Today — 12 May 2026, Main stream

Pressure mounts on Canvas as data leak extortion deadline looms

11 May 2026 at 19:31

Pressure is mounting on Instructure, the company behind Canvas, as cybercriminals threaten to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform.

Widespread outages left schools, students and teachers temporarily unable to access critical data late last week after the company took Canvas offline following additional malicious activity, including a defacement of the platform’s login page. By Friday, the company said Canvas — a central hub for K-12 and university coursework, exams, grades and communication — was back online and fully operational. 

ShinyHunters, a decentralized crew of prolific cybercriminals affiliated with The Com, claimed responsibility for the attack on its data leak site and is attempting to extort the company for an unknown ransom amount. Instructure hasn’t confirmed the existence of a ransom demand and declined to answer questions about its response.

The threat group initially set a deadline of May 6 — four days after Instructure previously said the incident was contained soon after it disclosed the attack — claiming it stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems. 

When that deadline passed without payment, ShinyHunters escalated its pressure on the company by “injecting an extortion message directly into the Canvas login pages of roughly 330 institutions, and pivoted to school-by-school extortion with a current deadline of May 12,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told CyberScoop.

“The scope makes this one of the largest single education-sector exposures we’ve tracked,” she added.

The additional public pressure prompted Instructure to take Canvas offline, disrupting schoolwork and access to critical systems nationwide.

Instructure CEO Steve Daly apologized over the weekend for the company’s inconsistent communication and deficient public response to the cyberattack. 

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” he said in a statement.

Daly acknowledged that the attack, which remains under investigation aided by CrowdStrike, exposed usernames, email addresses, course names, enrollment information and messages. He insisted that course content, submissions and credentials were not compromised.

The temporary but widespread disruption has spurred broad concern across the education sector as ransomware experts and threat hunters continue to track developments. The cyberattack also caught the attention of lawmakers on Capitol Hill.

The House Homeland Security Committee on Monday published a letter to Daly seeking a briefing with him or a senior leader at Instructure by May 21. 

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” House Homeland Security Chairman Andrew Garbarino, R-N.Y., wrote in the letter to Daly.

The committee wants to learn more about the “circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency,” he added.

CISA did not describe the extent of its involvement in Instructure’s response. “CISA is aware of a potential cyber incident affecting Canvas. As the nation’s cyber defense agency, we provide voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” Chris Butera, the agency’s acting executive assistant director for cybersecurity, said in a statement.

Instructure’s timeline of the attack has changed and remains incomplete. The company said it first detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access and initiated an incident response. Researchers not directly involved with the formal investigation said ShinyHunters gained access to Canvas at least a few days earlier.

The follow-on malicious activity on May 7 — the defacement of public login pages — was tied to the same incident, the company said. 

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said in an updated post about the incident.

Instructure did not answer questions about the vulnerability or explain how attackers intruded into its systems. The company said it also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.

Canvas is fully operational and safe to use, the company said, adding that CrowdStrike has reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.”

Access still remains spotty and unavailable for some Canvas users as school districts restore the platform in phases after conducting their own internal checks.

Halcyon published an alert about the attack Friday, including a screenshot of the message that some school staff, guardians and students encountered before Instructure took the learning management system offline.

ShinyHunters threatened Instructure and all affected schools, demanding that they contact the threat group and reach a resolution by end of day Tuesday. The cybercrime group, which has a “known pattern of removing victim entries once communications and negotiations have started,” removed Instructure from its data leak site after it defaced the Canvas login pages, Halcyon said.

ShinyHunters is a notorious data theft extortion group that previously hit major cloud platforms, including Salesforce and Snowflake, via voice phishing, credential theft and supply-chain attacks. 

“Historically, their claims of compromise typically hold up, but they often exaggerate the impact, scale, and type of data stolen,” Kaiser said.

Education is a recurring and consistent target for cybercriminals. Researchers at Halcyon tracked more than 250 ransomware attacks on education institutions globally last year. Yet, the attack on Canvas stands apart from most of these attacks because of its widespread use and downstream impact.

“This is student, parent, and staff data, including minors, which creates downstream phishing and impersonation risk that will outlast the immediate incident,” Kaiser said. 

“By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move, which is the same playbook Clop ran against Oracle EBS customers last fall,” she added. “Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact, and it highlights a trend of third-party software vendors now being part of an attack surface, and causing cascading effects across an entire sector.”

Cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims to not pay ransoms, but they also often acknowledge that companies have to make tough decisions based on their own interests and the security of their customers or users caught up in the aftermath.

Allison Nixon, chief research officer at Unit 221B, said the threat group claiming responsibility for the attack should not be trusted. 

“They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data,” she told CyberScoop. “This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past.”

Instructure hasn’t indicated what it plans to do as part of any effort to prevent the leak of stolen data. 

Daly — a longtime security executive who was previously CEO at Ivanti — ended his mea culpa with a pledge to improve communications and provide a summary of a forensics report soon.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward,” he said. 

“Rebuilding trust takes time,” Daly added. “We’re going to earn it back through consistent action and honest communication.”

The post Pressure mounts on Canvas as data leak extortion deadline looms appeared first on CyberScoop.

Before yesterday, Main stream

Two new extortion crews are speedrunning the Scattered Spider playbook

30 April 2026 at 11:00

A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.

The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release. 

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.

This “new wave of ecrime threat actors” is closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said.

Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns. 

CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others. 

Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeted employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said.

These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims’ entire SaaS ecosystems.

Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. 

The data theft for extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures for each subgroup are distinct. These variances include hours of operation, different phishing domain providers, preferred operating systems, data leak sites, and the tools or devices they used to register for multi-factor authentication. 

The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.

CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said demands from Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.

Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said. 

CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic. 

Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. 

“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

BlackFile actively extorting data-theft victims in retail and hospitality sector

27 April 2026 at 10:18

Researchers warn that BlackFile, an extortion group likely associated with The Com, continues to impersonate IT support in voice-phishing and social engineering attacks that have impacted organizations in multiple industries, including healthcare, technology, transportation, logistics, wholesale and retail.

Attackers have been actively targeting organizations in the retail and hospitality industry since February, according to Unit 42’s latest intelligence on the campaign, which the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) released alongside indicators of compromise Thursday.

The threat group, which is also tracked as CL-CRI-1116, UNC6671 and Cordial Spider, appears to be targeting victims opportunistically in a campaign that remains active and ongoing, Matt Brady, senior principal researcher at Palo Alto Networks’ Unit 42, told CyberScoop. 

“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range,” Brady said.

Unit 42 declined to say how many organizations have been impacted thus far, and RH-ISAC did not respond to a request for comment.

BlackFile’s attacks against companies in the retail and hospitality sector are part of a broader wave of voice-phishing attacks initiated by multiple cybercrime groups, which Google Threat Intelligence Group and Okta warned about in January. 

Unit 42 also noted that BlackFile’s activities overlap with an ongoing data theft and extortion campaign CrowdStrike has been tracking as Cordial Spider since at least October 2025.

Yet, the threat group’s tactics have been far from cordial. RH-ISAC said some attackers have swatted company personnel, including executives, to increase leverage and pressure victims to pay their ransom demands. 

The threat group lures victims via voice-phishing attacks and phishing pages mimicking corporate single sign-on services to steal credentials before moving into privileged accounts.

“They scrape internal employee directories to obtain contact lists for executives,” RH-ISAC wrote in a blog post. “By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”

The group’s unauthorized access and data theft for extortion activity spans SaaS environments, Microsoft Graph API permissions, Salesforce API access, internal repositories, SharePoint sites and datasets containing employees’ phone numbers and business records.

BlackFile also created a data-leak site to extort victims that it claims ignored or failed to agree to its demands, according to researchers. 

Brady said Unit 42 has observed relatively consistent activity from the threat group since February. 

RH-ISAC advises organizations to manage multi-factor identity verification for callers and limit the IT support actions that can be completed in a single call without escalation to management.

The post BlackFile actively extorting data-theft victims in retail and hospitality sector appeared first on CyberScoop.

Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety

21 April 2026 at 14:51

A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 

Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 

Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 

The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.

Victims included high net worth individuals and businesses in the entertainment, telecom, technology, business process outsourcing, IT, cloud and virtual currency sectors, officials said.

Buchanan and his co-conspirators were part of an aggressive subset of The Com coined Scattered Spider. While The Com and its offshoots don’t operate with formal leaders in the traditional sense, Buchanan played a crucial role in the operation, according to Allison Nixon, chief research officer at Unit 221B.

“[Buchanan] was the glue that held this gang together. His success at wiping out victims’ savings made him a target for both law enforcement and rival Com gangs,” Nixon told CyberScoop.

“[Buchanan] is part of an older generation that came from certain toxic gaming servers before the pandemic. People from this generation learned hacking in order to steal vanity usernames and bully kids before using it to steal peoples’ savings,” she added.

Federal authorities filed charges against five individuals with links to the Scattered Spider cybercrime outfit in 2024. Buchanan and Urban’s alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo and Joel Martin Evans — still face charges in the case, officials said. 

Nixon lauded law enforcement for acting decisively to arrest Buchanan during a brief window of opportunity while he was traveling internationally. 

“Com members are obsessed with private jets and foreign vacations, and the feds took that dream away with one arrest,” she said. 

The tactic, which U.S. officials also use against Russian cybercriminals, works because most countries are willing to support the arrest of foreign criminals, thereby keeping them out of their respective jurisdictions, Nixon said.

“As a foreigner, he was caught in a weaker legal position than if he was arrested at home, and cases following this tactic tend to have very long sentences,” she added. “The takeaway for Com members watching this case is that criminal foreigners associated with violence are the lowest class in every country. And that’s what Com members are when they travel.”

The Justice Department said Buchanan and his co-conspirators defrauded at least a dozen companies and their employees throughout the United States. A digital device police found at his residence in April 2023 contained personal data on numerous individuals and victim companies, according to his plea agreement.

It’s unclear what transpired between that search in April 2023 in Scotland and his June 2024 arrest at a resort city on the Spanish island of Mallorca. Moreover, his plea agreement doesn’t include the entirety of his alleged crimes. 

Buchanan attracted a lot of attention and successfully coordinated many attacks before a rival Com gang allegedly broke into his home and used a blowtorch on him to extract crypto keys in his possession, according to Nixon. 

Following his arrest, Spanish police said Buchanan had gained control of bitcoin worth more than $27 million at that time. 

While early leaders of Scattered Spider have been arrested or sentenced for their crimes, others have filled those roles with even more exceptional impact. 

The Com has grown to thousands of members, typically between 11 and 25 years old, splintered into three primary subsets the FBI describes as Hacker Com, In Real Life Com and Extortion Com.

Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes. 

You can read the indictment against Buchanan and some of his co-conspirators below.

The post Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety appeared first on CyberScoop.

Project Compass: first operational results against The Com network

By: Dissent
2 March 2026 at 14:31
Europol reports: In its first year of operation, Project Compass has delivered concrete operational results against “The Com”, a decentralised extremist network targeting minors and vulnerable individuals both online and offline. Since January 2025, Project Compass has contributed to: 4 victims safeguarded; 30 perpetrators arrested; 62 identified and partially identified victims; 179 identified and partially...


Project Compass is Europol’s new playbook for taking on The Com

26 February 2026 at 16:21

A global law enforcement effort has taken root to combat The Com, a sprawling nihilistic network of thousands of minors and young adults engaged in various forms of cybercrime, including physical violence and extortion.

Project Compass, an operation coordinated by Europol with support from 28 countries, including all members of the Five Eyes, has resulted in the arrest of 30 perpetrators since the initiative got underway in January 2025, authorities said in a news release Thursday. 

Officials said sustained countermeasures have contributed to the full and partial identification of 179 perpetrators, while the operation has also safeguarded four victims and identified up to 62 victims. 

The Com is splintered into three primary subsets with different objectives the FBI describes as Hacker Com, In Real Life Com and Extortion Com. Crimes attributed to group members have grown increasingly complex, with perpetrators going to great lengths to mask identities, hide financial transactions and launder money. 

“These networks deliberately target children in the digital spaces where they feel most at ease,” Anna Sjöberg, head of Europol’s European Counter Terrorism Centre, said in a statement.

Various branches of The Com have been linked to high-profile crimes over the past few years, and law enforcement has responded with heightened activity and interest in the group’s activities. 

The Com is vast — many perpetrators remain at large and even more victims are still suffering and awaiting aid. 

This growing global effort to thwart shifting crime trends with appropriate resources has built a foundation that will foster results beyond those achieved to date, said Allison Nixon, chief research officer at Unit 221B.

“How do you eat an elephant? One bite at a time,” she told CyberScoop. “The Com represents a major social problem impacting youth, and peoples’ expectations need to be realistic. These early numbers and ramping up effort over time is what success looks like and we need to encourage that.”

An effective police response to The Com requires a different way of thinking and retooling, “but it is more solvable than crime originating from hostile nations,” Nixon said.

Project Compass is built around an information-sharing network, which enables each of the partner nations to assist with investigations across various specialized units. Countries are also sharing advice for preventative measures and mobilizing data sprints to bring intelligence together for ongoing cases.

“Project Compass allows us to intervene earlier, safeguard victims and disrupt those who exploit vulnerability for extremist purposes,” Sjöberg said. “No country can address this threat alone — and through this cooperation, we are closing the gaps they try to hide in.”

Europol did not identify the 30 people arrested under Project Compass thus far. Yet, at least some of those cases are public. 

Authorities during the past year have arrested multiple members of a Com offshoot known as 764, a growing online threat that coerces vulnerable children to produce child sexual abuse material of themselves, gore material, self-mutilation, sibling abuse, animal abuse and other acts of violence.

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April.

Tony Christopher Long and Alexis Aldair Chavez both pleaded guilty late last year to multiple crimes linked to their involvement with the extremist group. Other alleged 764 members have been arrested in the United States more recently, including Erik Lee Madison and Aaron Corey.

The post Project Compass is Europol’s new playbook for taking on The Com appeared first on CyberScoop.

Alleged 764 member arrested, charged with CSAM possession in New York

5 February 2026 at 11:28

A 23-year-old New York man allegedly affiliated with 764 was arrested and charged with receiving child sexual abuse material. Aaron Corey of Albany, N.Y., faces up to 20 years in prison for trafficking CSAM during a three-month period ending in December.

Corey, also known as “Baggeth,” is accused of running multiple 764-related chats, seeking CSAM from other people affiliated with the nihilistic violent extremist collective. Investigators said they found multiple images and videos of children, some as young as 2 years old, depicting child sexual abuse on Corey’s mobile device, according to court records.

Officials also found evidence on Corey’s computer, including a search for “parks near me for kids” and multiple visited URLs about relationships with minors. An FBI agent investigating Corey said his online moniker was potentially derived from his attempts to get girls to place bags over their heads, according to a criminal complaint filed in the U.S. District Court for the Northern District of New York.

“The 764 network is a depraved criminal group that exploits vulnerable children and revels in their abuse,” Deputy Attorney General Todd Blanche said in a statement. “The very serious crimes alleged in this indictment will be aggressively prosecuted until justice is served, as the Justice Department and federal partners continue efforts to take down this violent extremist network.”

Authorities have arrested multiple members of 764 during the past year, reflecting heightened law enforcement activity targeting the violent extremist collective and other offshoots affiliated with The Com. The FBI has long been investigating the group’s use of cybercriminal tactics to carry out their crimes.

The sprawling nihilistic network of thousands of people, typically between 11 and 25 years old, engages in a growing online threat to coerce vulnerable children to produce CSAM of themselves, gore material, self mutilation, sibling abuse, animal abuse and other acts of violence. 

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April. The two men are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Tony Christopher Long, of California, pleaded not guilty in November to multiple charges carrying a maximum penalty up to 69 years in prison related to his alleged involvement in the nihilistic violent extremist group. 

Erik Lee Madison, of Maryland, was arrested in November and is accused of victimizing at least five children this fall, including one as young as 13 at the time. His alleged criminality dates back to 2020 when he was a minor.

Alexis Aldair Chavez, of San Antonio, pleaded guilty in December to multiple crimes involving the sexual exploitation of children while acting as an administrator and leader of 8884, a splinter group of 764. He faces up to 60 years in prison.

“Preying on our nation’s children, who are among the most vulnerable members of society, is beyond comprehension,” Christopher Raia, co-deputy director of the FBI, said in a statement.

Corey was arrested Monday, appeared in federal court Tuesday and is being detained pending his next court appearance. You can read the full criminal complaint below.

The post Alleged 764 member arrested, charged with CSAM possession in New York appeared first on CyberScoop.

Leader of 764 offshoot pleads guilty, faces up to 60 years in jail

22 December 2025 at 15:00

A 19-year-old man from San Antonio pleaded guilty Friday to multiple crimes involving the sexual exploitation of children while acting as an administrator and leader of 8884, a splinter group of the violent extremist collective known as 764.

Alexis Aldair Chavez faces up to 60 years in prison for racketeering, distribution and possession of child sexual abuse material (CSAM). He was arrested and has been detained without bail since October 2024.

Chavez began associating with 764 as a minor in 2022 when a co-conspirator introduced him to 7997, one of many 764 offshoots affiliated with The Com. Authorities describe The Com as a sprawling nihilistic violent extremist network of thousands of people, typically between 11 and 25 years old, engaged in a growing online threat to coerce vulnerable children to produce CSAM of themselves, gore material, self mutilation, sibling abuse, animal abuse and other acts of violence.

“Chavez led a group of online predators whose ultimate purpose is to destroy our society,” Sue Bai, principal deputy assistant attorney general for national security, said in a statement. “They tried to achieve that heinous goal by desensitizing innocent children to violence — coercing them to perform gruesome and harmful acts against themselves and animals — with the hope of encouraging further violence and spreading chaos.”

Prosecutors said Chavez “earned the right” to participate in 7997 chat rooms by killing his cat and posting a video of the crime for others to view. He later groomed multiple victims to blackmail and coerce additional victims, all to increase reputation within the group’s ranks, according to federal court records.

Chavez attempted to coerce a girl to commit suicide and blackmailed another girl into self-mutilation, animal torture and illicit content production in late 2023. He later worked with multiple co-conspirators and blackmailed some of his victims to coerce other girls to degrade themselves on camera and produce CSAM.

The indictment filed against Chavez in the U.S. District Court for the Western District of Texas details a series of horrifying crimes he committed with co-conspirators and some of his victims. 

Separately, Chavez coerced multiple minors to harm themselves or engage in various acts of depravity on video chats in the 8884 channel.

“The depraved acts described in the indictment are very normal for these people,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop. 

Nixon, who has studied domestic and English-speaking cybercrime and tracked its rise for more than a decade, said 764 is a “very important tar pit for certain rare, risky personalities” that is likely worthy of scientific study. 

“8884 and 7997 are part of a homogenous 764 copycat soup. All of these groups start to blend together,” she said. “Most of these actors are motivated by attention seeking, and their culture is based on competing to be the worst. Ironically, they all end up being the same.”

When the FBI executed a search warrant at Chavez’s residence in July 2024, prosecutors said he came out the back door and threw his phone over a neighbor’s fence in an attempt to hide evidence.

Chavez’s guilty plea follows a year of heightened law enforcement activity, which has netted arrests of multiple alleged 764 leaders and members.

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April. The two men are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Baron Cain Martin, of Tucson, Arizona, allegedly joined the child sextortion ring as early as 2019, eventually acting as a leader until his arrest late last year. Martin faces 29 charges and, if convicted, up to life in prison.

Tony Christopher Long, of California, pleaded not guilty last month to multiple charges carrying a maximum penalty of up to 69 years in prison related to his alleged involvement in the nihilistic violent extremist group.

Erik Lee Madison, of Maryland, was arrested in November and is accused of victimizing at least five children this fall, including one as young as 13 at the time. His alleged criminality dates back to 2020 when he was a minor.

“All of the 764 cases I’ve seen presented by law enforcement have been high quality and successful, and I hope this work can continue,” Nixon said.

Chavez’s sentencing is set for March 25, 2026. You can read the full indictment below.

The post Leader of 764 offshoot pleads guilty, faces up to 60 years in jail appeared first on CyberScoop.

Maryland man faces federal charges for crimes allegedly linked to 764

12 November 2025 at 11:37

A 20-year-old Maryland man allegedly associated with violent extremist group 764 is in federal custody, facing charges for sexual exploitation of children, online coercion and enticement, and cyberstalking.

Erik Lee Madison, of Halethorpe, Maryland, is accused of victimizing at least five children this fall, including one as young as 13 at the time. His alleged criminality dates back to 2020 when he was a minor.

Madison’s alleged association with 764, an offshoot of The Com, and the crimes he’s accused of follow a common thread of nihilistic violent extremism. Members of the loose-knit collective and associated groups, which span thousands of people, typically between 11 and 25 years old, commit financially motivated, sexual and violent crimes, according to the FBI.

Prosecutors accuse Madison of targeting, stalking and coercing his victims on Discord, Roblox, Instagram, Snapchat and Telegram. Authorities have warned that 764 members use these services to target minors. Some of these platforms sent tips to authorities to report on Madison’s alleged crimes. 

Investigators found multiple pieces of evidence linking Madison to these alleged crimes on his iCloud accounts. The FBI, pursuant to a warrant, searched Madison’s residence Nov. 6 and found multiple accounts and files on his phone linking him to his alleged crimes, according to an affidavit filed in the U.S. District Court for the District of Maryland. 

Madison’s mother provided authorities with the password to his phone. Prosecutors accuse Madison of coercing his victims to create child sexual abuse material and commit self harm and animal torture under threat of harm to the victims, their families and friends. 

Madison’s arrest comes amid a heightened period of law enforcement activity targeting alleged 764 members and leaders.

Baron Cain Martin, 21, of Tucson, Arizona, allegedly joined the child sextortion ring as early as 2019, eventually acting as a leader until his arrest late last year. Martin faces 29 charges and, if convicted, up to life in prison.

Tony Christopher Long, a 19-year-old California man, pleaded not guilty last month to multiple charges carrying a maximum penalty of up to 69 years in prison related to his alleged involvement in the nihilistic violent extremist group.

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April. The two men are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

“We are now seeing the fruits of the government recognizing this as a priority,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop. “Law enforcement has learned a lot in the past few years about these emerging groups and what to look for. The nature of law enforcement will always be reactive, but they are reacting.”

Madison was known to authorities for years and had multiple run-ins with law enforcement while he was a minor. 

Baltimore County Police investigated Madison in May 2020, acting on a tip from Instagram. Madison admitted to a detective that he sent an image depicting child sexual abuse material to another user. The case was closed after the detective explained laws, appropriate internet behavior and proper supervision of teenagers online, according to court records.

In February 2022, the FBI got involved after one of his alleged victim’s parents reported to law enforcement that Madison possessed CSAM and was stalking their child. When an FBI agent interviewed Madison at his residence with his mother’s consent, he admitted to communicating with the girl on Instagram and Snapchat.

The FBI agent, at the time, advised Madison to cease all communications with the child and informed him about the legal consequences of his actions.

A few months later, in June 2022, Madison posted a video of himself sexually abusing his dog, according to court records. When law enforcement seized his phone and conducted forensics, investigators found CSAM. Madison was charged as a minor with animal abuse and possession of CSAM. 

Madison’s alleged yearslong criminality underscores the persistent cycle of hate and violent crime that 764 engenders among its members. The FBI previously said members of 764 and related groups are driven by a range of personal motives, including notoriety, sexual gratification or a sense of belonging. 

Martin wasn’t prominent in 764, but many members blend together in their attempt to achieve infamy, according to Nixon. 

“The problem is complicated by how many of them start before 18. When both sides in an incident are underage, it falls on law enforcement to exercise discretion,” she said. “His 2020 and 2022 interactions with law enforcement had red flags showing it wasn’t a normal teenager relationship.”

Knowledge of 764 wasn’t widespread at that time. “I think if a detective in 2025 was working the same set of facts, they would have reacted more forcefully,” Nixon said. 

She also questioned what resources or type of rehabilitation program could help in cases linked to 764. 

“I don’t think a good program exists that can break the intense human relationships that bond members of violent internet street gangs,” Nixon said. “It’s a huge factor in reoffending.”

You can read the full affidavit below.

The post Maryland man faces federal charges for crimes allegedly linked to 764 appeared first on CyberScoop.

Alleged 764 leader arrested in Arizona, faces life in prison

31 October 2025 at 17:57

Federal law enforcement said a leader of 764, a violent extremist group, has been in federal custody since he was arrested in December and faces 29 charges for running a loose-knit collective involved in child exploitation, cyberstalking, kidnapping, animal torture, wire fraud and murder.

Baron Cain Martin, 21, of Tucson, Arizona, allegedly joined the child sextortion ring as early as 2019, eventually acting as a leader until his arrest late last year, according to an indictment unsealed Thursday in the U.S. District Court for the District of Arizona.

Martin is charged with providing material support to terrorists, producing and distributing child sexual abuse material (CSAM), coercing minors to engage in sexual activity, cyberstalking, animal crushing and conspiracy to commit wire fraud. He faces up to life in prison, many times over.

“This man’s alleged crimes are unthinkably depraved and reflect the horrific danger of 764 — if convicted, he will face severe consequences as we work to dismantle this evil network,” Attorney General Pamela Bondi said in a statement. “I urge parents to remain vigilant about the threats their children face online.”

Martin’s arrest and indictment come amid a flurry of law enforcement activity targeting 764 and its alleged members.

Federal authorities announced Martin’s arrest and unsealed charges filed against him shortly after another alleged 764 member, Tony Christopher Long, a 19-year-old California man, pleaded not guilty to multiple charges carrying a maximum penalty of up to 69 years in prison related to his alleged involvement in the nihilistic violent extremist group.

Two alleged leaders of 764 were arrested and charged for directing and distributing CSAM in April. The two men, Leonidas Varagiannis and Prasan Nepal, are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

“Law enforcement is dogpiling these people and I think that’s great,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop.

“They don’t stop until they are physically ripped off the computer,” she said. “The enormous amount of charges isn’t surprising.”

764 is an offshoot of The Com, a global collective of loosely associated groups spanning thousands of people, typically between 11 and 25 years old, that commit financially motivated, sexual and violent crimes. The FBI previously said members of 764 and related groups are driven by a range of personal motives, including notoriety, sexual gratification or a sense of belonging. 

“[Martin’s] actions as a leader of this criminal network were so atrocious and extreme that he is charged with supporting terrorism,” FBI Director Kash Patel said in a statement. “It’s alleged that Martin not only committed these crimes but wrote and posted a guide for others to use to identify, groom, and extort their own victims.”

Nixon, who has tracked the rise of English-speaking cybercrime for more than a decade, said she found the grooming guide Martin allegedly produced and distributed online. The guide included details about how to identify, groom and extort vulnerable children and advised readers to target victims struggling with mental health, officials said.

Other federal law enforcement officials described Martin’s alleged crimes as “so depraved they defy comprehension,” “an assault on the basic foundations of human decency,” and “promoting some of the sickest forms of human depravity.”

Martin, also known by the online moniker “Convict” among many others, allegedly provided assistance as personnel, service and expert advice to carry out a conspiracy to kill or maim a person in a foreign country, according to authorities. He is also accused of conspiring with others to coerce a victim living outside the United States to self-harm, self-maim and self-kill, officials said.

“He was respected in these communities because of his acts and was influential,” Nixon said. “I would agree he was a leader, and his friends will be reading his court documents with admiration.”

Martin is charged with five counts of producing CSAM, 11 counts of distributing CSAM and three counts of coercing minors to engage in sexual activity. He is accused of victimizing at least nine victims, eight of whom were between the ages of 11 and 15 years old at the time.

“The FBI will not stop until we find those who perpetrate these horrific crimes that prey on the most vulnerable members of our communities,” Patel said.

You can read the full indictment below.

The post Alleged 764 leader arrested in Arizona, faces life in prison appeared first on CyberScoop.

SIM-Swapper, Scattered Spider Hacker Gets 10 Years

20 August 2025 at 21:47

A 20-year-old Florida man at the center of a prolific cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.

Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.

A booking photo of Noah Michael Urban released by the Volusia County Sheriff.

Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com reports the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.

In November 2024 Urban was charged by federal prosecutors in Los Angeles as one of five members of Scattered Spider (a.k.a. “Oktapus,” “Scatter Swine” and “UNC3944”), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.

The targeted SMS scams spanned several months during the summer of 2022, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.

That phishing spree netted Urban and others access to more than 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.

For many years, Urban’s online hacker aliases “King Bob” and “Sosa” were fixtures of the Com, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or “grails” he later sold or gave away on forums.

Noah “King Bob” Urban, posting to Twitter/X around the time of his sentencing today.

Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as “Star Fraud.” CyberScoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.

The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.

Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.

“The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,” Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. “He should have been removed as a judge much earlier on. But staying in county jail is torture.”

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, where a copy of Urban’s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case.

“What it ultimately turned into was a big faux pas,” Judge Harvey E. Schlesinger said. “The Court’s password…business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, ‘I need a password change.’ And they gave out the password change. That’s how whoever was making the phone call got into the court.”
