Exclusive: Feds Investigate 764, Com’s Use of Cybercrime Tactics to Commit Violent Crimes

The child sextortion group 764 and the global collective of loosely affiliated groups called “The Com” use tools and techniques typically used for financially motivated cybercrime tactics – such as SIM swapping, IP grabbing and social engineering – to commit violent crimes , says exclusive law enforcement and intelligence reports reviewed by CyberScoop.

The reports offer insight into the underbelly of the global network, revealing how they use traditional cybercrime tools to identify, target, manipulate, extort and cause physical and psychological harm to victims as young as 10 years old. They were shared with police across the country and in the U.S., in some cases with foreign-allied governments.

The intelligence report also shows how The Com leverages cybercrime knowledge within its subgroups to go beyond ransomware attacks or data breaches and into areas the FBI classifies as terrorism.

An intelligence note dated October 2023 said that in March of that year, 6996, a group affiliated with The Com, published on its Telegram channel what it called “The Bible” “in the techniques for making ATM/Debit transactions -/Credit card skimming, IP grabbing, cult formation, doxing and blackmail/grooming.”

“Channel 6996 features digital art and photos of graffiti promoting the violent online groups MKU and 764,” said the intelligence release, which was marked “Unclassified/For Official Use Only.”

The group “seems to be at the intersection of communities of users who share gore material, followers (racially or ethnically motivated violent extremist white supremacists) like MKU, and child exploitation actors like 764.” MKU is a neo-Nazi group Presence in Russia and Ukraine.

The intelligence note was prepared by the Joint Regional Intelligence Center and the Central California Intelligence Center, both of which are part of the U.S. Department of Homeland Security’s network of regional intelligence sharing fusion centers. After 9/11, regional fusion centers were established to facilitate the sharing of intelligence and emerging threat information across the country and between state, local, and federal law enforcement agencies and other government agencies.

Neither center responded to emails seeking comment from CyberScoop.

The joint intelligence note is titled “Violent online group publishes guide to forming a cult, committing fraud and self-harming minors.” The areas of investigation are divided into the following categories for law enforcement and other agencies receiving them: “Domestic Violent Extremism, Cybercrime, Fraud and Exploitation.” It said: “6996 appears to be similar to the online child exploitation group 764, which is involved in forcing minors to commit self-harm, including suicide; animal cruelty; and the production of child sexual abuse material.”

The “key content” flagged in The Bible’s intelligence report published on Telegram in March 2023 includes:

• A description of what ATM skimming is, how to avoid skimming, a five-step guide to skimming, and recommendations for the equipment and software needed to successfully skimm debit and credit cards.

• A description of “IP Grabbing,” how to use free online tools to obtain someone’s IP address, and various services that can be used to hide an IP address.

• A section on how to doxx using open source tools and gather information about potential victims and how to find new victims to target.

The groups use these methods to entice children to send sexually explicit photos of themselves, threaten to make the photos public unless they harm themselves, and kill or injure animals, among other things. The members of the group coerced children into attempting suicide, harming themselves, siblings and animals.

“We have seen people kill their grandparents,” a senior official from the National Center for Missing and Exploited Children said during a panel with FBI agents about 764 at a domestic terrorism and violence prevention conference in Pittsburgh last month. “It’s just terrible.”

Another document reviewed by CyberScoop, a May 2024 FBI trade alert, also warned law enforcement agencies across the country about 764’s doxxing practices. The alert said the group created a fake suicide prevention Telegram chat targeting suicidal people promised anonymous support to underage women and claimed the chat “could help save other girls and children from the same trauma.” The “764” actors would then use social engineering tactics to convince victims to give the actors their personal information, which the actors would then use to defraud and blackmail the victims.”

The FBI’s National Press Office declined to comment when asked about this trade alert.

At the same panel discussion at the Violence Prevention Conference in late October, FBI agents urged parents to be aware of what their child is doing on their phone and encouraged law enforcement in attendance to pay attention in their communities. The FBI agents on the panel asked CyberScoop for anonymity, citing concerns about being doxxed by 764 and The Com.

FBI personnel declined to speak to CyberScoop about the cybercrime tactics or anything beyond what was said during the panel, referring all questions to the FBI press office, which declined to comment.

“It almost sounds too much to be true, but it is true,” said an FBI agent. “I want to emphasize: This is everywhere.” Another agent said he had made this “arrests in every state, in every field office and in 23 countries.”

Those investigating these crimes have been largely secretive about the cyber aspects of their investigations and the networks themselves. But a recent Justice Department news conference following the sentencing of Richard Densmore, who ran a network of 764 Discord servers, hinted at the cyber components of the broader law enforcement effort to track down members of the loosely connected collectives. Densmore was sentenced to 30 years in prison for recruiting children online – including by infiltrating online gaming sites frequented by children – to cut themselves and engage in graphic sexual acts.

The connection between The Com and 764 has been explored in previous reports by independent cybersecurity journalist Brian Krebs. However, the documents reviewed by CyberScoop provide new insights into how law enforcement pursues these affiliated groups and how 764 and The Com use cybercrime techniques to commit their crimes.

At another panel discussion at the same violence prevention conference in late October, a federal prosecutor spoke briefly about 764.

“There is a focus by national law enforcement and at the national level on this network, the entire premise of which is to weaponize child pornography, sextortion and other criminal acts to target the most vulnerable members of our community, often children, with the idea that “When these children grow up, our entire foundation will crumble beneath us,” they said.

“It’s not based on the idea of ​​child pornography, but on the idea of ​​the breakdown of society, and they do it through animal cruelty and they do it through beating and sextortion.”

The Justice Department also recently arrested several Com members for non-violent cybercrimes. In October, Canadian authorities arrested a person believed to be a Com member who allegedly orchestrated a series of data exfiltration attacks against customers of data storage company Snowflake.

The person arrested – Ontario native Connor Moucka – was found by investigators due to, among other things, multiple threats of violence against a cybersecurity researcher.

In November, federal authorities dropped charges against five people with ties to the Scattered Spider cybercrime syndicate, accusing them of running a massive phishing scheme that compromised companies across the country and stealing millions of dollars in non-public data and cryptocurrencies made possible. Scattered Spider has also been associated with The Com.

The National Center for Missing & Exploited Children operates an online hotline to help victims remove their photos from the Internet. The service, known as “Take It Down,” helps minors or adults who have been victims of online images or videos as minors remove sexually explicit content. For more information, visit https://takeitdown.ncmec.org.

If you believe you are a victim of a crime that uses such tactics, retain all information related to the incident (e.g. usernames, email addresses, websites or names of platforms used for communication, photos, videos, etc .) and report the incident immediately to:

• The FBI Internet Crime Complaint Center at www.ic3.gov