CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Global Law Enforcement Disrupts 'The Com' Cybercrime Collective

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors. The group operates with a decentralized structure, making it particularly difficult to disrupt. Europol splits The Com into three distinct groups of activity: cyber activity, offline activity, and extortion/sextortion activity.

Timeline

  1. 27.02.2026 20:20 2 articles · 4d ago

    Europol Identifies 62 Victims and Safeguards Four

    Europol identified 62 victims of 'The Com' and directly safeguarded four of them from the group's attacks. The Com operates openly across social media, messaging apps, online gaming environments, and music streaming services, targeting children and teenagers for extortion, violence, and the production of child sexual exploitation material (CSAM). The group operates with a decentralized structure, making it particularly difficult to disrupt.

    Show sources
    Open in new tab
  2. 27.02.2026 13:00 3 articles · 4d ago

    Project Compass Arrests 30 Members of 'The Com' Cybercrime Collective

    Europol's Project Compass has arrested 30 members of 'The Com,' a cybercrime group responsible for high-profile ransomware attacks and extortion. The operation, involving multiple countries, has also identified 179 perpetrators and safeguarded several victims. The Com's activities include phishing, vishing, SIM swapping, physical violence, and the production of child sexual exploitation material (CSAM), with links to extremist groups. Project Compass is led by Europol's European Counter Terrorism Centre and involves partnerships with law enforcement agencies from 28 countries, including the US, the United Kingdom, Canada, and several European Union (EU) member states.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Global Law Enforcement Disrupts Black Axe Cybercrime Operations

A coordinated international law enforcement operation led by Europol has resulted in the arrest of 34 individuals associated with the Black Axe cybercrime gang. The operation, conducted with the support of the Spanish National Police and the Bavarian State Criminal Police Office, targeted key members of the group across Spain. The arrests and seizures have caused significant disruptions to Black Axe's operations, which include business email compromise (BEC) attacks, romance scams, phishing campaigns, and other forms of online fraud. The group is believed to generate billions annually, with the Spanish branch alone responsible for nearly €5.93 million in damages. Black Axe is a hierarchical criminal group that originated in Nigeria in 1977 and has spread to dozens of countries across the world, with about 30,000 registered members and other affiliates such as money mules and facilitators. The group specialized in man-in-the-middle (MITM) scams, including business email compromise (BEC). The damages caused by the cybercriminals in the last 15 years exceed $6 million, with $3.5 million linked to this operation. Four main suspects have been put into pretrial detention facing charges of aggravated continuous fraud, membership in a criminal organization, money laundering, document forgery, and obstruction of justice. The investigation is ongoing, and more arrests may follow.

Open in new tab

International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.

Open in new tab

Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective

A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate to break into targets through social engineering techniques. Recently, the admin of SLH, Rey, a 16-year-old named Saif Al-Din Khader from Amman, Jordan, has been cooperating with law enforcement since June 2025. Rey has been involved in releasing SLSH's new ShinySp1d3r ransomware-as-a-service offering, which is a rehash of Hellcat ransomware modified with AI tools.

Open in new tab

DragonForce Cartel Ransomware Emerges with Conti-Derived Encryption

DragonForce, a Conti-derived ransomware operation, has evolved into a cartel-like structure, recruiting affiliates and partnering with Scattered Spider for sophisticated attacks. The group exploits vulnerable drivers to deactivate security programs and has intensified its operations, publishing details of more compromised entities. DragonForce offers affiliates 80% of profits, customizable encryptors, and infrastructure, lowering the barrier to entry for new cybercriminals. The group's partnership with Scattered Spider has enabled high-profile breaches, including the Marks & Spencer incident. DragonForce has also proposed cooperation among major ransomware operations to stabilize the market and increase collective profits. Security experts advise robust backup practices, network segmentation, and consistent patching to defend against such threats.

Open in new tab

LockBit, Qilin, and DragonForce Form Ransomware Alliance

LockBit, Qilin, and DragonForce have formed a strategic alliance to enhance their ransomware operations. This collaboration aims to share techniques, resources, and infrastructure, potentially increasing the threat to critical infrastructure and expanding the attack surface to previously low-risk sectors. LockBit has returned to active operations with new victims identified in September 2025, marking a significant comeback over a year after Operation Cronos disrupted its infrastructure. The alliance comes as LockBit returns to the scene following a significant law enforcement operation in early 2024, which disrupted its infrastructure and led to the arrest of some of its members. Qilin has been the most active ransomware group in recent months, targeting North America-based organizations disproportionately. The partnership is expected to bolster LockBit's reputation among affiliates and facilitate a surge in attacks.

Open in new tab