Imagine scrolling through Telegram and finding this job posting. Easy money, no experience needed, work from home, $300 per successful call paid in crypto. Sounds like a typical work-from-home scam, right? Except this “job” isn’t selling essential oils or crypto courses. It’s recruiting teenagers to conduct sophisticated social engineering attacks against Fortune 500 companies. And it’s working terrifyingly well.
Welcome to “The Com”—a loose network of teenage hackers who’ve successfully breached over 120 major corporations since 2022, including household names like Nike, Chick-fil-A, Instacart, and News Corporation. They’re not elite programmers or nation-state actors. They’re 17-year-olds living at home with their parents, earning hundreds of dollars per call by simply talking their way past enterprise security.
The most disturbing part? Many come from loving, financially stable families. They’re not motivated by poverty or desperation. They’re doing it for the thrill, the status, and the surprisingly lucrative bounties paid out by organized cybercrime groups.
As federal authorities intensify their manhunt and the FBI adds more teenage faces to their most-wanted lists, one question haunts every security professional: If teenagers with no formal training can bypass your multi-million-dollar security infrastructure with a phone call, what does that say about your defenses?
Meet Scattered Spider: The Teen Hackers the FBI Can’t Catch Fast Enough
Who Are They?
Scattered Spider (also known as UNC3944, Octo Tempest, or simply “The Com”) represents a new generation of cybercriminals that security researchers didn’t see coming. Unlike traditional hacking groups that operate from Eastern Europe or Asia, Scattered Spider is primarily composed of English-speaking teenagers and young adults based in the United States and United Kingdom.
According to FBI investigations, these aren’t the stereotypical basement-dwelling hackers of movie tropes. They’re articulate, confident, and frighteningly good at manipulating people. They understand American corporate culture intimately because they grew up in it. They know exactly what an IT help desk employee sounds like, how internal communication flows, and which pressure points make employees bypass security protocols.
The group gained notoriety in 2023 when they orchestrated devastating ransomware attacks against MGM Resorts and Caesars Entertainment, causing operational chaos and costing hundreds of millions in damages. But those high-profile breaches were just the beginning. As detailed in our analysis of top cyber attacks, Scattered Spider’s tactics have evolved and proliferated across the threat landscape.
The Psychology: Why Do Privileged Kids Become Hackers?
This is the question that puzzles law enforcement, parents, and psychologists alike. These aren’t kids from broken homes or impoverished backgrounds. Many come from upper-middle-class families with access to legitimate career opportunities. So why risk federal prison for cryptocurrency?
The Gaming to Hacking Pipeline: Many teenage hackers started in gaming communities, particularly those focused on competitive advantages, account trading, and virtual item theft. The skills they developed—social engineering to steal gaming accounts, bypassing security measures, understanding online identity systems—translate directly to corporate cybercrime. The transition from stealing a $2,000 Counter-Strike skin to stealing corporate credentials isn’t as large as you’d think.
Status and Community: In underground Telegram channels and Discord servers, successful breaches bring respect, recognition, and clout. Screenshots of compromised corporate dashboards become status symbols. Young hackers compete to outdo each other, targeting bigger companies and pulling off more audacious attacks.
The Abstraction of Harm: When you’re 17 and staring at a computer screen, a Fortune 500 company doesn’t feel like real people. It’s an abstract entity—a target in a game. The harm feels distant and theoretical. Researchers studying youth cybercrime note that this psychological distance allows teenagers to rationalize actions they’d never consider if confronting victims face-to-face.
Risk vs. Reward Miscalculation: Teenage brains are still developing, particularly the prefrontal cortex responsible for risk assessment and impulse control. When offered $300 for a 10-minute phone call, teenagers often can’t accurately evaluate the risk of federal prosecution. The immediate reward overshadows the distant, abstract threat of consequences.
Peer Pressure and Mentorship: The Com operates partly as a mentorship network. More experienced hackers teach newcomers, creating a pipeline of increasingly sophisticated attackers. The social pressure to contribute successful breaches, combined with the financial incentives, creates a powerful motivational cocktail.
The $300 Bounty System: How The Com Monetizes Social Engineering
The Economics of Teenage Cybercrime
The business model is deceptively simple. Organized ransomware groups—the ones with the technical infrastructure to deploy ransomware and negotiate with victims—need initial access to corporate networks. Rather than develop their own initial access capabilities, they outsource to specialists. Enter the teenage social engineers.
Here’s how the bounty system typically works:
Tier 1 – Initial Access ($200-$500): Successfully trick a help desk employee into resetting credentials or approve an MFA push notification. Payment in Bitcoin or Monero within hours.
Tier 2 – Privileged Access ($1,000-$5,000): Obtain administrator credentials or VPN access to internal networks. Higher payout for higher privileges.
Tier 3 – Domain Admin ($10,000-$50,000): Achieve domain administrator access, giving complete control over the corporate network. The holy grail for ransomware operators.
Bonus – High-Value Targets: Extra payments for specific companies on target lists. Fortune 500 companies, healthcare systems, and government contractors command premium prices.
According to threat intelligence from Recorded Future, the average payment for a successful initial access compromise is $300-$500, with some transactions reaching thousands for particularly valuable targets. For a teenager, that’s serious money—equivalent to weeks of minimum wage work, earned in a single phone call.
The cryptocurrency payment system provides pseudo-anonymity, though federal investigators have become increasingly adept at tracing blockchain transactions. Still, the perceived anonymity emboldens young attackers who believe they can’t be caught.
The Telegram Recruitment Machine
Telegram has become the primary recruitment and coordination platform for The Com and similar groups. The app’s features—encrypted channels, self-destructing messages, username-based communication without phone number exposure—make it ideal for criminal coordination.
Recruitment happens in gaming Discord servers, social media, and through existing network connections. A typical recruitment pitch might look like:
“Looking for motivated individuals. Simple tasks. High pay. Skills not required—we’ll teach you everything. Flexible hours. Work from anywhere. Guaranteed payments. DM for details.”
Once recruited, new members join private Telegram channels where they receive:
- Target lists: Companies currently being targeted
- Scripts: Exact language to use when calling help desks
- Technical tutorials: How to use tools for SIM swapping, credential harvesting, and network reconnaissance
- Success stories: Screenshots and reports from successful breaches to motivate the team
- Payment proof: Evidence of successful cryptocurrency payouts
The community aspect is crucial. New hackers aren’t working alone—they’re part of a team, with mentors available to answer questions and troubleshoot problems. This dramatically lowers the barrier to entry for cybercrime.
How Teenage Hackers Bypass Enterprise Security
Phase 1: Reconnaissance and Target Selection
Despite the stereotype of hackers hunched over keyboards running complex code, Scattered Spider’s methodology is surprisingly low-tech. It starts with open-source intelligence (OSINT)—information gathering using publicly available resources.
LinkedIn Mining: Attackers scroll through company LinkedIn pages, noting:
- Organizational structure and reporting relationships
- IT department personnel and help desk staff
- New employee announcements (prime targets during onboarding)
- Company jargon and internal terminology
- Recently departed employees whose accounts might not be immediately deactivated
Social Media Reconnaissance: Facebook, Instagram, Twitter, and TikTok provide personal details:
- Pet names, children’s names, favorite sports teams (common password components and security question answers)
- Vacation schedules (when accounts might be unmonitored)
- Personal interests and hobbies (for building rapport)
Corporate Website Analysis: Studying press releases, executive bios, and “about us” pages to understand:
- Company culture and communication style
- Technology vendors and systems used
- Recent initiatives or changes (creating plausible pretexts)
Technical Reconnaissance: Using tools like:
- Shodan: Identifying exposed services and infrastructure
- Hunter.io: Harvesting corporate email addresses
- Certificate Transparency Logs: Discovering internal domain names
- Have I Been Pwned: Checking if corporate emails appear in previous breaches
This reconnaissance phase costs nothing and reveals a shocking amount of actionable intelligence. Before making a single phone call, attackers know who to target, how to sound legitimate, and which pressure points to exploit.
Phase 2: Vishing (Voice Phishing) – The $300 Call
The core tactic that makes Scattered Spider so effective is vishing—voice phishing. This isn’t robocalling or automated attacks. It’s live, human conversation specifically crafted to manipulate help desk employees.
The Impersonation Call: A typical attack scenario:
Ring, ring.
Help Desk: “IT Service Desk, this is Michael. How can I help you?”
Attacker: “Hey Michael, this is David Chen from the Denver office. Badge number 47293. Look, I’m in a terrible situation—I’m at a client site trying to close this huge deal, and I can’t access my email. My phone’s not getting the MFA push notifications. Client’s getting impatient. Can you help me out here? This is kind of urgent.”
Notice what’s happening:
- Authority and urgency: Creates pressure to act quickly
- Specific details: Badge number, office location, realistic scenario
- Emotional manipulation: Appealing to help desk’s problem-solving instinct
- Legitimate-sounding problem: MFA issues are common and believable
The Help Desk Response: If the employee follows proper protocols, they’ll verify identity through secondary channels. But under pressure, with a convincing story, and a desire to be helpful, many employees take shortcuts.
The Bypass: The attacker might say:
“Can you just approve the MFA on your end? Or temporarily disable it so I can get in? I’ve got the VP breathing down my neck. You’re saving my life here.”
If successful, the attacker now has authenticated access to corporate email. From there, password reset emails for other services flow through, and the breach expands.
Phase 3: MFA Fatigue and Push Bombing
When direct social engineering doesn’t work, Scattered Spider employs technical harassment techniques:
MFA Fatigue Attacks: Attackers use stolen credentials to generate dozens or hundreds of MFA push notifications to the victim’s phone. At 2 AM, after being woken by the 47th notification, exhausted employees often approve the request just to make it stop.
The Follow-Up Call: The attacker then calls the victim’s personal phone (number obtained through OSINT):
“Hi, this is IT Security. We’re seeing suspicious login attempts on your account. For security purposes, you’re going to receive a verification prompt. Please approve it so we can secure your account.”
The victim, already bombarded with notifications and confused, approves the prompt—unknowingly granting the attacker access.
This technique exploits both technology (MFA systems) and human psychology (confusion, sleep deprivation, desire to resolve the problem). As covered in our guide on phishing awareness, these attacks succeed because they exploit human nature, not technical vulnerabilities.
Phase 4: SIM Swapping for Higher Value Targets
For executives and high-value targets, The Com uses SIM swapping attacks. This technique involves convincing a mobile carrier to transfer the target’s phone number to a SIM card controlled by the attacker.
The Attack Process:
- Research target’s mobile carrier (visible from phone number format)
- Gather personal information through OSINT (birthdate, address, SSN if available from previous breaches)
- Contact carrier pretending to be the victim: “I lost my phone and need my number transferred to my new SIM”
- Once transferred, attacker receives all SMS messages, including MFA codes and password reset links
- Systematically compromise email, banking, and corporate accounts
SIM swapping has become so prevalent that the FBI issued a public service announcement warning about the threat. Yet mobile carriers continue to fall for social engineering, making this attack vector frustratingly effective.
Phase 5: Lateral Movement and Privilege Escalation
Once inside the network with initial access, teenage hackers don’t need elite technical skills. They use readily available tools:
Credential Harvesting: Tools like Mimikatz extract credentials from memory on compromised systems. These credentials often work across multiple systems due to password reuse.
Privilege Escalation: Following guides available on hacking forums, attackers exploit misconfigurations:
- Overly permissive service accounts
- Unpatched vulnerabilities in Windows or Linux
- Weak Active Directory security policies
- Forgotten administrator accounts
Network Mapping: Tools like BloodHound automatically map Active Directory relationships, showing the shortest path from current access level to domain administrator.
Persistence: Installing backdoors and creating additional user accounts ensures access remains even if the initial compromise is discovered.
The sophistication isn’t in the tools—these are publicly available and well-documented. The sophistication is in the social engineering that got them inside in the first place.
The Victims: Fortune 500 Companies Under Siege
The High-Profile Breaches
MGM Resorts (September 2023): Scattered Spider’s most notorious attack paralyzed one of Las Vegas’s largest casino operators for days. Slot machines stopped working, digital room keys failed, and the company lost an estimated $100 million. The initial access? A 10-minute phone call to the help desk. As documented in our ransomware attacks analysis, the recovery process took weeks and required rebuilding entire systems.
Caesars Entertainment (September 2023): Rather than face operational disruption like MGM, Caesars reportedly paid a $15 million ransom. The attackers gained access through similar social engineering tactics, demonstrating that even after MGM’s public breach, enterprises remained vulnerable to the same techniques.
Nike: The athletic apparel giant confirmed unauthorized access to internal systems. While Nike hasn’t disclosed the full extent of the compromise, sources indicate customer data and proprietary product designs were accessed.
Chick-fil-A: The fast-food chain discovered that attackers had accessed employee and customer information through compromised corporate accounts. The breach highlighted vulnerabilities in franchisee management systems.
Instacart: The grocery delivery platform detected suspicious account activity traced back to internal credential compromise. The timing, shortly before their IPO, added financial pressure and regulatory scrutiny.
News Corporation: Media companies have become attractive targets for both financial and political reasons. News Corp’s breach potentially exposed journalist communications and unpublished content.
The Common Thread
Every single one of these breaches began with social engineering. Not zero-day exploits. Not advanced persistent threat techniques. Not nation-state malware. Just teenagers making phone calls.
The pattern is consistent:
- Research the target using public information
- Call the help desk impersonating an employee
- Obtain initial access through password reset or MFA bypass
- Move laterally through the network
- Sell access to ransomware operators or directly extort the victim
The entire process, from initial research to full network compromise, can happen in less than 24 hours. As we’ve detailed in our Enterprise Cybersecurity Policy guide, the weakest link in any security chain is human behavior under pressure.
The Federal Response: FBI’s Escalating Manhunt
Arrests and Indictments
The FBI, working with CISA and international partners, has begun making arrests. Several teenage members of Scattered Spider have been apprehended:
November 2023: A 19-year-old was arrested in the UK on charges related to the MGM and Caesars attacks. Extradition proceedings are ongoing.
January 2024: Federal agents arrested three individuals in California and Florida, charging them with conspiracy to commit wire fraud and computer intrusion.
Ongoing Investigations: The FBI has identified dozens of additional suspects but faces challenges. Many are minors, complicating prosecution. Some operate internationally, requiring complex extradition processes. And the decentralized nature of The Com means arresting a few individuals doesn’t dismantle the network.
The Legal Consequences
Teenagers arrested for cybercrime face serious federal charges:
Computer Fraud and Abuse Act (CFAA): Violations carry up to 10 years per count. Multiple counts are typically charged in complex breaches.
Wire Fraud: Each fraudulent communication is a separate count, with penalties up to 20 years per count.
Conspiracy: Coordinating with others adds additional charges and penalties.
Aggravated Identity Theft: Using stolen credentials carries a mandatory 2-year sentence on top of other penalties.
For a first-time offender involved in a major breach like MGM, federal sentencing guidelines could recommend 5-10 years in federal prison. The era of lenient treatment for “just kids” is over—prosecutors are pursuing maximum sentences to deter others.
The Challenge of Attribution
Despite the arrests, attribution remains challenging. The Com operates as a loosely affiliated network, not a hierarchical organization. Members use pseudonyms, VPNs, encrypted communications, and cryptocurrency. Proving specific individuals conducted specific attacks requires extensive digital forensics.
Moreover, the international nature of the threat complicates prosecution. A 17-year-old in the UK who social engineered a company in the US may face charges in multiple jurisdictions with different legal standards for cybercrime and juvenile offenders.
Defense Strategies: How Enterprises Can Protect Against Teenage Hackers
Rethinking Help Desk Security
Your help desk is your weakest link. Here’s how to strengthen it:
Multi-Channel Verification: Never reset credentials or disable MFA based solely on a phone call. Require:
- Verification through a different communication channel (email to verified address, callback to registered phone number)
- Validation of multiple identity factors (not just badge number, which can be guessed)
- Manager approval for sensitive changes
- Mandatory waiting periods for urgent requests (if it’s truly urgent, the manager can expedite)
Standardized Protocols: Create scripts that help desk staff MUST follow, regardless of pressure:
“I understand this is urgent, but our security policy requires I verify your identity through your registered email address. I’m sending a verification code now. This policy applies to everyone, including executives. I’ll wait while you check your email.”
Pressure Testing: Run regular simulations where security teams attempt to social engineer help desk staff. Make it game-like, not punitive. Employees who successfully resist social engineering attempts should be recognized and rewarded.
Authority Hierarchy: Help desk employees should never feel pressured to violate security policies, even for executives. Establish clear escalation paths and empower staff to say: “Let me get my supervisor to help with this request.”
As outlined in our zero trust architecture guide, “never trust, always verify” applies especially to identity verification.
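The verification rules above can be enforced in the help desk tooling itself rather than left to an agent's judgement under pressure. The following is an added illustration, not code from any product or from the article's author: a small Python model of a reset/MFA-change request that cannot be executed until a code sent to the email address on file has been entered, the agent has called back the phone number on file (never a number the caller offers), and the employee's manager has approved. A badge number is checked but treated as an identifier, not a secret. The directory entries, the 15-minute waiting period and the function names are constructed assumptions.

```python
"""Help desk workflow gate for credential resets and MFA changes (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed waiting period for sensitive changes; a manager may expedite it.
WAITING_PERIOD_SECONDS = 15 * 60
SENSITIVE_ACTIONS = {"password_reset", "mfa_disable", "mfa_device_enroll"}

# Constructed directory records: what the identity system already knows.
DIRECTORY = {
    "dchen": {"email": "dchen@example.com", "phone": "+1-555-0142",
              "manager": "amartin", "badge": "47293"},
}


@dataclass
class ChangeRequest:
    username: str
    action: str
    created_at: float
    # One-time code sent only to the email address on file.
    email_code: str = field(default_factory=lambda: f"{secrets.randbelow(1_000_000):06d}")
    email_verified: bool = False
    callback_verified: bool = False
    manager_approved: bool = False
    expedited: bool = False


def open_request(username, action, claimed_badge, now):
    """Start a request. A badge mismatch rejects; a match alone proves nothing."""
    rec = DIRECTORY.get(username)
    if rec is None:
        raise KeyError(f"unknown user {username}")
    if action not in SENSITIVE_ACTIONS:
        raise ValueError(f"unsupported action {action}")
    if not hmac.compare_digest(claimed_badge, rec["badge"]):
        raise PermissionError("badge number does not match directory")
    return ChangeRequest(username, action, now)


def verify_email_code(req, entered):
    """Caller reads back the code from the email address on file."""
    req.email_verified = hmac.compare_digest(req.email_code, entered)
    return req.email_verified


def verify_callback(req, number_dialed):
    """Agent calls back; only the number on file satisfies this step."""
    req.callback_verified = number_dialed == DIRECTORY[req.username]["phone"]
    return req.callback_verified


def manager_approve(req, approver, expedite=False):
    """Only the manager of record may approve (or expedite) the change."""
    if approver != DIRECTORY[req.username]["manager"]:
        return False
    req.manager_approved = True
    req.expedited = expedite
    return True


def can_execute(req, now):
    """Return (allowed, list of unmet requirements) for the request."""
    missing = []
    if not req.email_verified:
        missing.append("email code")
    if not req.callback_verified:
        missing.append("callback to number on file")
    if not req.manager_approved:
        missing.append("manager approval")
    waited = now - req.created_at >= WAITING_PERIOD_SECONDS
    if not (waited or req.expedited):
        missing.append("waiting period")
    return (not missing, missing)


if __name__ == "__main__":
    req = open_request("dchen", "mfa_disable", "47293", now=1000.0)
    print(can_execute(req, 1000.0))  # nothing verified yet: blocked
```

Because every check writes its result into the request object and `can_execute` re-evaluates all of them, an agent cannot skip a step under pressure; the urgency argument only has a legitimate outlet through the manager's `expedite` flag, which is itself an auditable action.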
MFA Done Right
Multi-factor authentication is essential, but implementation matters:
Avoid SMS and Voice Calls: These are vulnerable to SIM swapping. Use:
- Hardware security keys (YubiKey, Titan)
- Authenticator apps (Microsoft Authenticator, Google Authenticator)
- Push notifications with number matching (user must enter a specific number to approve)
Implement MFA Fatigue Protection: Modern MFA systems can detect rapid-fire authentication attempts and automatically:
- Block additional attempts after 3-5 denials
- Alert security teams to potential attacks
- Lock accounts pending investigation
- Require in-person verification to unlock
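The fatigue protections listed above can be checked against an authentication log before an MFA vendor's feature is relied on. The code below is an added example, not part of the article or of any MFA product: it replays a constructed push-notification log through a small guard that counts denials per user in a sliding window, suppresses further pushes and alerts once the threshold is reached, and refuses an approval that arrives while the account is locked. The log format, the 10-minute window and the threshold of three denials are assumptions chosen to match the 3-5 denial guidance.

```python
"""MFA push-fatigue guard replayed over a constructed log (added example)."""
import re
from collections import defaultdict, deque

DENIAL_THRESHOLD = 3     # lock after this many denials (article: 3-5)...
WINDOW_SECONDS = 600     # ...inside an assumed 10-minute sliding window

# Constructed log lines: <unix_ts> <user> <event> <source_ip>
SAMPLE_LOG = [
    "1700000000 dchen push_sent 198.51.100.23",
    "1700000012 dchen push_denied 198.51.100.23",
    "1700000040 dchen push_sent 198.51.100.23",
    "1700000051 dchen push_denied 198.51.100.23",
    "1700000075 dchen push_sent 198.51.100.23",
    "1700000088 dchen push_denied 198.51.100.23",
    "1700000100 dchen push_sent 198.51.100.23",      # fourth push: must not reach the phone
    "1700000130 dchen push_approved 198.51.100.23",  # worn-down approval: must not count
    "1700000200 jsmith push_sent 203.0.113.5",
    "1700000210 jsmith push_approved 203.0.113.5",   # ordinary single approval
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<user>\S+) (?P<event>push_sent|push_denied|push_approved) (?P<ip>\S+)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


class PushGuard:
    def __init__(self, threshold=DENIAL_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.denials = defaultdict(deque)  # user -> timestamps of recent denials
        self.locked = set()                # users pending in-person unlock
        self.alerts = []                   # messages for the security team

    def handle(self, ev):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "push_sent":
            # No further pushes are delivered while the account is locked.
            return "suppressed" if user in self.locked else "delivered"
        if ev["event"] == "push_denied":
            q = self.denials[user]
            while q and ts - q[0] > self.window:   # drop denials outside the window
                q.popleft()
            q.append(ts)
            if len(q) >= self.threshold and user not in self.locked:
                self.locked.add(user)
                self.alerts.append(
                    f"MFA fatigue suspected for {user}: {len(q)} denials "
                    f"within {self.window}s from {ev['ip']}; account locked"
                )
            return "recorded"
        # push_approved: an approval during a lock is not honoured.
        return "rejected" if user in self.locked else "accepted"


def run_guard(lines, **kwargs):
    """Replay log lines; return per-line decisions, alerts and locked users."""
    guard = PushGuard(**kwargs)
    decisions = [guard.handle(parse_line(line)) for line in lines]
    return decisions, guard.alerts, guard.locked


if __name__ == "__main__":
    for item in zip(SAMPLE_LOG, run_guard(SAMPLE_LOG)[0]):
        print(*item)
```

The point of the replay is the two decisions after the lock: the fourth push is never delivered, so there is no prompt for a tired employee to approve, and an approval that somehow arrives anyway is rejected rather than trusted.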
Conditional Access Policies: Require stronger authentication for:
- Access from new devices or locations
- Administrative actions
- Sensitive data access
- Outside business hours
Education: Employees must understand they should NEVER approve an MFA request they didn’t initiate, regardless of who calls claiming to be IT.
Training That Actually Works
Most security awareness training fails because it’s boring, abstract, and disconnected from real threats. Effective training:
Uses Real Scenarios: Show actual attack transcripts from Scattered Spider breaches. Let employees hear what these social engineering calls sound like.
Tests Under Pressure: Don’t just teach—test. Conduct realistic phishing and vishing simulations. When employees fail, provide immediate, personalized feedback.
Gamification: Track department performance. Celebrate teams that successfully identify and report simulated attacks. Create friendly competition.
Executive Participation: When the CEO participates in security training and publicly acknowledges being fooled by a simulation, it removes stigma and increases buy-in.
Continuous Reinforcement: Annual training doesn’t work. Brief, frequent reminders and ongoing simulations keep security top-of-mind.
For comprehensive training frameworks, see our guide on phishing awareness for employees.
Technical Controls
Technology can’t replace human vigilance, but it can provide crucial guardrails:
User Behavior Analytics (UBA): AI-powered systems that learn normal behavior patterns and alert on anomalies:
- Account access from unusual locations
- Unusual data downloads
- Access to systems the user doesn’t normally use
- Activity outside normal working hours
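To make the four anomaly types concrete, here is an added example (not code from the article or from any UBA product) that builds a per-user baseline of countries, systems, working hours and largest transfer from a constructed history of normal activity, then scores new events against it. The event format, the sample records and the five-times volume threshold are assumptions; a production system would use far more history and statistical rather than min/max bounds, but the logic is the same.

```python
"""Per-user behaviour baseline and anomaly scoring (added example)."""
import re

# Constructed event format: <ISO minute> <user> <country> <system> <bytes_transferred>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}) (?P<user>\S+) "
    r"(?P<country>[A-Z]{2}) (?P<system>\S+) (?P<bytes>\d+)$"
)

HISTORY = [  # constructed week of ordinary activity for one employee
    "2024-03-04T09:05 dchen US crm 1200000",
    "2024-03-04T13:40 dchen US mail 300000",
    "2024-03-05T10:15 dchen US crm 2500000",
    "2024-03-06T16:50 dchen US mail 450000",
    "2024-03-07T08:55 dchen US crm 1800000",
    "2024-03-08T17:30 dchen US mail 200000",
]
NEW_EVENTS = [
    "2024-03-11T10:02 dchen US crm 1400000",             # ordinary Monday morning
    "2024-03-12T02:14 dchen RO hr-fileshare 950000000",  # 2 AM, new country and system, huge pull
    "2024-03-12T11:00 mrivera US mail 100000",           # user with no history yet
]


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["hour"] = int(ev["hour"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def build_baseline(lines):
    """Learn, per user, the countries, systems, hour range and largest transfer seen."""
    base = {}
    for ev in map(parse, lines):
        b = base.setdefault(ev["user"], {"countries": set(), "systems": set(),
                                         "earliest": 24, "latest": -1, "max_bytes": 0})
        b["countries"].add(ev["country"])
        b["systems"].add(ev["system"])
        b["earliest"] = min(b["earliest"], ev["hour"])
        b["latest"] = max(b["latest"], ev["hour"])
        b["max_bytes"] = max(b["max_bytes"], ev["bytes"])
    return base


def score(ev, base, volume_factor=5):
    """Return the list of anomaly flags for one event (empty means normal)."""
    b = base.get(ev["user"])
    if b is None:
        return ["no baseline for user"]
    flags = []
    if ev["country"] not in b["countries"]:
        flags.append("unusual location")
    if ev["system"] not in b["systems"]:
        flags.append("system not normally used")
    if not (b["earliest"] <= ev["hour"] <= b["latest"]):
        flags.append("outside normal hours")
    if ev["bytes"] > volume_factor * b["max_bytes"]:
        flags.append("unusual download volume")
    return flags


def detect(history_lines, new_lines):
    """Score each new event against the baseline learned from history."""
    base = build_baseline(history_lines)
    return [(ev["ts"], ev["user"], score(ev, base)) for ev in map(parse, new_lines)]


if __name__ == "__main__":
    for ts, user, flags in detect(HISTORY, NEW_EVENTS):
        print(ts, user, flags or "normal")
```

An event that trips several flags at once, as the 2 AM record does, is the signature worth paging on; a single flag (a new system during the working day) is more often a routine change of duties and belongs in a lower-priority queue.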
Privileged Access Management (PAM): Strictly control and monitor administrative accounts:
- Just-in-time access (privileges granted only when needed, automatically revoked)
- Session recording for all administrative actions
- Approval workflows for sensitive operations
- Automatic account deprovisioning when employees leave
Identity Threat Detection and Response (ITDR): Specialized tools that monitor for identity-based attacks:
- Unusual privilege escalation attempts
- Credential spray attacks
- Anomalous authentication patterns
- Potential account takeover indicators
Network Segmentation: Limit lateral movement by segmenting networks:
- Separate networks for different trust levels
- Micro-segmentation for critical assets
- Zero trust network access (ZTNA) replacing VPNs
- Least-privilege network permissions
Incident Response Planning
When (not if) a breach occurs, response speed matters enormously:
Pre-Approved Actions: Security teams should have authority to:
- Immediately disable compromised accounts
- Isolate affected systems from the network
- Activate communication protocols
- Engage external incident response support
Communication Templates: Pre-written templates for:
- Internal notifications (IT, leadership, legal)
- Customer communications
- Regulatory notifications
- Media responses
Tabletop Exercises: Regular simulations of various breach scenarios, including social engineering attacks by teenage hackers. Test communication, decision-making, and technical response capabilities.
Retainer Agreements: Pre-negotiate contracts with:
- Incident response firms
- Digital forensics specialists
- Crisis communication consultants
- Legal counsel specialized in cybersecurity
For comprehensive incident response frameworks, review our ICS cybersecurity breach response guide.
The Bigger Picture: What The Com Reveals About Modern Cybersecurity
The Failure of Technology-First Security
The success of teenage hackers using simple social engineering exposes a fundamental flaw in how organizations approach cybersecurity. Billions are spent on firewalls, intrusion detection systems, endpoint protection, and security information and event management (SIEM) platforms. Yet all that technology is bypassed by a convincing phone call.
This isn’t a criticism of security technology—these tools are essential. But they’re insufficient. Organizations have optimized for defending against technical attacks while leaving the human attack surface largely unprotected.
The Social Engineering Crisis
According to the Verizon 2024 Data Breach Investigations Report, 74% of breaches involved the human element—social engineering, errors, or misuse of privileges. This statistic hasn’t improved despite years of security awareness training.
Why? Because traditional training doesn’t account for human psychology under pressure:
- Authority bias: We’re conditioned to comply with authority figures
- Urgency pressure: Time pressure reduces critical thinking
- Helpfulness instinct: Help desk employees want to solve problems
- Cognitive overload: Employees juggling multiple priorities miss red flags
- Normalization of deviance: Small security violations become routine
Effective defenses must acknowledge these psychological realities and build systems that work with human nature, not against it.
The Evolution of Threat Actors
The cybersecurity industry has traditionally categorized threat actors by sophistication: nation-states at the top, followed by organized crime, hacktivists, and amateur hackers at the bottom.
Scattered Spider doesn’t fit this model. They’re technically unsophisticated but strategically brilliant. They understand that the path of least resistance isn’t through firewalls—it’s through people. They’ve industrialized social engineering, creating repeatable processes that require no specialized technical skills.
This has profound implications. If teenagers with no formal training can breach Fortune 500 companies, what does that mean for threat modeling? For security investment priorities? For vulnerability assessment?
It means the human factor can no longer be treated as a secondary concern. It must be central to security strategy, with investments in training, process, and culture proportional to the risk it represents.
Conclusion: The Insider Threat You Didn’t Expect
The story of The Com and Scattered Spider isn’t really about teenage hackers. It’s about the fundamental vulnerability of trust in digital systems.
Every security framework assumes that authenticated users are who they claim to be. When that assumption breaks—when a teenager can convincingly impersonate an employee—the entire security model collapses. No amount of firewalls, encryption, or endpoint protection matters when attackers walk through the front door using stolen credentials obtained through a phone call.
The teenagers earning $300 per call on Telegram aren’t exploiting zero-day vulnerabilities or deploying sophisticated malware. They’re exploiting something far more fundamental: the human desire to be helpful, combined with inadequate verification processes and pressure to prioritize productivity over security.
What This Means for Your Organization
If Scattered Spider teaches us anything, it’s that your security is only as strong as your weakest verification process. The teenager who calls your help desk tomorrow might sound exactly like your CFO. Can your employees tell the difference? Do they know what to do if something feels off? Are they empowered to push back against authority when security is at stake?
These aren’t technical questions—they’re cultural ones. Building resilience against social engineering requires:
- Leadership commitment: Security must be a core value, not a compliance checkbox
- Process discipline: Following verification procedures even when inconvenient
- Psychological safety: Employees must feel safe questioning authority and reporting mistakes
- Continuous improvement: Learning from each incident and simulation to strengthen defenses
The Future of Social Engineering Attacks
As AI and deepfake technology advance, social engineering attacks will become even more convincing. Voice cloning can now perfectly replicate someone’s voice from a few seconds of audio. Video deepfakes can convincingly impersonate executives on video calls. The attackers will have better tools, more realistic impersonation capabilities, and greater scale.
Your defense must evolve accordingly. Multi-channel verification isn’t optional—it’s essential. Out-of-band confirmation isn’t paranoid—it’s prudent. Training employees to trust their instincts when something feels wrong isn’t sufficient—they need clear protocols and organizational support.
As we explored in our article on cybersecurity in 2025, the threat landscape is evolving faster than most organizations can adapt. The gap between attacker sophistication and defensive capabilities is widening, particularly in the human layer of security.