A comprehensive analysis reveals how the underground English-language cybercriminal network, known colloquially as The COM, has transformed from scattered forums trading social-media handles into a fully-fledged industrialised illicit economy.
Evolution of The COM
The origins of The COM trace back to forums like Dark0de, RaidForums and OGUsers, where early adopters traded usernames, SIM-swap tools and account access. Over time, as law enforcement disrupted these platforms, the ecosystem migrated and matured into a distributed network of specialised roles including:
- Callers and texters who perform voice phishing and SMS-based credential harvesting.
- SIM-swappers who exploit telecommunications systems to hijack identities.
- Initial access brokers (IABs) who sell VPN, RDP or SSO access to enterprise systems.
- Ransomware-as-a-Service (RaaS) affiliates who deploy extortionware using access obtained from the network.
Key Characteristics & Threat Trends
- The business model is modular and supply-chain-oriented: each actor specialises in a function, enabling quick scale and high profit.
- English-language social engineering has become a major driver: demand for native-speaker voice-phishers and “help-desk impersonators” has surged.
- The ecosystem now overlaps with non-English-speaking cybercrime groups, blurring previously distinct boundaries, and granting Western-language operators access to malware, laundering services and advanced tooling via Eastern affiliates.
- Traditional indicators of compromise (IP, hash, domain) are becoming less effective because infrastructure is short-lived, distributed, and highly dynamic.
Why This Matters for Organisations
For organisations operating in sectors such as financial services, healthcare, retail, manufacturing and government, the rise of The COM represents a significant shift:
- The “human perimeter” is increasingly the attack vector: social engineering, insider recruitment and credential abuse are now primary intrusion paths.
- Native-English social engineers are targeting help-desk staff, executives and service personnel, bypassing many technical controls.
- The convergence of multiple languages and regions means attackers can assemble global access chains, making attribution and disruption harder.
- The supply-chain-style model means that organisations may face access sold by one actor, tools developed by another and extortion deployed by a third, raising complexity for defence.
Actionable Recommendations
- Move away from reliance on reactive or signature-based controls: invest in identity-centric defences, phishing-resistant MFA (such as FIDO2/WebAuthn) and segmentation of high-privilege support services.
- Harden the human layer: target training and simulation efforts at help-desk, administrative and support teams who may be impersonated.
- Inspect your supply chains: include third-party access, vendor portals and outsourced functions in threat-hunt programs, and assume attacker-provided access may be in play.
- Monitor for non-traditional infrastructure signals: e.g., Telegram/Discord recruitment, English-language voice-phishing job ads, rapid-turn deployment of short-lived domains.
- Prepare incident-response playbooks with leak-and-brag style extortion in mind: the modern adversary may not simply encrypt data; they may exfiltrate it and publicly shame the victim.
Conclusion
The modern English-speaking cybercrime ecosystem, The COM, is no longer a collection of hobbyist forums. It is a resilient, adaptable and professionalised network that focuses on human vulnerabilities, global access chains and service-driven intrusion. Organisations must shift mindset and defences accordingly: the edge is no longer just technical; it is human.
About COE Security
COE Security partners with organisations in financial services, healthcare, retail, manufacturing and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized CyberSecurity Services
Given the rise of The COM, we also provide human-risk assessments for social engineering, access-brokering threat-monitoring, and hybrid-adversary readiness programmes tailored to defence teams in high-risk sectors.