Exclusive: Feds are probing 764, The Com’s use of cybercriminal tactics to carry out violent crimes
The child sextortion group 764 and the global collective of loosely associated groups known as “The Com” are using tools and techniques normally associated with financially motivated cybercrime — such as SIM swapping, IP grabbing and social engineering — to commit violent crimes, according to exclusive law enforcement and intelligence reports reviewed by CyberScoop.
The reports offer insight into the underbelly of the global network, showing how they are using traditional cybercriminal tools to identify, target, groom, extort, and cause physical and psychological harm to victims as young as 10. They were shared with police nationwide and in some cases, with foreign-allied governments.
The intelligence report also shows how The Com is leveraging the cybercrime knowledge within its subgroups to go beyond ransomware attacks or data breaches and into areas the FBI classifies as terrorism.
An October 2023 intelligence note says in March of that year, 6996, a group associated with The Com, published what it called “The Bible” on its Telegram channel, “highlighting techniques for conducting ATM/Debit/Credit Card skimming, IP Grabbing, forming a cult, doxing and extortion/grooming.”
“The 6996 channel features digital art and photos of graffiti promoting the violent online groups M.K.U. and 764,” according to the intelligence note, which was marked Unclassified/For Official Use Only.
The group “appears to be situated at the nexus of communities of users who share gore material, [Racially or Ethnically Motivated Violent Extremist-White Supremacist] adherents such as M.K.U. and child exploitation actors like 764.” M.K.U., it says, is a neo-Nazi group with a presence in Russia and Ukraine.
The intelligence note was produced by the Joint Regional Intelligence Center and the Central California Intelligence Center, both part of the Department of Homeland Security’s intelligence sharing network of regional fusion centers. Regional fusion centers were set up after 9/11 to facilitate intelligence and emerging threat information sharing across the country and among state, local and federal law enforcement and other government agencies.
Neither center responded to emails seeking comment from CyberScoop.
The joint intelligence note is titled “Violent Online Group Publishes Guide to Forming a Cult, Committing Fraud and Grooming Minors for Self-Harm.” It categorizes the investigative areas as: “Domestic Violent Extremism, Cyber Crime, Fraud and Exploitation” for law enforcement and other agencies receiving it. It says “6996 appears to be similar to online child exploitation group, 764, which has been implicated in coercing minors to self harm, including suicide; animal cruelty; and the production of child sexual abuse material.”
“Key content” flagged in the intelligence report from “The Bible” shared in March 2023 on Telegram includes:
- A description of what ATM “skimming” is, how to avoid being skimmed, a five-step guide on how to skim, and recommendations for equipment and software needed to successfully skim debit and credit cards.
- A description of “IP Grabbing,” how to use free online tools to obtain someone’s IP address, and various services that can be used to hide an IP address.
- A section on how to use open-source tools to doxx and gather information about potential victims and how to find new victims to target.
The groups use these methods to trick children into sending sexually explicit photos of themselves, threaten to make the photos public unless they harm themselves, and kill or harm animals, among other crimes. The group’s members have coerced children into attempting suicide, harming themselves, siblings and animals.
“We’ve had people kill their grandparents,” a senior official with the National Center for Missing and Exploited Children said during a panel with FBI agents about 764 last month at a domestic terrorism and violence prevention conference in Pittsburgh. “It’s just awful.”
Another document reviewed by CyberScoop, an FBI tradecraft alert from May 2024, also warned law enforcement nationwide about 764’s doxxing practices. The alert says the group created a fake suicide prevention Telegram chat that promised to provide anonymous support to suicidal minor females, claiming the chat “could help save other girls and kids from the same trauma.” The “764” actors would then use social engineering tactics to convince the victims to give the actors their personal information, which the actors would then use to doxx and extort the victims.
The FBI National Press Office declined to comment when asked about this tradecraft alert.
At the same panel at the violence prevention conference in late October, FBI agents urged parents to be aware of what their kid is doing on their phone and encouraged law enforcement in the room to look out for this in their communities. The FBI agents on the panel asked CyberScoop for anonymity citing concerns about being doxxed by 764 and The Com.
The FBI personnel declined to speak with CyberScoop about the cybercrime tactics or about anything beyond what was said during the panel, referring all questions to the FBI press office, which declined comment.
“It almost sounds too much to be true, but it’s real,” said one FBI agent. “I want to stress: this is everywhere.” Another agent said they have seen this “in every state, every field office and arrests have been made in 23 countries.”
Those investigating these crimes have been mostly tightlipped about the cyber aspects of their probes and of the networks themselves. But a recent Department of Justice press conference following the sentencing of Richard Densmore, who ran a network of 764 Discord servers, hinted at the cyber components of the broader law enforcement effort to track down members of the loosely associated collectives. Densmore was sentenced to 30 years for recruiting children online — including by infiltrating online gaming sites that children frequent — to cut themselves and engage in graphic sexual acts.
The connection between The Com and 764 has been explored in previous reporting by independent cybersecurity journalist Brian Krebs. However, the documents reviewed by CyberScoop offer new insight into how law enforcement is tracking these associated groups and how 764 and The Com are using cybercriminal techniques to carry out their crimes.
At a different panel at the same violence prevention conference in late October, a federal prosecutor spoke briefly about 764.
“There is a national law enforcement and national level focus on this network, where its entire premise is weaponizing child pornography and sextortion and other criminal acts to attack the most vulnerable members of our community, often being children, with the idea that when these children become adults our entire foundation will crumble from underneath us,” they said.
“It’s not premised on the idea of child pornography, it’s premised on the idea of collapsing society and they do it through animal cruelty and they do it through swatting and sextortion.”
The Department of Justice has also recently arrested several Com members for non-violent cybercrimes. In October, Canadian authorities arrested a person suspected to be a Com member for allegedly orchestrating a series of data exfiltration attacks targeting customers of the data-storage firm Snowflake.
The person arrested – Ontario native Connor Moucka – was found by investigators partly due to multiple threats of violence he made toward a cybersecurity researcher.
In November, federal authorities unsealed charges against five individuals with links to the “Scattered Spider” cybercrime syndicate, accusing them of conducting an extensive phishing scheme that compromised companies nationwide, enabling the theft of non-public data and millions in cryptocurrency. Scattered Spider has also been tied to The Com.
The National Center for Missing & Exploited Children operates an online tip line as a way to help victims remove their photos from the internet. Known as “Take It Down,” the service helps minors or adults who were victimized as minors in online image or video files with the removal of the sexually explicit content. For more information, visit https://takeitdown.ncmec.org.
If you believe you are the victim of a crime using these types of tactics, retain all information regarding the incident (e.g., usernames, email addresses, websites or names of platforms used for communication, photos, videos, etc.) and immediately report it to:
• FBI’s Internet Crime Complaint Center at www.ic3.gov
• FBI Field Office [www.fbi.gov/contact-us/field-offices or 1-800-CALL-FBI (225-5324)]
• National Center for Missing and Exploited Children (1-800-THE LOST or www.cybertipline.org)