The Com Isn't a Hacker Group. It's a Generation.

They started by stealing usernames. They ended up classified as terrorists. The Com — short for Community — is not a cybercrime gang you can arrest your way out of. It is a subculture, a social ecosystem, and by the time you finish reading this, it has already recruited someone new.

On February 27, 2026, Europol announced the first operational results of Project Compass — 30 arrests, 179 suspects identified, and 62 victims catalogued across a coordinated international operation spanning 28 countries. On the surface, it reads like a win. But to understand why those numbers represent only the outer edge of the problem, you have to understand what The Com actually is — where it came from, how it operates, and why it has proven so difficult to permanently disrupt.

This is not a story about nation-state hackers or sophisticated zero-days. It is a story about teenagers on Discord who figured out that the weakest link in any network is the human being answering the phone.

From Username Trading to Full-Spectrum Crime

The roots of The Com trace back to the early and mid-2010s, when English-speaking cybercriminals began clustering in public and semi-private forums. One of the earliest influential hubs was Dark0de, a notorious English-language hacking forum where members traded stolen data and illicit tools. When law enforcement took it down in 2015, the community scattered — and reassembled on RaidForums and OGUsers.

OGUsers deserves more attention than it typically gets in post-mortems on this threat. The forum was initially built around something that sounds almost trivial: trading rare, short social media handles — the so-called "OG" (original gangster) usernames that carried status in online communities. But the methods required to steal those handles — SIM swapping, social engineering telecom employees, impersonating account holders — turned out to be the precise skill set needed to drain cryptocurrency wallets, bypass two-factor authentication, and later, compromise corporate help desks. The community that built itself around username theft was, without fully realizing it, training a generation of social engineers.

CloudSEK's January 2026 anatomy of The Com traces the ecosystem's roots to those early English-language forums where reputation was currency and social engineering was the path to both. The skills built trading handles became the skills that built ransomware operations. — CloudSEK Research (January 2026)

When those forums collapsed under law enforcement pressure — RaidForums was seized in 2022, OGUsers faced repeated law enforcement and hacking disruptions — the community did not dissolve. It decentralized. Members migrated to Telegram, Discord, invite-only encrypted channels, and successor forums like BreachForums. The techniques they had honed for stealing usernames merged with the more technically sophisticated breach capabilities of the RaidForums crowd, creating what researchers now describe as a hybrid threat: actors fluent in both psychological manipulation and network intrusion.

That migration effect is why The Com is so hard to uproot. There is no central server to seize. There is no headquarters to raid. The network lives wherever its members happen to be talking — and they are always talking somewhere. BreachForums itself cycled through multiple seizures, honeypots, and resurrections across 2023–2025, with the most recent iteration taken offline in October 2025 by a joint US-French operation — only for ShinyHunters to publicly declare the seizure had "no impact" on their ongoing operations and schedule a new data leak within hours of the announcement.

Where 764 Came From: One Bullied Kid in a Bedroom in Texas

To understand how The Com's most violent wing got started, you need to understand one specific origin story — because it tells you something important about both the threat and the people being drawn into it.

In 2020, a 15-year-old school dropout named Bradley Chance Cadenhead was living in Stephenville, Texas. Cadenhead had been fascinated with violent and graphic online content since age ten. At thirteen he was placed in juvenile detention after threatening to shoot up his school. He dropped out at fifteen and, by his own account to probation officers, stopped caring about anything. He withdrew to his room. And from that room, he built one of the most extensively documented child exploitation networks in FBI history.

764 was named after the first three digits of Stephenville's ZIP codes — 76401 and 76402. Cadenhead learned his methods from a precursor sextortion network called CVLT, which had been coercing children into producing explicit material. 764 expanded on those methods systematically, adding self-harm coercion, animal cruelty demands, and sibling abuse as escalating control mechanisms. Cadenhead described himself as a "cult leader." His followers called him a "god."

He was arrested in August 2021 after investigators traced a CSAM upload on Discord back to his mother's apartment. On his laptop they found exploitation material alongside images of children who had carved phrases into their own bodies under coercion. In March 2023, he pleaded guilty to possession with intent to promote child pornography. An Erath County judge sentenced Cadenhead to 80 years in state prison, citing his self-described status as a cult leader. The prosecutor summarized the evidence to the court: children had been coerced into mutilating themselves, carving Cadenhead's screen name into their bodies, and harming animals — with one video showing a 13-year-old girl cutting herself daily in what participants called "cut shows." The sentencing record remains one of the most disturbing in the history of US federal child exploitation prosecutions.

His arrest did not end the network. It fragmented it. Offshoots including Harm Nation, CVLTIST, Court, Kaskar, Leak Society, Slit Town, and H3ll emerged from the wreckage, all sharing 764's aesthetics, methods, and victim targeting. The FBI now estimates thousands of children have been targeted by 764 and its successor networks, with the agency reporting more than 350 active 764-related investigations by December 2025 — up from approximately 250 in May 2025 — spanning all 56 field offices nationwide. The National Center for Missing and Exploited Children reported it was on track to receive nearly 2,000 reports tied to 764 or similar networks in 2025 alone. Canada formally designated 764 as a terrorist organization on December 10, 2025 — the first nation to do so. The US Department of Justice classifies it as a nihilistic violent extremist network and the FBI considers it a Tier One investigative matter — the same classification applied to ISIS. Researchers at the University of Nebraska Omaha's National Counterterrorism Innovation, Technology, and Education Center documented a 350% increase in US federal indictments connected to 764 in 2025 compared to 2024 — over half of all 764 federal indictments in US history were filed in a single year.

The question of how a teenager in rural Texas built a global child exploitation network from Discord is one that much coverage elides. The answer is partly about Discord's moderation architecture — Cadenhead's accounts were typically banned within about a day, but he created new ones immediately, and Discord's system at the time relied primarily on user reports rather than proactive detection. It is also about the void he was filling: online communities where isolated, distressed, or simply bored young people could find belonging, status, and a shared identity — however dark. After Cadenhead's arrest, a Romanian national known as "Riley" took over as network leader, expanding 764's reach before his own 2023 conviction. Then Nepal and Varagiannis stepped in — a pattern of leadership succession that illustrates how resilient a leaderless structure can be even when leaders are removed.

The ideological substrate of 764 also deserves more direct examination than it typically receives. 764's core worldview is rooted in nihilism and misanthropy — a genuine rejection of the value of human life rather than any organized political ideology. But the network draws heavily on the aesthetics and symbolic vocabulary of the Order of Nine Angles (O9A), a neo-Nazi Satanist movement that has circulated since the 1970s and whose writings advocate accelerationism, human transgression, and social collapse as spiritual ends. According to the ADL, 764's use of O9A material is driven more by its visual and symbolic shock value than by genuine ideological alignment — but the effect is similar: members are immersed in a framework that normalizes violence and frames it as status-generating. O9A symbolism, texts from the Haters Handbook circulated by the Maniac Murder Cult, and visual material from Tempel ov Blood are all in active circulation in 764-linked channels. This is not background noise. It is a recruitment and retention tool — content that socializes new members into an aesthetic of transgression before they even understand what they have walked into. Understanding this dimension is essential to designing counter-messaging and prevention programs that can actually reach the demographic before it becomes embedded.

How The Com Actually Works

Law enforcement agencies including the FBI and Europol now formally categorize The Com into three primary operational branches. Understanding these branches is essential to understanding why The Com generates such a broad range of harm.

Hacker Com is the technical wing. Members here focus on large-scale cyberattacks, data theft, ransomware deployment, and cryptocurrency fraud. According to the FBI, notoriety and perceived status within Hacker Com groups are derived from a member's skill sets and account balances. This branch is directly linked to some of the most damaging ransomware campaigns of the past three years and is affiliated with ransomware organizations operating at scale.

IRL (In Real Life) Com is where the story gets darker and stranger. This branch evolved out of SIM swapping disputes — when online conflicts between members escalated to physical retaliation. It now operates as something closer to a violence-as-a-service marketplace. Documented price lists have been found advertising shootings, kidnappings, armed robbery, stabbings, physical assaults, and property destruction. Groups recruit local attackers through social media to carry out these acts for payment. This is not a rumor or a researcher's inference — it is documented activity that law enforcement has actively investigated across multiple jurisdictions.

Extortion Com is the wing Europol describes in the most disturbing terms. This branch specifically targets minors, using sextortion, blackmail, doxxing, and coercion to collect child sexual abuse material and perpetuate cycles of exploitation. Multiple leaders of The Com's affiliated subgroups have been identified as members of 764, a violent extremist offshoot that coerces vulnerable children into producing self-harm and exploitation material.

What makes The Com structurally resilient is exactly what makes it hard to prosecute. Memberships are fluid, motivations are diverse — financial gain, notoriety, and ideological satisfaction all coexist — and the age range spans from 11 to 25. There is no single leader to flip, no organizational chart to dismantle. The network self-assembles around shared platforms and shared culture.

The Radicalization Pipeline Nobody Wants to Talk About

There is a question most coverage of The Com sidesteps entirely: how does a child get from Roblox to producing exploitation material? The answer is not a sudden leap. It is a pipeline — and it works because it exploits vulnerability rather than ignorance.

Researchers describe The Com's recruitment mechanism as resembling cults or street gangs. Older community members identify potential targets — typically young people already online in spaces associated with gaming, anime culture, mental health communities, and self-harm forums. The Institute for Strategic Dialogue found that 764 group members specifically sought out victims through online communities focused on mental health disorders, gaming, and "e-girl" subculture — a TikTok-origin trend combining gothic and anime aesthetics. They go where vulnerable kids already feel safe.

The initial contact looks like friendship. The target is flattered, included, given status. Escalation happens gradually — a request to share something minor, then something more, then leverage obtained, then coercion. The National Center for Missing and Exploited Children documented one case in which a girl was forced to carve a group member's username into her skin until the bathwater turned red — and when asked by her mother, told her abuser "I love you." That is not ignorance. That is the result of months of psychological manipulation sophisticated enough to constitute full grooming.

The NCA's psychological profile of Com network members describes them as typically young men motivated by "status, power, control, misogyny, sexual gratification, or an obsession with extreme or violent material." NCA Director General Graeme Biggar's March 2025 statement emphasized that the emergence of these groups was driving some younger individuals toward a dangerous propensity for extreme violence. The ideology is not imported from a political tradition — it is grown inside the network itself, through competitive escalation and the normalization of increasingly extreme content.

This matters for defenders because it reframes who the victim population actually is. The corporate organizations breached by Scattered Spider and their affiliates are one category of victim. But tens of thousands of children, disproportionately girls and disproportionately already vulnerable before first contact, are the other category — and they receive almost none of the security investment directed at enterprise targets.

The Attacks You Heard About — and the Method Behind Them

If you followed cybersecurity news between 2023 and 2025, you have seen The Com's fingerprints without necessarily knowing it. The September 2023 casino breaches that disrupted MGM Resorts and Caesars Entertainment for weeks, costing MGM alone an estimated $100 million in recovery costs — those were Scattered Spider, a Com-affiliated group. The April 2025 ransomware attacks that simultaneously hit Marks and Spencer, Co-op, and Harrods in the United Kingdom — also Com-affiliated activity.

The 2025 campaign went significantly further than most reporting captured. By Q2 2025, Scattered Spider had expanded from retail and insurance into the aviation sector, with confirmed incidents at Hawaiian Airlines, WestJet, and Qantas attributed to the group. The FBI issued a dedicated flash alert warning that the aviation industry was an active target. Silent Push documented Scattered Spider targets in 2025 including Chick-fil-A, Forbes, Louis Vuitton, Morningstar, Nike, X, T-Mobile, and Vodafone — a breadth that illustrates how systematically the group cycles through industry sectors. By the middle of 2025, Scattered Spider had also formally partnered with DragonForce, a Russian ransomware-as-a-service operation, combining social engineering entry with industrial-scale ransomware deployment in hybrid cloud and on-premises environments.

Meanwhile, the broader Com ecosystem was consolidating into a new alliance. In June and July 2025, a coordinated wave of Salesforce CRM data thefts hit scores of major organizations — including Google, Adidas, Cartier, Chanel, Cisco, FedEx, IKEA, and McDonald's — through a combination of vishing, OAuth abuse, and credential harvesting. The group claiming responsibility called itself Scattered LAPSUS$ Hunters (SLH), publicly framing itself as a merger of ShinyHunters, Scattered Spider, and LAPSUS$. In October 2025 SLH issued a ransom demand directly to Salesforce itself and threatened to release one billion records stolen from Salesforce customers — a threat delivered even as BreachForums, the platform they had been using as a leak site, was seized by US and French law enforcement that same day.

None of these attacks started with a sophisticated software exploit. They started with a phone call.

According to cybersecurity analysis following the Project Compass announcement, none of the attacks attributed to these groups originated from endpoint exploits or network vulnerabilities. The groups have deployed AI-driven voice agents to automate vishing at scale, and actively recruit women for voice phishing campaigns, reportedly paying up to $1,000 per call. — DEV Community / Cybersecurity Analysis (February 2026)

The consistent playbook across Com-affiliated attacks follows a recognizable pattern: identify a target organization, locate an employee or contractor with access, place a vishing call impersonating IT support or a vendor, extract credentials or MFA codes in real time, and use that initial access to move laterally toward high-value data or ransomware deployment. Help desk procedures — specifically, the process for resetting credentials and MFA devices — are the primary attack surface.

In one documented 2025 incident, Scattered Spider operators impersonated a CFO in a call to the target company's IT help desk, leveraging reconnaissance data — including the CFO's date of birth and last four digits of their Social Security Number — to pass verification. Once authenticated, they escalated to breach the VPN, reinstate decommissioned virtual machines, extract the NTDS.dit Active Directory database, open a CyberArk password vault containing over 1,400 secrets, and ultimately detonate ransomware across the environment. The entire sequence from initial call to ransomware deployment was measured in hours.

Once inside a network, operators focus on specific indicators: OAuth application registrations from new principals, remote management tool installations (ScreenConnect, TeamViewer, Splashtop), modifications to mail transport rules, Active Directory database access, and bulk data access patterns following credential reset events. These are not the fingerprints of unsophisticated teenagers. These are deliberate, practiced tradecraft refined across hundreds of intrusions.

Why Europol's Counter-Terrorism Unit Owns This Case

Here is the detail that most coverage glosses over: Project Compass is not run by Europol's cybercrime division. It is coordinated by the European Counter Terrorism Centre — the same unit that handles jihadist networks, right-wing extremist cells, and organized political violence.

That classification is deliberate, and it tells you something important about where The Com sits in the threat landscape. This is not purely a cybercrime problem. It is a violent extremism problem that happens to use cyber tools as its primary delivery mechanism.

The UK's National Crime Agency 2025 National Strategic Assessment identified Com networks as one of the defining emerging threats in the current landscape, with known UK reports of Com-related incidents increasing sixfold between 2022 and 2024. NCA Director General Graeme Biggar did not hedge his language in his public statement: young people were being drawn into these networks and collaborating at scale to inflict or incite serious harm — and these groups were not lurking on the dark web but operating on the same platforms young people use every day. The NCA's assessment concluded that the emergence of these groups was almost certainly causing some individuals, especially younger people, to develop a dangerous propensity for extreme violence.

The Com sits squarely at the intersection of cybercrime and radicalization. Subgroups like 764 — whose alleged leaders Leonidas Varagiannis and Prasan Nepal were arrested in April 2025 and charged with operating an international child exploitation ring, now facing potential life sentences — operate with the structure and ideological coherence of extremist organizations, not simply opportunistic criminal gangs. Additional 764 members Tony Christopher Long and Alexis Aldair Chavez both pleaded guilty in late 2025 to multiple charges tied to the network.

The arrests accelerated sharply in 2025. The University of Nebraska Omaha's NCITE research center documented that more than half of all US federal 764 indictments in history were filed in 2025 alone — a 350% increase compared to 2024. US Attorney General Pam Bondi described the network in April 2025 as one of the most heinous online child exploitation enterprises federal prosecutors had ever encountered. And yet, while Canada designated 764 as a terrorist entity under its Criminal Code on December 10, 2025, the United States has not made an equivalent formal designation. Researchers and former counterterrorism officials writing in venues including The Cipher Brief and Homeland Security Today have argued this gap has direct operational consequences: without a formal terrorist designation, US prosecutors are limited to charging individuals for specific criminal acts rather than for membership and material support, making network-level prosecution significantly harder. Canada's intelligence service reported in late 2025 that nearly one in ten of their active terrorism investigations now involves a subject under the age of 18. The US has no equivalent published statistic — which may itself reflect the absence of a framework that would generate one.

The Com has documented connections to violent skinhead networks active in Russia and Ukraine, and its offshoots No Lives Matter, Maniacs Murder Cult, and Satanic Front are classified by researchers as violent extremist organizations operating within the broader Com umbrella. These groups communicate through the same platforms — Discord, Telegram, gaming servers — that the Hacker Com wing uses for coordinating ransomware campaigns. The ecosystem is unified by culture, not by formal organizational structure.

Anna Sjöberg, head of Europol's European Counter Terrorism Centre, stated that these networks deliberately target children in digital spaces where they feel safe — and that Project Compass allows earlier intervention, victim protection, and disruption of those who exploit vulnerability for extremist ends. No country, she emphasized, can address this threat alone. — Europol (February 2026)

The Geography Nobody Tracks: 764 Goes Global

Coverage of The Com tends to center on the US and UK, where the highest-profile arrests and the loudest law enforcement warnings have originated. But the geographic scope of 764 and its offshoots has expanded significantly in ways that receive less attention — and that expansion carries specific implications for how the threat develops from here.

Sweden has seen multiple confirmed 764-linked prosecutions and investigations since 2024. In one documented case, a 14-year-old identified online as "Slain764" — who ran a Swedish chapter of No Lives Matter/764 known locally as "Mordwaffen" — was convicted in May 2025 by a Swedish court for stabbing a 55-year-old woman in Borås. Separately, a January 2025 knife attack on a woman in Stockholm was linked to 764 and uploaded to a 764 account by the attacker. Norway has at least one active court case linked to the network. Germany made a significant arrest in June 2025, when Hamburg authorities detained a 20-year-old German-Iranian man identified as a leading 764 figure known as "White Tiger," accused of over 120 offenses including murder and multiple attempted murders. Brazil has seen two separate major enforcement actions: the Federal Police's "Discórdia" operation in January 2024 arrested teenage 764 leaders in two states, and in May 2025 Brazilian police broke up a 764-aligned group that had been plotting to attack a Lady Gaga concert in Rio de Janeiro using explosives and Molotov cocktails — with one member additionally charged for livestreaming the arson of a homeless man. Researchers at the Institute for Strategic Dialogue documented 191 arrests across 28 countries between 2020 and 2025 connected to 764 or affiliated groups — and noted that 2025 marked a shift toward offline violence as an entry requirement within certain subgroups, not merely a consequence of online activity. The RCMP has confirmed active investigations across multiple Canadian provinces. Finland's National Bureau of Investigation announced multiple arrests of locally affiliated nihilistic violence network members in November 2025, believed to have victimized dozens of children — and Finnish police separately investigated whether two teen suicides in Jätkäsaari were linked to 764. The Global Network on Extremism and Technology's January 2026 analysis of the Nordic cases notes that the network's culture and methods are easily replicated — a teenager needs little more than a smartphone, access to Discord and Telegram, and an invitation link to be drawn in.

There is also a dimension to 764's expansion that has received almost no mainstream attention: the victim-as-accomplice dynamic. In Vernon, Connecticut, a student was manipulated into befriending a 764 member online, coerced into sharing explicit material, and then leveraged into providing information about a teacher — information used to send bomb and mass shooting threats. Police initially considered her a suspect before recognizing her as a victim. This pattern, where groomed victims become unwilling instruments of the network's harassment campaigns, is documented across multiple jurisdictions and creates serious complications for law enforcement. Victims who have been coerced into criminal acts are often reluctant to report, fearing prosecution themselves. This is not an edge case. It is a deliberate feature of the exploitation model — leverage that compounds over time and makes exiting the network psychologically and legally terrifying. The legal frameworks for addressing that dual status are largely absent from existing criminal codes in most jurisdictions.

The economic dimension also deserves more direct treatment than it typically receives. Research by Allison Nixon and Unit 221B traces a critical inflection point to 2018, when Bitcoin's value surge transformed the financial calculus for young people considering The Com as an entry point. The pitch to a teenager with limited economic prospects is not ideological — it is economic. Criminal fraud offers returns that no legitimate entry-level job can match, and the cultural status markers inside The Com reinforce continued participation. Understanding this does not excuse participation; it explains why law enforcement pressure alone is structurally insufficient. The pipeline has an economic on-ramp that prosecution cannot close.

The Platform Problem

Every account of The Com's operations names the same platforms: Discord, Telegram, Roblox, Minecraft, TikTok, Instagram, Snapchat, Reddit. These are not dark web venues. They are the mainstream infrastructure of youth internet culture. And the question that almost never gets asked directly is: what responsibility do these platforms bear, and what have they actually done about it?

The answer is uncomfortable. Bradley Cadenhead's Discord accounts were banned within roughly a day of creation — but he created new ones continuously for months before his arrest, and Discord's system relied primarily on user reports rather than the kind of proactive behavioral detection that would have identified his pattern earlier. The NCA's 2025 assessment explicitly called on tech companies to "play their part" — which suggests that in 2025, they still were not playing enough of one.

In the UK, the Online Safety Act is the primary legislative vehicle for forcing platforms to act on content that causes harm to children. Following the NCA's March 2025 warning specifically naming Com networks, children's safety advocates pointed out that the regulator Ofcom had not introduced a single targeted measure to address the specific pattern of grooming-into-violence that Com networks use. Critics specifically cited a "glaring gap" in Ofcom's regulatory regime around suicide and self-harm coercion offenses — the exact mechanism 764 and related groups use against victims.

The structural reality is that platforms face a genuine enforcement paradox. The Com does not operate in dedicated criminal spaces — it operates in the same channels where millions of ordinary teenagers talk about games and music. A Telegram group advertising violence-for-hire sits algorithmically adjacent to groups discussing anime. A Discord server where grooming happens was, weeks earlier, a server where kids played Minecraft. Blanket content moderation sweeps either catch too little (leaving the harm intact) or too much (chilling legitimate communities and driving bad actors further into encryption). Neither outcome is acceptable at scale, and neither is free.

What would actually work is a different model: behavioral pattern detection trained specifically on escalation sequences rather than keyword matching, mandatory reporting obligations with teeth attached to non-compliance, and cross-platform identity flagging that survives the account-ban-and-recreate cycle that currently makes enforcement nearly pointless. These are technically feasible. They are commercially inconvenient. That tension is where the policy debate actually lives — and it is largely absent from public discourse about The Com.

The Designation Gap: Why the US Hasn't Called This Terrorism

Canada designated 764 as a terrorist entity under its Criminal Code on December 10, 2025. The US has not done so. That gap is not a technicality — it has direct operational and prosecutorial consequences, and almost no mainstream cybersecurity coverage has addressed it directly.

Under current US law, federal prosecutors can charge 764 members for specific criminal acts: possession or production of child sexual abuse material, coercion, extortion, computer fraud, and conspiracy. These are serious charges with serious sentences. But they treat each actor as an individual criminal, not as a participant in a designated terrorist enterprise. The difference matters because material support statutes and terrorist designation frameworks allow prosecutors to charge people for supporting, funding, or belonging to a designated organization — even when they have not personally committed a specific crime. Applied to 764, that tool would reach recruiters, administrators of distribution channels, and members who share material without being direct perpetrators of contact offenses. Without the designation, those actors are frequently unchargeable.

Former State Department counterterrorism officials and academic researchers have written explicitly about this gap. A January 2026 analysis in The Cipher Brief by a former Director of Countering Violent Extremism at the State Department argued that Canada had made the right call, that the FBI's own Tier One classification of 764 is functionally equivalent to calling it terrorism, and that the legal architecture simply had not caught up. The NCITE research center at the University of Nebraska Omaha similarly noted that existing US law creates charges applicable to individual offenders while leaving the network infrastructure largely untouched by prosecution. Their December 2025 report documented 157 federal charges across 764, CVLT, and Greggy's Cult defendants in US history — a figure that sounds large until you consider that the FBI was simultaneously running more than 350 active investigations.

The designation question is also politically complicated in ways that rarely surface in coverage. 764 was founded by an American teenager. Its early network was largely domestic. A formal terrorist designation of a group with American origins and predominantly American members raises different questions than designating, say, a foreign-based jihadist network — particularly in a political environment where domestic terrorism legislation has become a partisan battleground. None of that complexity changes the operational reality that the US currently has a Tier One threat classified as terrorism by the FBI and by Canada, running 350+ active investigations, with no equivalent legal designation that would enable network-level prosecution. That is a policy gap with documented consequences.

What Happens to the Victims After Identification

Europol's February 2026 Project Compass announcement stated that 62 victims had been identified and four had been "safeguarded." Europol did not define what "safeguarded" means operationally. It did not describe what happens to the other 58 identified victims. It did not address victim support infrastructure, access to trauma-informed therapy, or whether any of those victims had been coerced into criminal acts themselves. That silence is a structural problem — and it is almost never discussed in coverage of Com enforcement operations.

The victim population in 764-linked cases is not a uniform group of passive targets. Some were coerced once and escaped. Others were subjected to months or years of systematic psychological manipulation before law enforcement identified them. Some were leveraged into committing acts against other victims — making bomb threats, producing material, providing information used in harassment campaigns — before anyone recognized them as victims at all. The Vernon, Connecticut case documented in this article is one example. There are dozens of similar cases in court records across the US, UK, Canada, Sweden, and Germany.

The legal frameworks for these individuals are largely inadequate in almost every jurisdiction where 764 has operated. Prosecutors face a genuine ambiguity: a person who was coerced into distributing CSAM may still technically be a distributor of CSAM under existing law. A teenager who was manipulated into making bomb threats may still face terrorism-related charges depending on jurisdiction. The absence of formal coercion-as-mitigation pathways — legal frameworks that explicitly allow prosecutors to divert coerced participants into treatment rather than prosecution — means that many of these individuals face an impossible choice: come forward and risk prosecution, or stay silent and remain under the network's control. Many choose silence. And silence means they never become the witnesses and intelligence sources that law enforcement needs to dismantle the network more completely.

Project Compass should be evaluated not just by arrest counts but by whether it develops an answer to this question. "Safeguarded" is not a defined outcome. It is a word in a press release. What comes after identification — therapy, legal protection, diversion, reintegration — is the part of the response that currently barely exists. That is a gap not in enforcement capacity, but in political will and cross-sector coordination.

Project Compass: 30 Arrests, 179 Named, and a Long Road Ahead

Project Compass launched in January 2025 with a coalition that represents an unusual level of international coordination: all Five Eyes nations (the US, UK, Canada, Australia, and New Zealand), EU member states, Norway, and Switzerland. US participants include the FBI and Homeland Security Investigations. UK participants include Counter Terrorism Policing and the National Crime Agency. The operation is led by Europol's European Counter Terrorism Centre, reflecting the dual cybercrime-extremism classification.

After twelve months of operation, Europol's first reported results include 30 arrests, 179 perpetrators fully or partially identified, 62 victims identified, and 4 victims directly safeguarded. The operation also conducted nine joint awareness initiatives and established what Europol describes as a structured intelligence-sharing framework using coordinated data sprints — sessions where officers from partner nations consolidate intelligence on active cases in real time.

Those numbers are meaningful. But they need context. The National Crime Agency reported that Com-related incidents in the UK increased sixfold between 2022 and 2024. The network continued recruiting and operating actively throughout 2025 even as arrests mounted. Scattered Spider, arguably the most technically capable Com-affiliated group, pivoted through retail, insurance, aviation, and CRM platforms in 2025 in a sustained campaign that showed no operational slowdown despite the losses.

Some of those losses, however, were real. On July 10, 2025, the UK National Crime Agency arrested four individuals — two 19-year-old men, a 17-year-old man, and a 20-year-old woman — in London, the West Midlands, and Latvia, on charges including Computer Misuse Act offenses, blackmail, and money laundering tied to the April 2025 attacks on Marks & Spencer, Co-op, and Harrods. In September 2025, the US Department of Justice unsealed charges against Thalha Jubair, a UK national alleged to have participated in at least 120 cyberattacks as part of Scattered Spider's extortion scheme — with victims collectively paying at least $115 million in ransoms — alongside a second UK teenager, Tyler Flowers, charged in connection with attacks on US healthcare companies. Allison Nixon, chief research officer at Unit 221B, whose decade-long tracking of The Com has been instrumental in multiple arrests, responded to the Jubair and Flowers charges with a statement describing both defendants as representative of a wider pattern in The Com: members who pursue criminal notoriety on a scale large enough to make them famous for the harm they cause. In August 2025, convicted Scattered Spider member Noah Michael Urban — known online as "Sosa" — was sentenced to 10 years in federal prison and ordered to pay approximately $13 million in restitution.

Nixon has characterized The Com as a "bottom-up social phenomenon" — a borderless, grassroots movement where status is correlated directly with the capacity to cause harm. Her research at Unit 221B, which includes a searchable archive of scraped Telegram and Discord channels going back years, has become a primary intelligence source for law enforcement across multiple jurisdictions. Nixon's analysis traces a key inflection point to 2018, when Bitcoin's price surge transformed the criminal underground from a community of petty thieves into one where a teenager could theoretically earn more in a week than in a year at an entry-level job. That economic calculation, she argues, is a structural recruitment driver that arrests alone cannot address. On the Project Compass results, Nixon offered a measured assessment to CyberScoop: the early numbers and the sustained international effort represent what progress actually looks like against a network of this scale, and expectations need to be realistic.

The architecture of The Com makes traditional disruption strategies significantly less effective. When law enforcement took down RaidForums in 2022, the community migrated to BreachForums within weeks. BreachForums itself became a case study in the limits of forum seizure: it was taken down, resurrected, taken down again, resurrected again, and in August 2025 was reportedly converted into a law enforcement honeypot — with ShinyHunters warning their own user base that the site had been compromised and all activity was being logged. US and French authorities formally seized the domain in October 2025, with the Scattered LAPSUS$ Hunters operators responding by publishing a list of 39 victim organizations and demanding ransom from Salesforce directly — a threat delivered even as the domain was being seized. Each disruption fragments the ecosystem rather than dismantling it. The decentralized model is not an accident — it is the feature that has kept this network functional across a decade of law enforcement pressure.

That resilience continued into early 2026. According to reporting by KrebsOnSecurity in January 2026, Scattered LAPSUS$ Hunters — already operating through their seventh Telegram channel — were pursuing a new supply chain attack vector through Gainsight applications connected to Salesforce, recruiting insiders from retail, hospitality, and technology organizations, and offering $25,000 for access to corporate networks. Mandiant confirmed in January 2026 that the group was conducting fresh vishing campaigns impersonating IT staff at targeted organizations. The October 2025 domain seizure had not ended operations. It had briefly inconvenienced them.

Project Compass represents a strategic shift from reactive prosecution to proactive intelligence sharing. The goal is less about closing individual cases and more about building sustained pressure across jurisdictions simultaneously — making it harder for actors to simply relocate. Whether that approach can keep pace with a network that recruits continuously through platforms like Discord, Roblox, and music streaming services remains to be seen.

What Defenders Are Actually Up Against

The cybersecurity industry has spent decades building better firewalls, better EDR platforms, better SIEM tools. None of that investment stops a phone call. The Com's primary attack vector — vishing, SIM swapping, and credential harvesting through help desk impersonation — is specifically designed to route around technical defenses entirely. The attack surface is human behavior, and human behavior does not patch.

For organizations trying to defend against Com-affiliated threat actors, the priority list looks different than standard vulnerability management:

• Eliminate SMS-based MFA entirely. SIM swapping is a core Com capability. Any authentication factor that relies on the phone number being in the right person's hands is a liability. Hardware security keys (FIDO2/WebAuthn) bound to physical possession are the standard to reach for. Authenticator apps are better than SMS but still vulnerable to real-time phishing via adversary-in-the-middle proxies.
• Overhaul help desk identity verification — and remove knowledge-based authentication. The initial access vector in virtually every major Com-affiliated breach was a help desk employee processing a credential reset for an attacker. Verification that relies on knowledge-based authentication (mother's maiden name, employee ID, last four of SSN) is explicitly defeated by the reconnaissance Scattered Spider operators routinely conduct from social media, breach databases, and LinkedIn. Non-spoofable, hardware-backed identity checks or in-person verification workflows for high-privilege resets are the only defensible standard. No knowledge-based question survives a motivated attacker who has already read your LinkedIn.
• Train specifically for vishing, not just phishing — and include synthetic voice scenarios. Email-based phishing simulations are useful but incomplete. Organizations should be running voice phishing exercises, including scenarios that involve AI-generated voices mimicking familiar personas. The documented deployment of AI voice agents by Com-affiliated groups means the barrier to a convincing impersonation has dropped dramatically. If your security awareness program doesn't include a scenario where an employee gets a call from a synthetic voice impersonating the CFO, it is not current.
• Monitor for RMM tool installations and OAuth registrations. Remote management tools like ScreenConnect, TeamViewer, and Splashtop are legitimate in many environments, but their installation from new or unusual principals following a credential event is a high-fidelity signal of compromise. Similarly, OAuth application registrations by recently-authenticated principals, especially outside business hours, should trigger immediate review. These are the digital fingerprints of Scattered Spider post-intrusion activity across dozens of documented breaches.
• Apply zero-trust to privileged access — and time-constrain it. Just-in-time admin access, least privilege enforcement, and continuous anomaly monitoring reduce the blast radius when initial access does succeed. Pay particular attention to C-suite accounts, which Scattered Spider deliberately targets because they tend to be over-privileged and their help desk requests are processed with less scrutiny. If your CISO's account has standing administrative rights to your domain controller 24 hours a day, that is an attack surface.
• Audit and restrict your CRM environment. The 2025 Salesforce campaign that hit dozens of global brands exploited the reality that CRM platforms hold vast quantities of customer and business data while sitting at the intersection of legitimate third-party access and social engineering vectors. OAuth token abuse, compromised third-party integrations, and credential reuse are all live attack paths. Organizations should treat their CRM environment with the same security posture they apply to production infrastructure.

The uncomfortable reality for defenders is that the most expensive security stack in the world will not stop an employee from giving away their credentials in a five-minute phone call. The investment in human-layer defenses — awareness training, procedural controls, psychological preparedness — needs to match the investment in technical controls. For many organizations, it currently does not.

What Would Winning Actually Look Like?

This is the question that almost nobody asks — because it forces you to confront how poorly defined success actually is. In counterterrorism, success tends to be measured by the absence of attacks. In cybercrime enforcement, it is measured by arrests and disruptions. Neither metric fits The Com cleanly, and the mismatch matters.

Winning is not thirty more arrests. Thirty arrests have already happened and the threat is fully operational. Winning is not seizing one more forum. BreachForums cycled through at least four iterations in three years and the operators were making ransomware threats from Telegram within hours of the October 2025 seizure. Winning is not better corporate vishing training, though that is necessary. Winning is stopping the pipeline — the one that moves a lonely, distressed, screen-saturated fourteen-year-old from a Roblox lobby into a community of escalating harm within eighteen months.

That requires thinking about solutions that are almost entirely absent from current cybersecurity discourse:

• A US terrorist designation for 764 — and a legal framework built for nihilistic networks. Canada's December 2025 designation gave its law enforcement material support statutes, asset freezing authority, and network-level prosecution tools. The US has none of those for 764. Former counterterrorism officials have argued publicly that the FBI's own Tier One classification already constitutes a functional assessment that 764 is terrorism — but without the legal designation, US prosecutors remain limited to individual criminal charges. Closing that gap would not require new legislation in most cases: the existing domestic terrorism framework could be applied. The political will to apply it to a network with American origins has been the missing ingredient.
• Counter-messaging specifically targeting O9A and nihilistic extremist aesthetics. 764's recruitment mechanism is partly cultural: the network circulates visual material, symbols, and ideology borrowed from the Order of Nine Angles and adjacent neo-Nazi Satanist spaces that function as an aesthetic on-ramp before they function as an ideology. Existing counter-extremism messaging programs are largely built around ideological counter-messaging — pushing back on political claims, offering alternative narratives. That model does not map cleanly onto a recruitment aesthetic that is primarily visual, transgressive, and designed to shock rather than persuade. Building counter-messaging specifically designed for the nihilistic extremism pipeline — working with the same platforms that carry the recruitment material, funded at scale, and designed by people who understand the psychology of the demographic — is almost entirely absent from current counter-extremism investment.
• Upstream prevention programs targeting the demographic before recruitment occurs. Research on gang prevention consistently shows that credible intervention between ages 11 and 14, before full identity formation, is dramatically more effective than prosecution after offense. The Com recruits in exactly that window. Programs that build digital literacy alongside psychological resilience — particularly in boys who are isolated, academically struggling, or drawn to extreme online content — are not being resourced anywhere near the scale of the threat.
• Platform accountability frameworks with actual enforcement teeth. Self-regulation has demonstrably failed. The architecture that allowed Bradley Cadenhead to rebuild his network after each ban is still the architecture Discord operates on. What would change behavior is financial liability attached to measurable outcomes — not fines for policy violations, but civil liability exposure tied to documented harm to minors facilitated on a platform after a pattern of abuse was identifiable. That creates a genuine financial incentive for proactive detection investment.
• Exit and diversion programs specifically designed for low-level Com participants. Many of the teenagers drawn into Com-adjacent activity are not committed offenders — they are participants who got in over their heads, often starting with minor activity and escalating. The UK's Channel program and analogous deradicalization frameworks were built for ideological terrorism. Adapting them for nihilistic youth networks — with appropriate psychological support and without the stigma of formal criminal records for genuine intervention candidates — could intercept a portion of the pipeline before it produces victims or adult offenders.
• Cross-platform persistent identity infrastructure for abuse cases. The account-ban-and-recreate cycle is the single most durable protection The Com's members have on mainstream platforms. The technology to solve it exists — device fingerprinting, behavioral biometrics, shared infrastructure-level ban lists — but it requires platforms to cooperate with each other and accept some privacy tradeoffs that they have historically resisted. Industry consortia or legislatively mandated frameworks for sharing known-bad actor signals across platforms would meaningfully disrupt recruitment operations.
• Legal frameworks for victims who have been coerced into criminal acts. The pattern of 764 and related groups coercing victims into participating in harassment, making threats, and distributing material is documented across at least a dozen countries. These individuals are not accomplices in any meaningful moral sense — they are people whose psychology has been deliberately engineered against them. Prosecutors and legislators in most affected jurisdictions lack a clear legal pathway to treat these cases appropriately. Creating victim-first diversion frameworks that recognize coercion as a mitigating factor is not just humane. It is tactically necessary — victims who fear prosecution are witnesses who never come forward.
• Addressing the economic incentive directly. Allison Nixon's research suggests The Com's recruitment surge in 2018 tracked Bitcoin's price rise — not ideology, not charisma, but money. A 17-year-old being offered more in a week than a minimum wage job pays in a month is facing a financial argument, not just a moral one. Downstream prevention investment — digital skills training, apprenticeship pipelines, credible economic pathways for the demographic that The Com recruits from — is not in the cybersecurity conversation. It should be.
• Honest metrics for law enforcement operations. Project Compass should be evaluated not by arrest counts but by measurable changes in recruitment rates, victim reports, and network operational tempo. If those metrics do not improve across the next two years, that is information that should drive a strategic reassessment — not be buried in a press release about thirty more arrests.

None of these solutions are simple. Several are politically contentious. Some require platforms to accept costs they have spent years avoiding. But the alternative — continuing to treat The Com as a cybercrime enforcement problem when it is actually a social infrastructure problem — has a decade of evidence showing where it leads.

Key Takeaways

1. The Com is a subculture, not a gang. It has no central leadership, no fixed infrastructure, and no single platform. It survives by existing in the spaces where young people already congregate online. Takedowns fragment it; they do not end it.
2. 764's origin story is not a footnote. A bullied teenager built a global child exploitation network from a bedroom in Texas using Discord's user-report moderation architecture. That story explains both the vulnerability being exploited and the platform accountability gap that still has not been closed.
3. The primary attack vector is human, not technical. Phishing, vishing, SIM swapping, and help desk social engineering are the entry points for nearly every high-profile Com-affiliated breach. Technical defenses are necessary but not sufficient. Knowledge-based authentication in 2026 is not a control — it is a liability.
4. The terrorism classification is not rhetorical. Europol's decision to route Project Compass through its counter-terrorism center reflects a genuine assessment that The Com has evolved beyond cybercrime into violent extremism, with documented connections to child exploitation networks, violence-as-a-service operations, and radicalization pipelines. Canada's formal designation of 764 as a terrorist organization on December 10, 2025 is not hyperbole. It is policy based on evidence. The US has not made an equivalent designation — and that gap has direct consequences for the scope of network-level prosecution available to federal prosecutors.
5. Project Compass is a step, not a solution. Thirty arrests across 28 countries represents real operational progress. But with 179 suspects identified and only a fraction arrested, with the network operating through Scattered Spider, SLH, and affiliated groups at scale through 2025 and into 2026, and with recruitment continuing through mainstream platforms, the threat remains fully operational. The Scattered LAPSUS$ Hunters were running fresh vishing campaigns and recruiting corporate insiders in January 2026 — three months after a domain seizure that was supposed to disrupt them.
6. AI is changing the calculus. The deployment of AI-driven voice agents for automated vishing means the barrier to entry for social engineering at scale is dropping. The documented practice of paying up to $1,000 per call to recruit voice actors for targeted campaigns is already being supplemented by synthetic voice systems. Organizations need to adapt their awareness and detection posture now.
7. The platform accountability question is not being asked loudly enough. The Com lives on Discord, Telegram, Roblox, and TikTok because account creation on those platforms is frictionless and bans are trivially circumvented. That is an architectural choice, not an inevitability. And the absence of legislative pressure to change it is a policy failure with documented victims.
8. The threat is genuinely global — and spreading. 764-linked violence has occurred in Sweden, Norway, Brazil, Canada, Australia, and the UK, not just the US. The network copies itself. A teenager needs an invitation link and a Discord account, not a border crossing. Law enforcement frameworks built around national jurisdiction are structurally mismatched to that model.
9. Victims are being weaponized — and nobody has a legal framework for it. The pattern of coercing victims into participating in harassment, bomb threat campaigns, and exploitation of others is documented across multiple jurisdictions. These are not willing accomplices. They are people whose psychology has been engineered against them. The absence of diversion pathways and victim-forward legal frameworks in almost every country where this is occurring is a gap with consequences.

The Com started by stealing usernames. It evolved into ransomware. It fractured into a child exploitation terrorist network. It is now classified as a violent extremist ecosystem across multiple jurisdictions simultaneously. That trajectory is the story of what happens when a subculture built on manipulation and notoriety is given a decade to mature without a coherent societal response. Project Compass is the most coordinated international effort yet to address it — and it is worth noting that even with the UK's July 2025 arrests, Thalha Jubair and Tyler Flowers facing federal charges, Noah Urban sentenced, and BreachForums seized in October 2025, the same network was recruiting corporate insiders and running fresh vishing campaigns in January 2026. Whether any law enforcement operation can be sufficient against a threat that self-assembles in Discord servers and Roblox lobbies and music streaming comments is the question the next twelve months will begin to answer. The answer will depend less on how many people get arrested, and more on whether anyone finally starts treating the platforms, the pipeline, and the economic incentives as the problem — not just the people who exploit them.