The menaces began in the spring.
In April 2024, an enigmatic individual utilizing the online aliases “Waifu” and “Judische” initiated a series of death threats on Telegram and Discord channels directed at a cybersecurity analyst named Allison Nixon.
“Alison [sic] Nixon is about to be necklaced with a gasoline-filled tire,” stated Waifu/Judische, both of which carry offensive implications. “Decerebration is my favored kind of brain death; that’s what’s going to happen to alison Nixon.”
It didn’t take long for others to join in. Someone shared AI-generated nude images of Nixon.
These anonymous identities targeted Nixon due to her being a significant threat: serving as the chief research officer at the cyber investigations company Unit 221B, which draws its name from Sherlock Holmes’s residence, she had established a career focused on tracing cybercriminals and aiding in their apprehension. For years she had quietly lingered in online chat forums or utilized aliases to directly interact with offenders, gathering clues they negligently disclosed about themselves and their unlawful activities. This enabled her to bring several cybercriminals to justice—especially those belonging to a loosely connected group of anarchic hackers identifying themselves as the Com.
However, members of the Com are not solely engaged in hacking; several of them also perpetrate physical violence against analysts who monitor them. This encompasses tactics like bricking (throwing a brick through a victim’s window) and swatting (dangerously fabricating a murder or hostage incident to provoke a SWAT response). Members of a Com splinter group referred to as 764 have been accused of even graver acts—including animal cruelty, stabbings, and school shootings—or provoking others within and outside the Com to carry out these offenses.
Nixon commenced tracking individuals within the community over ten years ago, at a time when other analysts and law enforcement largely overlooked them due to their youth—predominantly teenagers. Her early focus allowed her to formulate strategies for identifying them.
Ryan Brogan, an FBI special agent, attests to Nixon’s assistance in identifying and arresting over two dozen members of the community since 2011, when he initially collaborated with her, noting that her expertise in exposing them is unrivaled. “If you get on Allison’s and my radar, it’s game over for you. It’s merely a question of time,” he remarks. “Regardless of the digital anonymity and tricks you employ, you’re finished.”
Despite having undertaken this work for more than a decade, Nixon could not comprehend why the individual behind the Waifu/Judische accounts began threatening her. While she had engaged in media interviews regarding the Com—most recently on 60 Minutes—she had not discussed her efforts to identify members for their arrests, rendering the hostility seemingly unexpected. Although she had shown interest in the Waifu persona previously due to crimes he boasted of committing, he had not been on her radar for some time when the threats initiated, as she was focused on other subjects.
Now Nixon was determined to reveal the identities of Waifu/Judische and the others accountable for the death threats—and to take them down for crimes they excitedly confessed to. “Before they started making death threats against me, I had no motive to focus on them,” she states.
Beginnings of the Com
Most individuals are unaware of the Com, yet its influence and danger are expanding.
This is an online network featuring loosely aligned groups made up mainly of teenagers and young adults in North America and English-speaking regions of Europe, who have become a part of what some refer to as a cybercrime youth movement.
International regulations and apprehensions about retaliation deter states from executing sweeping cyber operations. This, however, does not deter the anarchic Com.
Over the last decade, its unlawful activities have progressed from basic distributed denial-of-service (DDoS) attacks disrupting websites to SIM-swapping hacks that hijack victims’ phone services, alongside cryptocurrency theft, ransomware incidents, and corporate data pilfering. These offenses have impacted firms like AT&T, Microsoft, Uber, and several others. Members of the Com have also been involved in various forms of sextortion intended to coerce victims into self-harm or to capture themselves performing sexually explicit acts. The Com’s influence has also transcended the digital space into kidnapping, assaults, and other forms of violence.
A seasoned cybercrime researcher, who preferred to remain anonymous due to his work, asserts that the Com poses as significant a threat in the cyber domain as Russia and China—for one unusual reason.
“There’s only a certain extent that China will go; similarly, there’s a limit to what Russia or North Korea will do,” he explains, referring to global regulations and fears of retaliation that hinder states from fully engaging in cyber operations. “That doesn’t inhibit the anarchic Com,” he clarifies.
“It represents a considerable threat, and people tend to downplay it [because] it consists primarily of youths,” he points out. “But observe the effect [they have].”
Brogan comments that the damage incurred in terms of monetary losses “can escalate remarkably fast.”
There isn’t a singular location where Com members gather; they are dispersed across various web forums and Telegram and Discord channels. The group is part of a prolonged lineage of hacking and subculture communities that have arisen online over the past two decades, gained notoriety, and subsequently faded or disappeared following the arrests of prominent members or other factors contributing to their decline. They varied in motivation and actions, yet all stemmed from “the same primordial soup,” states Nixon. The origins of the Com can be traced back to the Scene, which started as a community among various “warez” groups involved in pirating video games, music, and films.
When Nixon began exploring the Scene in 2011, its members were hijacking gaming accounts, conducting DDoS attacks, and running booter services. (DDoS attacks overwhelm a server or computer with traffic from bot-controlled devices, obstructing legitimate traffic; booters are tools that can be rented by anyone to launch a DDoS attack against a target.) While they earned some income, their primary goal was notoriety.
This changed around 2018. With rising cryptocurrency values, the Com—or the Community, as it occasionally referred to itself—surfaced as a subgroup that ultimately overshadowed the Scene. Members began to pursue financial gain through cryptocurrency theft, data breaches, and extortion efforts.
The pandemic two years later resulted in a spike in Com membership, which Nixon attributes to social isolation and the shift of children online for education. However, she believes economic conditions and socialization challenges have also fueled its expansion. Many Com participants are unable to secure jobs due to a lack of skills or behavioral problems, she comments. Several of those arrested have come from troubled family backgrounds and faced difficulties adapting to school, with some displaying signs of mental health issues. The Com offers companionship, support, and an outlet for personal grievances. Since 2018, it has also provided solutions for their economic struggles.
Loose-knit factions have emerged from the community—Star Fraud, ShinyHunters, Scattered Spider, Lapsus$—to collaborate on clusters of crime. They typically target high-profile crypto influencers and tech corporations, having amassed millions of dollars through theft and extortion, per court documents.
Yet dominance, power, and bragging rights remain motivations, even within profit-oriented ventures, asserts the cybercrime researcher, which is partly why members pursue “big whales.”
“There’s financial gain,” he asserts, “but it’s also about showing that I can reach those who believe they are untouchable.” In fact, Nixon mentions that some Com members possess overwhelming ego-driven motivations that tend to conflict with their financial objectives.
“Frequent occurrences arise where their financial schemes collapse due to their ego, and that phenomenon contributes to my career,” she states.
Emergence of the hacker hunter
Nixon has straight dark hair, sports wire-rimmed glasses, and possesses a slight frame and bookish demeanor that could easily allow her to pass for a teenager herself upon first sight. She discusses her work in quick succession, as if her mind is flooded with facts that must be communicated, and she radiates a sense of urgency as she seeks to convey the threat posed by the Com. She does not conceal her delight when someone she’s tracked gets apprehended.
In 2011, when she initially began probing the communities from which the Com originated, she was stationed on the night shift within the security operations center of the security company SecureWorks. The center addressed tickets and security alerts originating from client networks; however, Nixon yearned for a role on the company’s counter-threat team, which investigated and published threat intelligence reports regarding predominantly state-sponsored hacking factions from China and Russia. Lacking connections or experience, she had no pathway to investigative work. Yet Nixon is an intensely inquisitive individual, and this curiosity created its own pathway.
While the threat team concentrated on the repercussions hackers had on client networks—how they infiltrated systems and what they took—Nixon was more interested in their motivations and the personality traits that propelled their actions. She presumed there must be online forums where criminal hackers gathered, prompting her to search for “hacking forums” and discover a site called Hack Forums.
“It was really quite simple,” she recalls.
She was astonished to observe members openly discussing their crimes there. She reached out to someone on the SecureWorks threat team to inquire if he was familiar with the site, and he dismissed it as a space for “script kiddies”—a derogatory term for untalented hackers.
This was during a period when numerous cybersecurity professionals were diverting their focus away from cybercrime toward state-sponsored hacking operations, which were more intricate and received considerable attention. However, Nixon preferred to diverge from the norm, and her colleague’s dismissive view only intensified her interest in the forums. Two other SecureWorks associates shared this interest, and the three analyzed the forums during downtime in their shifts, particularly focusing on identifying individuals operating DDoS booters.
What Nixon appreciated about the forums was their accessibility to a novice like herself. Threat intelligence teams require privileged access to a victim’s network to investigate breaches. However, she could obtain everything necessary from public forums, where hackers assumed no one was monitoring. Consequently, they frequently made operational security (OPSEC) errors by inadvertently revealing biographical details such as their city of residence, schools attended, or previous workplaces. These informational nuances revealed in their discussions, combined with other data, could aid in uncovering the true identities hidden behind their anonymous fronts.
“I was shocked to discover how relatively simple it was to ascertain who [they were],” she states.
She wasn’t perturbed by the juvenile bravado and minor disputes that dominated the forums. “Many individuals are reluctant to undertake the tedious work of analyzing chat logs. I understand that this is quite an uncommon task. Perhaps my brain is wired unusually, with a willingness to engage in this,” she mentions. “I possess a unique talent for sifting through rubbish without being bothered.”
Nixon quickly recognized that not all participants were script kiddies. Some displayed genuine creativity and “powerful” abilities, she observes, yet because they directed these talents towards trivial goals—hijacking gaming accounts rather than draining bank accounts—researchers and law enforcement disregarded them. Nixon began monitoring them, predicting that they would eventually redirect their skills toward more formidable targets—an intuition that was validated. By the time they did, she had already compiled extensive information about them.
She maintained her DDoS research for two years until a pivotal moment in 2013 when cybersecurity journalist Brian Krebs, known for tracking cybercriminals, was swatted.
Approximately a dozen members from the security community collaborated with Krebs to identify the perpetrator, and Nixon was invited to participate. Krebs provided her with segments of the puzzle to investigate, and ultimately the group pinpointed the guilty party (although it would take two years for an arrest to occur). Upon receiving an invitation to dine with Krebs and the other investigators, she realized she had found her community.
“It was a remarkable moment for me,” she remarks. “I thought, wow, here are all these like-minded individuals who genuinely want to assist and are doing it purely out of passion for the work.”
Staying ahead of the curve
Adult film stars provided Nixon with her next significant research focus—this underscored her ability to identify Com actors and emerging criminal trends in their formative stages before they developed into major threats.
In 2018, someone began hijacking the social media profiles of certain adult film stars and utilizing those accounts to disseminate cryptocurrency scams to their extensive follower bases. Nixon couldn’t unravel how the hackers were taking over the social media profiles, but she promised to assist the actors in regaining access to their accounts if they consented to show her the private messages the hackers had sent or received during their control of the accounts. These messages led her to a forum where members discussed the tactics they employed to steal the accounts. The hackers had manipulated some of these actresses into revealing the mobile phone numbers of others. They then employed a technique termed SIM swapping to reset passwords for social media accounts belonging to those additional actresses, thereby locking them out.
In SIM swapping, fraudsters obtain a victim’s phone number assigned to a SIM card and device they command, redirecting calls and messages intended for the victim to themselves. This includes one-time security codes that sites text to account holders for authentication during account access or password modifications. In several of the incidents involving the adult film stars, the hackers had fooled telecom personnel into conducting the SIM swaps for arbitrary legitimate reasons, while in other instances they bribed the workers to facilitate the alteration. The hackers could then alter the password on the actresses’ social media accounts, lock out the account holders, and use the profiles to promote their cryptocurrency scams.
SIM swapping stands as a potent technique for hijacking and depleting entire cryptocurrency and banking accounts, thus Nixon was taken aback to observe the fraudsters utilizing it for relatively low-gain schemes. However, SIM swapping had seldom been exploited for financial fraud at that moment, and similar to the earlier hackers she had encountered on Hack Forums, those hijacking the adult actors’ accounts didn’t seem to grasp the potential of the technique they were wielding. Nixon anticipated that this would soon transform, making SIM swapping a critical concern, prompting her to modify her research focus accordingly. It wasn’t long before the fraudsters adjusted as well.
Nixon’s ability to anticipate in this manner has been valuable throughout her career. On numerous occasions, a hacker or hacking group would draw her interest—for utilizing a novel hacking method in a minor operation, for example—and she would commence monitoring their online posts and discussions, believing they would eventually apply that skill in a significant way.
Typically, they did. When they later garnered media attention through a high-profile or significant operation, these hackers appeared to others as if they had emerged from nowhere, prompting researchers and law enforcement to scramble to identify their identities. However, Nixon would already possess a dossier compiled on them and, in certain instances, had even unmasked their real identities. Lizard Squad is one such example. This group gained prominence in 2014 and 2015 through a series of high-profile DDoS campaigns, but Nixon and her colleagues had already been observing its members individually for some time. Thus, the FBI sought their cooperation in pinpointing them.
“The reality for these young hackers is that they … persist until they are apprehended, but this process can span years,” she states. “Therefore, a substantial part of my career involves sitting on this information that remains unaddressed [for now].”
During the Lizard Squad era, Nixon began crafting tools to harvest and record hacker communications online, although years passed before she could apply these concepts to retrieve data from Com chatrooms and forums. These channels harbored a treasure trove of information that, while seemingly insignificant during a hacker’s early career, could become crucial later on when law enforcement launched investigations; yet, the content remained at risk of being deleted by Com members or removed by law enforcement when seizing websites and chat channels.
Nixon’s efforts are distinctive as she interacts with the participants in chat spaces to elicit information that “would not be typically accessible otherwise.”
Brogan, from the FBI, describes it as an exceptionally valuable resource, enhanced further by Nixon’s personal contributions. Other security companies also harvest online criminal spaces, yet they seldom share the content with outsiders; Brogan notes that Nixon’s approach is distinctive, as she engages with the actors in chat environments to extract information from them that “would not normally be obtainable.”
The preservation project she initiated upon joining Unit 221B couldn’t have occurred at a more opportune time, coinciding with the pandemic, the increase in new Com members, and the advent of two alarming Com splinter groups, CVLT and 764. She was able to capture their conversations as these factions emerged; after law enforcement apprehended the leaders and gained control over the servers hosting their communication, this material went offline.
CVLT—phonetically articulated as “cult”—is said to have been established around 2019, focusing on sextortion and child sexual abuse materials. 764 branched off from CVLT and was led by a 15-year-old Texan named Bradley Cadenhead, who designated it after the initial digits of his zip code. Its emphasis was on extremism and brutality.
In 2021, due to what she observed within these groups, Nixon shifted her focus to sextortion practices among Com members.
The sextortion they engaged in has origins in activities that began a decade earlier as “fan signing.” Hackers coerced individuals, usually young women, into writing the hacker’s handle on a piece of paper under the threat of doxxing. The hacker would then utilize the photo as an avatar on his online profiles—a sort of trophy. Eventually, some escalated to blackmailing victims into inscribing the hacker’s handle on their face, breasts, or genitals. With CVLT, this escalated even further; targets were coerced into inscribing a Com member’s name on their bodies or performing sexually explicit acts while recording or live streaming themselves.
Throughout the pandemic, a surprising number of SIM swappers ventured into child sexual abuse material and sadistic sextortion, according to Nixon. Although she despises tracking this grisly conduct, she recognized an opportunity to leverage it for positive purposes. She had long been frustrated with the leniency judges displayed toward financial fraudsters due to the seemingly nonviolent nature of their offenses. However, she discerned a chance to secure harsher sentences for them by associating them with sextortion, thus immersing herself in these crimes.
At this juncture, Waifu still wasn’t on her radar. But that was soon to change.
Final Stages
Nixon found herself in Waifu’s sights after he and fellow Com members were implicated in a significant hack involving AT&T customer call records in April 2024.
Waifu’s group managed to infiltrate numerous cloud accounts with Snowflake, a firm providing online data storage to clients. One client held over 50 billion call logs of AT&T wireless subscribers within its Snowflake account.
They attempted to re-extort the telecom by threatening to leak the records on social media. They tagged the FBI in their post. “It’s like they were inviting an investigation,” Nixon observes.
Among the subscriber records were call logs for FBI agents using AT&T services. Nixon and other investigators suspect the hackers may have identified the agents’ phone numbers through various means. They may have used a reverse lookup tool to pinpoint the owners of phone numbers dialed by the agents and discovered Nixon’s number among them. It was at this point that they began to harass her.
However, they grew careless. They reportedly extorted nearly $400,000 from AT&T in exchange for claiming they would delete the stolen call records. Then they attempted to re-extort the telecom, threatening on social media to leak the records they purported to have deleted unless they received additional payment. They tagged the FBI in the post.
“It was as if they were soliciting an investigation,” Nixon remarks.
The breaches at Snowflake and the theft of AT&T records were capturing media attention at that time, but Nixon was unaware that her number was included in the stolen logs or that Waifu/Judische was a leading suspect in the breaches. Thus, she was confused when he began taunting and threatening her online.
Over the course of several weeks in May and June, a discernible pattern emerged. Waifu or one of his associates would issue a threat against her and subsequently post a message online inviting her to engage in conversation. She now theorizes they believed she was assisting law enforcement with the investigation regarding the Snowflake breaches and aimed to lure her into dialogue to extract insights about what authorities knew. Yet, Nixon wasn’t aiding the FBI in investigating them at this time. It was only after she started examining Waifu due to the threats that she became aware of his suspected involvement in the Snowflake breach.
It wasn’t the first instance she had scrutinized him, though. Waifu had caught her interest in 2019 when he boasted about framing another Com member for a fabricated bomb threat and later addressed his participation in SIM-swapping schemes. He left an impression on her. He clearly exhibited technical prowess, though Nixon claims he also often appeared immature, impulsive, and emotionally unstable, displaying a desperate need for attention in his interactions with fellow members. He bragged about being able to function without sleep and utilizing Adderall to hack through the night. He also exhibited a degree of recklessness regarding his personal information security. He mentioned in private discussions to another researcher that he would never be apprehended because of his adeptness at OPSEC, yet he also disclosed to the researcher that he resided in Canada—which turned out to be accurate.
Nixon’s approach to unmasking Waifu followed her typical strategy for identifying Com members: She would draw a wide investigative circle around a target and all the personas that communicated with that individual online, then scrutinize their interactions to tighten the circle on the individuals with the most meaningful connections to the target. Some of the most valuable leads emerged from a target’s adversaries; she could extract a considerable amount of information about their identity, character, and actions from what those they clashed with online disclosed about them.
“Generally speaking, enemies and ex-girlfriends are the most effective sources [for gathering insights on a suspect],” she asserts. “I have a fondness for them.”
While she was executing this, Waifu and his colleagues were reaching out to other security analysts, attempting to gather intel about Nixon and her investigations. They also endeavored to plant misleading clues among researchers by introducing names of other cybercriminals in Canada who could feasibly be Waifu. Nixon had never witnessed cybercriminals engaging in counterintelligence tactics such as this.
Publicly amid this subterfuge and confusion, Nixon and another researcher collaborating with her conducted extensive consultations and cross-referencing with various researchers concerning the clues they were collecting to confirm they had the correct identity before delivering it to the FBI.
By July, she and her colleague were confident they had identified their suspect: Connor Riley Moucka, a 25-year-old high school dropout residing with his grandfather in Ontario. On October 30, the Royal Canadian Mounted Police descended on Moucka’s residence and apprehended him.
As indicated in an affidavit submitted in Canadian court, a plainclothes police officer visited Moucka’s home under a fabricated pretense on the afternoon of October 21, nine days prior to the arrest, to clandestinely capture his photo and compare it with an image provided by US authorities. The officer knocked and rang the bell; Moucka opened the door appearing disheveled and stated to the visitor: “You woke me up, sir.” He informed the officer that his name was Alex; Moucka sometimes operated under the alias Alexander Antonin Moucka. Assured that the individual who answered the door matched the description US authorities were seeking, the officer departed. At this juncture, Waifu’s online outbursts directed at Nixon intensified, as did his attempts at distraction. She suspects the visit to his home instilled fear in him.
Nixon refrains from divulging the precise methods they used to unmask Moucka—only that he made an error.
“I don’t wish to instruct these individuals on how to avoid capture [by revealing his mistake],” she mentions.
The Canadian affidavit against Moucka outlines a number of additional violent remarks he allegedly made online beyond the threats directed at her. Some pertain to considerations about becoming a serial killer or mass mailing sodium nitrate pills to Black individuals in Michigan and Ohio; in another, his online persona discusses procuring firearms to “eliminate Canadians” and commit “suicide by cop.”
Prosecutors, who enumerate Moucka’s online aliases as including Waifu, Judische, and two more in the indictment, allege that he and others extorted at least $2.5 million from at least three victims whose data they pilfered from Snowflake accounts. Moucka faces nearly twenty counts, including conspiracy, unauthorized computer access, extortion, and wire fraud. He has pleaded not guilty and was extradited to the US last July. His trial is set for October this year, although hacking cases commonly conclude in plea deals instead of proceeding to trial.
Authorities took several months to arrest Moucka after Nixon and her colleague shared their findings with law enforcement, but an alleged accomplice in the Snowflake conspiracy, a US Army soldier named Cameron John Wagenius (online known as Kiberphant0m), was detained more swiftly.
On November 10, 2024, Nixon and her team uncovered a mistake made by Wagenius that contributed to identifying him, resulting in his arrest on December 20. Wagenius has already pled guilty to two charges related to the sale or attempted sale of confidential phone records and will face sentencing this coming March.
Nowadays, Nixon continues to scrutinize sextortion cases among Com members. However, she indicates that remaining members of Waifu’s faction persist in taunting and threatening her.
“They are still persisting with their foolishness, and they’re being removed one by one,” she asserts. “And I intend to keep pursuing this until there’s no one left on that front.”
Kim Zetter is a journalist focusing on cybersecurity and national security. She is the author of Countdown to Zero Day.
