Hackers made death threats against this security researcher. Big mistake.

Cybersecurity expert unmasks prolific hackers

Cybersecurity researcher Allison Nixon successfully unmasked and helped law enforcement arrest high-profile hackers Connor Riley Moucka and Cameron John Wagenius following a series of death threats and a massive data breach at AT&T. Nixon, the chief research officer at investigations firm Unit 221B, identified the suspects after they targeted her with AI-generated harassment and violent Telegram messages.

The harassment began in April 2024 when an individual using the handles "Waifu" and "Judische" posted graphic threats against Nixon. These messages described specific acts of violence, including "necklacing" the researcher with a gasoline-filled tire. The attackers also distributed AI-generated nude images of Nixon across various online channels to intimidate her.

These hackers belong to a digital subculture known as "the Com," a loose affiliation of primarily young, English-speaking cybercriminals. Nixon has spent more than a decade tracking this group, which law enforcement previously ignored due to the young age of its members. Her investigation eventually linked the "Waifu" persona to Connor Riley Moucka, a 25-year-old living in Ontario, Canada.

The rise of a youth movement

The Com functions as an anarchic network of teens and young adults who coordinate complex cybercrimes for profit and notoriety. While state-sponsored hackers from Russia or China often follow geopolitical rules, members of the Com operate without restraint or fear of retaliation. This lack of boundaries makes them one of the most significant threats in the current cyber landscape.

The group’s activities have evolved significantly over the last decade. Early members focused on simple website disruptions, but the modern movement executes sophisticated financial crimes and physical attacks. Their repertoire includes several high-stakes tactics:

• SIM swapping to hijack phone numbers and bypass two-factor authentication.
• Ransomware attacks and corporate data theft targeting global tech giants.
• Swatting, which involves sending armed police teams to a victim's home under false pretenses.
• Sextortion and "fan signing," where victims are coerced into self-harm or recording explicit videos.
• Physical violence, including "bricking" windows or orchestrating real-world assaults.

Major corporations including Microsoft, Uber, and AT&T have fallen victim to cells originating from this community. Groups like Scattered Spider, Lapsus$, and ShinyHunters have stolen millions of dollars through these methods. Nixon traces the origins of this movement to "the Scene," an older community focused on pirating games and movies.

Nixon tracks the digital underworld

Nixon began her career in 2011 at the security firm SecureWorks, where she worked the night shift in a security operations center. While her colleagues focused on sophisticated state-sponsored threats, Nixon took an interest in "script kiddies" on public forums like Hack Forums. She realized these unskilled hackers were making critical mistakes in their operational security (OPSEC).

She discovered that young hackers often dropped biographical details, such as their city, school, or former employers, during petty online arguments. Nixon began archiving these details, building dossiers on individuals long before they committed major crimes. She realized that these "kids" would eventually apply their ingenuity to more profitable targets.

In 2013, Nixon joined a group of investigators to help journalist Brian Krebs after he was swatted. This collaboration solidified her role in the security community and proved the value of her unconventional research methods. She now uses her ability to "wade through garbage" chat logs to identify the real-world identities of anonymous personas.

A massive breach exposes the hackers

The investigation into Moucka intensified after a massive data breach involving Snowflake, a cloud storage provider. In April 2024, hackers gained access to dozens of Snowflake accounts, including one belonging to AT&T. The attackers stole more than 50 billion call logs belonging to wireless subscribers.

The stolen records included the phone numbers of FBI agents and other high-profile targets. Nixon believes the hackers used these logs to perform reverse lookups, which eventually led them to her personal phone number. Shortly after the breach, the "Waifu" persona began his targeted harassment campaign against her.

The hackers allegedly extorted $400,000 from AT&T in exchange for a promise to delete the stolen data. However, they later attempted to "re-extort" the company by threatening to leak the records on social media. In a display of extreme overconfidence, the hackers even tagged the FBI in their public posts.

The final takedown in Ontario

Nixon and her team at Unit 221B used a proprietary platform called eWitness to track the hackers' movements. This tool scrapes and archives messages from Telegram and Discord, preserving evidence that hackers often delete. By analyzing years of chat logs and cross-referencing them with new mistakes, Nixon narrowed the search to Moucka.

On October 21, 2024, a plainclothes officer visited Moucka’s home in Ontario under a pretense to confirm his identity. Moucka answered the door looking disheveled and identified himself as "Alex," an alias he frequently used online. This confirmation allowed the Royal Canadian Mounted Police to execute an arrest warrant on October 30, 2024.

Authorities have charged Moucka with nearly two dozen counts, including:

• Conspiracy to commit computer fraud and wire fraud.
• Unauthorized access to protected computers.
• Extortion involving the threat of releasing stolen data.
• Wire fraud related to the Snowflake breaches.

Prosecutors allege that Moucka and his associates extorted at least $2.5 million from three separate victims. While Moucka has pleaded not guilty, his alleged associate Cameron John Wagenius was arrested in December 2024. Wagenius, a U.S. Army soldier known online as "Kiberphant0m," has already pleaded guilty to charges involving the sale of confidential records.

The hunt for the Com continues

Nixon’s work continues as she tracks the violent offshoots of the Com, specifically groups like 764 and CVLT. These subgroups focus on "sadistic sextortion," often forcing victims to carve names into their skin or engage in extreme self-harm. Nixon recently shifted her focus to these crimes to ensure hackers receive harsher prison sentences than those typically given for financial fraud.

Despite the high-profile arrests of Moucka and Wagenius, other members of the "Waifu" group continue to threaten Nixon online. She remains undeterred and continues to collaborate with the FBI and international law enforcement. Nixon states she will continue her work until she has "taken out" every remaining member of the group.

The FBI credits Nixon with identifying more than two dozen cybercriminals since 2011. Special Agent Ryan Brogan notes that Nixon’s ability to engage with hackers in their own spaces provides intelligence that traditional law enforcement methods cannot reach. Her persistence has turned the Com’s ego-driven culture into their greatest vulnerability.