![](\"https:\/\/fortune.com\/img-assets\/wp-content\/uploads\/2025\/12\/GettyImages-1500416880-e1766424902418.jpg?w=2048\")
<\/p>\n<\/p>\n
The job posts don\u2019t immediately raise alarms, even though they\u2019re clearly not for tutoring or babysitting.<\/p>\n
\u00a0\u201cFemale candidates are a PRIORITY, even if you aren\u2019t from US, if you do not have a clear accent please feel free to inquire,\u201d a public Telegram channel post on Dec. 15 stated. \u201cINEXPERIENCED people are OKAY, we can train you from scratch but we expect you to absorb information and take in what you are learning.\u201d Those who are interested are expected to be available from 12 pm EST to 6 pm EST on weekdays and will earn $300 per \u201csuccessful call,\u201d paid in crypto.<\/p>\n
Of course, the ad isn\u2019t for a legitimate job at all. It\u2019s a recruiting post to join a criminal underground organization, where the job is undertaking ransomware attacks against big corporations. And the \u2018gig\u2019 workers being recruited are largely kids in middle and high schools. The enterprise is called The Com, short for \u201cThe Community,\u201d and it includes about 1,000 people involved in numerous ephemeral associations and business partnerships, including those known as Scattered Spider, ShinyHunters, Lapsus$, SLSH, and other iterations. Associations change and reframe frequently in what expert researcher Allison Nixon calls \u201ca huge spaghetti soup.\u201d Since 2022, the pipeline has successfully infiltrated U.S. and UK companies with a collective market cap valuation of more than $1 trillion with data breaches, theft, account compromise, phishing, and extortion campaigns. Some 120 companies have been targeted, including brands such as Chick-fil-A, Instacart, Louis Vuitton, Morningstar, News Corporation, Nike, Tinder, T-Mobile, and Vodafone, according to research from cyber intelligence firm Silent Push and court records.\u00a0<\/p>\n
What makes The Com and these groups uniquely dangerous is both their sophistication, and in how they weaponize the youth of their own members. Their tactics exploit teenagers\u2019 greatest strengths, including their technical savvy, cleverness, and ease as native English speakers. But their blindness to consequences, and habit of having conversations in public leaves them vulnerable to law enforcement. Starting in 2024, a series of high-profile arrests and indictments of young men and teenagers ranging in age from 18 to 25 has exposed the significant risk of getting involved in The Com. In August, a 20-year-old in Florida was sentenced to a decade in federal prison and ordered to pay restitution of $13 million for his role in multiple attacks. Unnamed juveniles have also been listed as co-conspirators, and the ages that some are alleged to have begun offending are as young as 13 or 14, according to law enforcement.\u00a0<\/p>\n
Zach Edwards, senior threat researcher at Silent Push, said the structure is a classic one, in which young people do most of the dangerous grunt work in a criminal organization. \u201cThe people that are conducting the attacks are at dramatically more risk,\u201d said Edwards. \u201cThese kids are just throwing themselves to the slaughter.\u201d<\/p>\n
Edwards said the group even tends to slow down during the holidays \u201cbecause they\u2019re opening presents from Mom under the Christmas tree,\u201d he said. \u201cThey\u2019re, you know, 15-year-olds opening stockings.\u201d<\/p>\n
And usually parents only find out their kids are involved when the FBI knocks on the door, noted Cynthia Kaiser, former deputy assistant director of the FBI\u2019s cyber division.\u00a0<\/p>\n
\u201cWhen they\u2019re at a federal felony level is when the parents know because that\u2019s when the FBI comes into play,\u201d she said. Cybercrime lacks all the natural \u201cofframps\u201d that exist with other types of juvenile offenses, explained Kaiser. If a kid defaces a school gym with spray paint, they\u2019re usually caught by a security guard or teacher and they get in trouble. It\u2019s a warning sign for further intervention that doesn\u2019t exist in the online spaces kids frequent.<\/p>\n
\u201cIt allows these kids to get to the point where they\u2019re conducting federal crimes that no one\u2019s ever talked to them about,\u201d said Kaiser. She often saw \u201cloving parents, involved parents, kids who really did have a lot of advantages, but they just kind of got swept up into this, which I think is easy to do.\u201d<\/p>\n
Silent Push, which has tracked Scattered Spider and other groups for years, found that since March 2025, the group has pivoted back to social engineering as the backbone to its ransomware operations, a feat it is incredibly skilled at pulling off. The group allegedly steals employee lists and job titles by compromising HR software platforms and conducting extensive reconnaissance on LinkedIn, said Nixon. With a full roster in hand, the group will call employees directly, pretending to be a new hire with innocuous-seeming questions about platforms, cloud access, and other tech infrastructure. They\u2019ve also been known to read internal Slack message boards to pick up on corporate lingo and acronyms and to find out who to target for permissions to systems. Edwards said the group leans hard on A\/B testing to determine which types of calls are most successful and then doesn\u2019t stray far from that path.<\/p>\n
Charles Carmakal, chief technology officer of Google Cloud\u2019s Mandiant Consulting, said group members also learn from each other as they work through more intrusions and they share their insights in chat rooms. They often abuse legitimate software in a way that gets them to their ultimate objective without having to create malware or malicious software, he said.\u00a0<\/p>\n
\u201cThey\u2019re resourceful,\u201d said Carmakal. \u201cThey read the blogs, they understand what the red teams are finding, what the blue teams are finding, what other adversaries are doing, and they\u2019ll replicate some of those techniques as well. They\u2019re smart folks.\u201d<\/p>\n
Nixon has seen phishing lures in which attackers claim to be running an internal HR investigation into something a person allegedly said that was racist or another type of complaint. \u201cThey\u2019re really upsetting false accusations, so the employee is going to be quite upset, quite motivated to shut this down,\u201d said Nixon. \u201cIf they can get the employee emotional, they\u2019ve got them on the hook.\u201d<\/p>\n
Once the employee gets rattled, the attackers will direct them to a fake helpdesk or HR website to input their login credentials. In more sophisticated companies that use multi-factor authentication or physical security keys, the attackers use the company\u2019s remote software like AnyDesk or TeamViewer to eventually get inside internal networks. \u201cThey are very savvy as to how these companies defend themselves and authenticate their own employee users, and they\u2019ve developed these techniques over a long period of time,\u201d said Nixon.<\/p>\n
Plus, Scattered Spider has picked up on a key asymmetry in authentication, said Sherri Davidoff, founder of LMG Security. When help desks call employees, they rarely have to identify themselves or prove they work for a company. Whereas when employees contact help desks, they have to verify who they are.<\/p>\n
\u201cMany organizations, either intentionally or unintentionally, condition their staff to comply with help desk requests,\u201d said Davidoff. \u201c[Threat actors] will then mimic the urgency, they\u2019ll mimic any stress, and they\u2019ll mimic the sense of authority that these callers have.\u201d<\/p>\n
One of Scattered Spider\u2019s signatures is that the group is incredibly chaotic, noted Greg Linares, a former hacker who is now a cybersecurity researcher at Eeye Digital Security. Unlike more established ransomware operators, Scattered Spider members communicate directly with victims\u2019 C-level executives without formal negotiators. \u201cThey don\u2019t have a professional person in the middle, so it\u2019s just them being young adults and having fun,\u201d said Linares. \u201cThat unpredictability among the group makes them charismatic and dangerous at the same time.\u201d<\/p>\n
The Scattered Spider attacks have featured brazen and audacious behaviors, like renaming the CEO to something profane in the company email address book, or calling customers directly and demanding ransom payments\u2014general troll behavior \u201cfor the lols,\u201d said Edwards. Serious criminal actors involved in ransomware money-making schemes, usually working for nation states like Russia or North Korea, use Signal or encrypted services, he added. The younger Scattered Spider members often create new channels on Telegram and Discord if they get banned and announce the new channel and make it public again.\u00a0<\/p>\n
Experienced criminals \u201cdon\u2019t run out there and create another Telegram, like, \u2018Come on, everybody, back in the pool, the water\u2019s fine,\u2019\u201d said Edwards. \u201cIt is absolutely what kids do.\u201d<\/p>\n
CrowdStrike senior vice president of counter adversary Adam Meyers told Fortune <\/em>these techniques have been honed after years of escalating pranks in video game spaces. Kids will start by stealing items or destroying other kids\u2019 worlds in video games like Minecraft, mostly to troll and bully each other, said Meyers. From there, they progress to conducting identity takeovers, usually because they want account names that have been claimed by users long ago, said Meyers. The account takeovers then evolve into targeting crypto holders.\u00a0<\/p>\n \u201cMany of these teen offenders have been recruited and groomed from gaming sites, first with the offer of teaching then how to acquire in-game currency, and moving on to targeting girls for sextortion,\u201d said Katie Moussouris, founder of startup Luta Security. \u201cFrom there, they are encouraged to shift to other hacking crimes. There\u2019s a well-established criminal pipeline that grooms young offenders to avoid adult prosecutions.\u201d<\/p>\n A complaint unsealed in September in New Jersey alleged that UK teenager, Thalha Jubair, 19, was part of Scattered Spider starting from when he was 15 or 16. Jubair is facing a maximum of 95 years in prison in a scheme that U.S. authorities allege infiltrated 47 unnamed companies including airlines, manufacturers, retailers, tech, and financial services firms, and raked in more than $115 million in ransom payments.\u00a0<\/p>\n Owen Flowers, 18, was charged along with Jubair in the UK, according to the UK\u2019s National Crime Agency. Both are accused in attacks on Transport for London and for allegedly conspiring to damage two U.S. healthcare companies. Flowers and Jubair have pleaded not guilty and a trial is set for next year.<\/p>\n Those charges came after another alleged Scattered Spider ringleader, Noah Michael Urban, 20,\u00a0 pleaded guilty to wire fraud, identity theft, and conspiracy charges and was sentenced to 10 years in federal prison in August. He was ordered to pay $13 million in restitution.\u00a0<\/p>\n Four others, all under the age of 25, were charged alongside Urban in 2024 for allegedly being part of Scattered Spider\u2019s cyber intrusion and crypto theft scheme, including an unnamed minor. In another alleged Scattered Spider attack, at least one unnamed juvenile turned himself in to police in Las Vegas for taking part in attacks on gaming companies in Las Vegas, according to police.\u00a0<\/p>\n The field of cybercrime is almost exclusively dominated by male actors, but Scattered Spider has effectively recruited teenage and young adult women who have become a strategic asset. Nixon of Unit 221B said the number of girls in The Com is \u201cexploding.\u201d<\/p>\n Arda B\u00fcy\u00fckkaya, a senior threat intelligence analyst at EclecticIQ based in the EU, said he\u2019s also found that some callers are using AI systems that will alter their voices to mimic a regional accent or other features, such as a woman \u201cwith a neutral tone\u201d who offers pleasantries, such as \u201ctake your time,\u201d that also downplay suspicions.\u00a0<\/p>\n Social engineering is rife with gender presumptions, said Karl Sigler, senior security manager at Trustwave SpiderLabs. Men tend to lean on their positions of authority as a senior executive or even a CFO or CEO, while women take the tactic of being in distress.\u00a0<\/p>\n \u201cWomen tend to be more successful at social engineering because, frankly, we\u2019re underestimated,\u201d said Moussouris of Luta Security. \u201cThis holds true whether trying to talk our way in by voice or in person. Women aren\u2019t viewed as a threat by most and we\u2019ve seen this play out in testing organizations where women may succeed in getting in and men don\u2019t.\u201d<\/p>\n In Nixon\u2019s observation, The Com finds young women are useful \u201cfor social engineering purposes, and they\u2019re also useful to them for just straight-up sexual purposes.\u201d Some of the girls respond to ads in gaming spaces that specify \u201cgirls only\u201d and others are victims of online sexual violence, said Nixon.\u00a0<\/p>\n \u201cThe people running these groups are still almost all male, and very sexist,\u201d said Nixon. \u201cThe girls might be doing the low-level work, but they\u2019re not going to be taught anything more than the bare minimum that they need to know. Knowledge is power in these groups, and mentorship is not given to girls.\u201d<\/p>\n Many involved seem to be seeking money, notoriety among the group, a sense of belonging, and the rush and thrill of a successful attack, experts said.<\/p>\n Linares, who is known as the youngest ever hacker arrested in Arizona at age 14, said the hacking community he joined as a teen became closer to him than his actual family members at the time. If he were born in this era, Linares said he \u201cabsolutely\u201d could see himself alerted to this type of crime and the money-making potential. Since sharing his story on a podcast over this summer, he\u2019s heard from kids who are involved in cyber crime and he urges them to participate in legal bug bounty programs. Many have told him they are also autistic\u2014a diagnosis Linares himself didn\u2019t get until he was well in his 30s.<\/p>\n \u201cA lot of these kids come from broken households, alcoholic parents, and they\u2019re on the path of doing drugs as well,\u201d said Linares. \u201cLife is hard and they\u2019re just looking for a way through.\u201d<\/p>\n However, there is more to the picture. Marcus Hutchins, a cybersecurity researcher who famously stopped the global WannaCry ransomware attack and who previously faced federal charges related to malware he created as a teenager, said he\u2019s learned that a lot of kids involved come from stable backgrounds with supportive parental figures.\u00a0<\/p>\n \u201cA lot of these are privileged kids who come from loving families and they still somehow end up doing this,\u201d Hutchins said. \u201cHow does someone who has everything going for them decide that they\u2019re going to go after a company that is just absolutely going to insist that they go to jail?\u201d<\/p>\n According to Kaiser, who after leaving the FBI joined cybersecurity firm Halcyon, the complexity lies in that the crimes are happening online and in secret. And in the grand tradition of parents not understanding kids\u2019 slang, parents often find messages incomprehensible, which isn\u2019t unusual, noted Nixon.\u00a0\u00a0<\/p>\n Despite the natural tendency to underestimate kids\u2019 abilities or always see the best in them as parents, Kaiser said parents have to protect kids\u2014and it might mean getting uncomfortable about monitoring their online behavior. Even with her background as a top FBI cyber official, Kaiser said she still struggles as a parent.\u00a0<\/p>\n \u201cI was the deputy director of the FBI\u2019s Cyber Division, and I still don\u2019t think I know how to fully secure my kids\u2019 devices,\u201d she said. \u201cIf my kid was acting foolish on the street, I\u2019ll get a text. We\u2019re not getting those alerts as parents, and that makes it really hard.\u201d<\/p>\n Fortune contacted all the companies named in this article for comment. Some declined to comment and some could not comment directly due to ongoing investigations. Others noted their commitment to strong cybersecurity and that they had quickly neutralized threats to their systems.<\/p>\n<\/div>\n #Feds #hunting #teenage #hackers<\/p>\n","protected":false},"excerpt":{"rendered":" The job posts don\u2019t immediatel… <\/p>\n","protected":false},"author":1,"featured_media":8497,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[2567,3210,1665,6785,6786,2321],"_links":{"self":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/8496"}],"collection":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8496"}],"version-history":[{"count":0,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/posts\/8496\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=\/wp\/v2\/media\/8497"}],"wp:attachment":[{"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8496"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microvibenews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\u2018Female candidates are a PRIORITY\u2019\u00a0<\/h2>\n