LAS VEGAS — The latest crop of cybersecurity hires coming out of the hacker underground contains a large number of violent, depraved and amoral individuals, and the information-security industry needs to develop ways to spot and isolate them, an expert on cybercrime warned at the BSides Las Vegas hacker conference here Monday.
That’s because the teen-dominated hacking scene that’s existed for decades has changed profoundly in the past few years, said Allison Nixon, chief research officer at incident-response firm Unit 221B.
It’s no longer about the “lulz” of breaking into corporate servers or stealing sensitive information, she explained. It’s now about power, control and manipulation of other people, especially young women and teenage girls who are subjected to online sexual abuse after they are identified and targeted through social media.
Most of the victims are “between 13 and 17,” two unrepentant sextortionists told an interviewer in an audio clip Nixon played during her presentation. Many of their tormentors aren’t much older.
A different breed of hackers
It’s well known that many longtime cybersecurity professionals cut their teeth doing minor cybercrimes and selling “warez.” Hanging out online with cybercriminals was at one point the only way to learn how to hack, Nixon said. But “normal” budding hackers now have other options, leaving the underground forums to the truly criminally minded.
“I have hired convicted hackers, and I’m not against that, but it depends on what they did,” Nixon said. “I’d rather hire someone who hacked the Pentagon than hacked a little girl’s social media. It’s a completely different mentality.”
She added that the skyrocketing price of Bitcoin had profoundly changed hacking, and that the pandemic showed many career criminals that they could make money online.
“Bitcoin changed hacking from something fun and cool to something that could get you retirement money,” Nixon said. “It attracted a different kind of person.”
The English-language teen hacker underground is now dominated by a loose confederation of online forums, Discord servers, Telegram channels and other media known as “the Com,” Nixon said. The social-engineering group that knocked MGM Resorts offline in 2023, and made Caesars Entertainment pay a reported $10 million ransom, was dubbed “Scattered Spider” by cybersecurity researchers, but it’s just part of the Com.
“These guys are learning that the social-manipulation skills they apply to young girls also apply to manipulating large companies,” Nixon observed.
The most notorious Com affiliate is 764, a sextortion-focused group founded in 2020 by two 16-year-olds, both of whom have since been arrested and one of whom received an 80-year prison sentence at the age of 18. In May, the FBI announced that it had opened 250 simultaneous investigations into 764, according to ABC News.
Nixon said that 764 members had gone so far as to create a fake Telegram-based “suicide hotline” that offered counseling and other advice but was really a way for the group to lure psychologically fragile underage girls. Beyond sexual abuse, members of 764 have coerced younger teens to cut themselves, kill their pets, or even attack family members, often while live streaming.
Other Com-affiliated groups carry out swatting attacks, offer “violence for hire” services to attack property and individuals, harass and “dox” random targets online, and carry out SIM-swapping attacks to steal cryptocurrency, according to independent security researcher Brian Krebs. One Com group was behind the Snowflake cloud data-platform breaches of 2024, Krebs said.
Ready for recruitment
As with previous generations of young hackers, many of these individuals will enter the cybersecurity workforce. Once there, they’ll have almost unfettered access to the personal information of millions of people, Nixon pointed out.
She added that many of these black-hat hackers will reform themselves and stop committing crimes, just as in previous generations. But not all will.
Nixon referenced a recent court document about a 20-year-old arrested in the Bay Area on charges related to child sexual abuse material (CSAM). He was employed by a startup that was working to develop tools to detect CSAM.
What do you do when a sexual predator gets a job at Instagram? How do you prevent that from happening? What kind of internal mechanisms does the cybersecurity industry need to develop to detect these people?
Nixon pointed out that if you apply for a job at a daycare center, you’re subject to intensive screening to make sure you won’t harm the small number of children in your care. But, she said, there’s no such screening for employees in the cybersecurity industry.
“The industry needs a mechanism to expel bad actors,” Nixon said. “As part of our jobs, we have access to an enormous amount of personal information. Our jobs are a position of trust. We need to start treating it that way, or otherwise those standards will be imposed on us by governments.”