
The Human Perimeter: How the COM Became a Cybercrime Powerhouse

The COM’s rise highlights how attackers increasingly exploit identity and trust to drive modern cybercrime.

Written By
Ken Underhill
Nov 17, 2025

The contemporary English-speaking cybercriminal ecosystem — often referred to as the criminal online marketplace (COM) — has evolved from a niche subculture into a mature, service-driven industry. 

What began as a community trading “original gangster” (OG) social media usernames now underpins large-scale data breaches, extortion campaigns, SIM-swapping, and ransomware targeting governments, enterprises, and individual investors. 

CloudSEK researchers recently analyzed the COM’s evolving tactics, offering insights essential for developing modern, human-centric security strategies.

How the COM Began: From Forums to Fraud

The roots of the COM lie in early and mid-2010s forums such as Dark0de and RaidForums, which offered marketplaces for stolen data, exploits, and illicit services.

In parallel, OGUsers emerged as a hub for buying and selling rare social media handles. 

Over time, OGUsers shifted from simple trading to aggressive social engineering, including manipulation of platform employees to access internal tools and execute high-profile account takeovers.

Groups like LizardSquad exemplified the transition from underground forums to brand-name cybercrime. 

Between 2014 and 2016, LizardSquad used high-impact distributed denial-of-service (DDoS) attacks against gaming networks and corporations, culminating in the Christmas Day 2014 disruption of Xbox Live and PlayStation Network. 

Their operations introduced the “leak-and-brag” culture in which public taunting, media engagement, and spectacle were as important as the attack itself. 

This performance-driven approach directly influenced later groups, including Lapsus$ and ShinyHunters.

The cryptocurrency boom of 2020–2021 further professionalized this ecosystem. Techniques originally developed to steal usernames — such as SIM-swapping and account takeover — were repurposed to drain high-value crypto wallets. 

OG handles became both status symbols and money-laundering instruments, as stolen cryptocurrency was laundered through the purchase and resale of valuable accounts.

How the COM Evolved Into Cybercrime-as-a-Service

Law enforcement operations against Dark0de, RaidForums, and OGUsers, as well as coordinated platform actions by major social media companies, disrupted but did not dismantle the COM. 

Instead, users migrated to Telegram, Discord, and successor forums such as BreachForums and later BreachStars. 

This migration blended OGUsers’ social engineers with RaidForums’ breach-focused hackers, creating hybrid actors with both manipulation skills and technical expertise.

In this phase, cybercrime matured into a modular “as-a-service” supply chain. 

Specialized roles emerged, including callers (vishing operators), texters (smishing), phishing-kit developers, SIM swappers, initial access brokers, doxers, ransomware affiliates, and crypto launderers. 

Few actors control an entire attack chain; instead, they form transactional micro-economies.

This division of labor enables rapid scaling, efficient outsourcing of risk, and constant infrastructure turnover, making traditional indicator-of-compromise–based (IOC-based) defenses (such as static blacklists) increasingly ineffective.

Simultaneously, English-speaking actors began converging with established Russian-language communities on forums like Exploit[.]in. 

This East–West fusion allows ransomware crews to directly contract English-speaking social engineers and SIM-swapping specialists, creating hybrid adversaries with broader reach and more sophisticated toolchains.

Inside the Rise of Scattered Lapsus$ Hunters

By mid-2025, this convergence produced a new coalition: Scattered Lapsus$ Hunters. 

This group combines capabilities associated with Scattered Spider (enterprise social engineering and SIM-swapping), ShinyHunters (large-scale data exfiltration), and Lapsus$ (public extortion and spectacle). 

Scattered Lapsus$ Hunters follow a “log in, not hack in” philosophy. 

They prioritize identity-centric intrusion by impersonating IT and help desk staff, convincing employees to reset credentials, approve MFA prompts, or install remote tools. 

Once inside, they seek high-value data stores, exfiltrate large volumes of records, and leverage public Telegram channels, polls, and taunts to pressure victims into paying. 

Claimed operations include a Salesforce ecosystem breach allegedly involving hundreds of organizations and numerous attacks on global consumer brands.

Although the group publicly announced a supposed retirement in late 2025, this move is widely interpreted as an operational security tactic rather than a genuine shutdown. 

Private extortion and quieter campaigns likely continue under new branding or through affiliated cells.

Why Identity Is the Real Perimeter

The evolution of the COM underscores a central reality: it is often easier to compromise people than systems. 

Social engineering, SIM-swapping, and insider manipulation are now the primary vectors for enterprise compromise, not peripheral threats. 

Traditional, technology-centric defenses may not keep pace with an adversary that treats identity as the true perimeter.

Effective defense demands a shift toward identity-centric and resilience-focused security. 

Organizations should prioritize phishing-resistant multi-factor authentication (such as FIDO2/WebAuthn), harden and closely monitor IT and help desk workflows, and apply strict, time-bound, and auditable access controls to administrative tools. 

Insider-threat programs must account for coercion and social engineering, not just malicious insiders. 

Finally, security operations, legal, and communications teams must be prepared for “leak-and-brag” incidents in which public humiliation and reputational damage are part of the attacker’s strategy.

Organizations that fail to adapt their defenses to this reality will remain prime targets for the next generation of COM-aligned adversaries.

Core Mitigations for Identity-Driven Attacks

To defend against the modern COM-driven cybercrime ecosystem, organizations must adopt a security strategy centered on identity, human behavior, and resilient operations. 

  • Enforce strong identity and MFA by eliminating SMS-based authentication, using phishing-resistant MFA, and applying conditional access to all privileged and remote logins.
  • Secure help-desk workflows with non-spoofable identity checks, strict controls on password/MFA changes, and regular training to recognize vishing and other social-engineering attempts.
  • Adopt zero-trust and insider-risk controls through least privilege, just-in-time admin access, continuous anomaly monitoring, and safe reporting channels for coercion attempts.
  • Strengthen human-focused defenses with realistic phishing/vishing tests, targeted training for high-risk roles, and policies that limit oversharing and doxing exposure.
  • Harden cloud, SaaS, and telecom environments by enabling full security logging, auditing third-party/OAuth access, monitoring for SIM-swap indicators, and enforcing strong SSO and identity-provider protections.
  • Improve detection, response, and resilience using UEBA analytics, DLP and egress controls, rehearsed extortion-focused IR playbooks, strict vendor requirements, data minimization, and resilient offline backups.
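The help-desk and detection bullets above describe a chain that can be expressed as a concrete rule over identity-provider audit logs: a help-desk MFA reset that was not preceded by an out-of-band verification step, followed by a login from a device the user has never used, followed by a bulk data export. The Python below is an added illustration written for this article, not code from CloudSEK or from any identity vendor; the event names (`helpdesk.verify.callback`, `helpdesk.mfa_reset`, `login.success`, `data.export`), the field names, the time windows and the sample events are all constructed assumptions and would need to be mapped onto whatever a real IdP or SaaS platform actually logs.

```python
"""Detect the help-desk-initiated account-takeover chain described in the article.

All event names, field names, windows and sample data are constructed for this
example and are assumptions, not a real vendor's log schema.
"""
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(minutes=60)   # help-desk reset -> new-device login
EXPORT_WINDOW = timedelta(minutes=60)  # new-device login -> bulk export
VERIFY_WINDOW = timedelta(minutes=15)  # out-of-band verification must precede a reset
EXPORT_THRESHOLD = 10_000              # records in one export that count as "bulk"

# Constructed sample audit events (not from any real tenant).
SAMPLE_EVENTS = [
    # alice: reset done after a callback to her registered number; no new device, no export
    {"ts": "2025-11-17T09:00:00", "user": "alice", "event": "helpdesk.verify.callback", "actor": "hd-17"},
    {"ts": "2025-11-17T09:02:00", "user": "alice", "event": "helpdesk.mfa_reset", "actor": "hd-17"},
    {"ts": "2025-11-17T09:30:00", "user": "alice", "event": "login.success", "new_device": False},
    # bob: reset with no verification, then new device, then a large export
    {"ts": "2025-11-17T10:05:00", "user": "bob", "event": "helpdesk.mfa_reset", "actor": "hd-42"},
    {"ts": "2025-11-17T10:09:00", "user": "bob", "event": "login.success", "new_device": True},
    {"ts": "2025-11-17T10:31:00", "user": "bob", "event": "data.export", "records": 250_000},
    # carol: a large export with no preceding reset (e.g. a scheduled job)
    {"ts": "2025-11-17T11:00:00", "user": "carol", "event": "data.export", "records": 300_000},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _by_user(events):
    """Group events by user, each group sorted chronologically."""
    grouped = {}
    for e in sorted(events, key=_ts):
        grouped.setdefault(e["user"], []).append(e)
    return grouped


def unverified_resets(events):
    """Help-desk MFA resets with no out-of-band verification by the same agent,
    for the same user, within VERIFY_WINDOW before the reset."""
    findings = []
    for user, evs in _by_user(events).items():
        for e in evs:
            if e["event"] != "helpdesk.mfa_reset":
                continue
            verified = any(
                v["event"] == "helpdesk.verify.callback"
                and v.get("actor") == e.get("actor")
                and timedelta(0) <= _ts(e) - _ts(v) <= VERIFY_WINDOW
                for v in evs
            )
            if not verified:
                findings.append({"user": user, "actor": e.get("actor"), "reset_at": e["ts"]})
    return findings


def detect_takeover_chains(events):
    """Reset -> new-device login -> bulk export, each step inside its window."""
    alerts = []
    for user, evs in _by_user(events).items():
        resets = [e for e in evs if e["event"] == "helpdesk.mfa_reset"]
        logins = [e for e in evs if e["event"] == "login.success" and e.get("new_device")]
        exports = [e for e in evs
                   if e["event"] == "data.export" and e.get("records", 0) >= EXPORT_THRESHOLD]
        for r in resets:
            for login in logins:
                if not (timedelta(0) <= _ts(login) - _ts(r) <= RESET_WINDOW):
                    continue
                for x in exports:
                    if timedelta(0) <= _ts(x) - _ts(login) <= EXPORT_WINDOW:
                        alerts.append({"user": user, "reset_at": r["ts"],
                                       "login_at": login["ts"], "export_at": x["ts"],
                                       "records": x["records"]})
    return alerts


if __name__ == "__main__":
    for f in unverified_resets(SAMPLE_EVENTS):
        print("unverified help-desk reset:", f)
    for a in detect_takeover_chains(SAMPLE_EVENTS):
        print("takeover chain:", a)
```

Against the constructed sample, only `bob` trips both rules: his reset had no logged verification, and the new-device login and 250,000-record export followed within the windows. `alice` is silent because the callback preceded her reset and no new device appeared, and `carol`'s export alone does not match because the chain requires the help-desk reset first. The two rules are deliberately separate: an unverified reset is a help-desk process failure worth fixing even when no takeover follows, and the full chain is the high-confidence alert that should page the responder.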

By implementing these controls, organizations can limit the reach and impact of the social engineering and identity-driven attacks used by COM threat actors.

The rise of the COM from small forums to a global cybercrime ecosystem underscores the shift toward human-focused attacks that exploit identity, trust, and operational gaps. 

Organizations that prioritize identity-first security and invest in cyber resilience — through strong human, technical, and operational defenses — will be positioned to combat emerging threats.

To counter these identity-driven attacks, organizations should use zero-trust as part of their modern defense.
