulnerable children and includes a notorious group known as 764. According to the FBI, the victims are typically aged between 10 and 17. They are coerced or extorted into sharing or live-streaming acts of self-harm, sexually explicit behaviour or even committing suicide. The footage is then circulated among network members, so the victims can continue to be extorted or controlled.
Manipulating teenagers into carrying out sexual acts and then blackmailing them for money is known as sextortion and the Com is known to carry this out. But there is also an element of cruel manipulation for the sake of it. The NCA describes Com networks that “manipulate their victims, who are often children, into harming or abusing themselves, their siblings, or pets”.
According to Sophos, there are more than 250 active FBI investigations into this branch of the Com alone, with some of its members motivated by a desire to cause “fear and chaos”, according to US law enforcement.
In the UK this year, Cameron Finnigan, 19, from Horsham, West Sussex, was given a nine-year prison sentence for possessing a terrorist document and encouraging someone online to take her own life. Counter-terror police said he had become involved with 764, which is described as a “Satanic extremist group” with an “extreme rightwing” ideology.
“It’s not three set pillars,” says Sinnott. “There is some movement between the groups.”
The Com is a fluid grouping and a growing threat.