Welcome to the dark side of crypto’s permissionless dream

“We’re out of airspace now. We can do whatever we want,” Jean-Paul Thorbjornsen tells me from the pilot’s seat of his Aston Martin helicopter. As we fly over suburbs outside Melbourne, Australia, it’s becoming clear that doing whatever he wants is Thorbjornsen’s MO. 

Upper-middle-class homes give way to vineyards, and Thorbjornsen points out our landing spot outside a winery. People visiting for lunch walk outside. “They’re going to ask for a shot now,” he says, used to the attention drawn by his luxury helicopter, emblazoned with the tail letters “BTC” for bitcoin (the price tag of $5 million in Australian dollars—$3.5 million in US dollars today—was perhaps reasonable for someone who claims a previous crypto project made more than AU$400 million, although he also says those funds were tied up in the company). 

Thorbjornsen is a founder of THORChain, a blockchain through which users can swap one cryptocurrency for another and earn fees from making those swaps. THORChain is permissionless, so anyone can use it without getting prior approval from a centralized authority. As a decentralized network, the blockchain is built and run by operators located across the globe, most of whom use pseudonyms. 

During its early days, Thorbjornsen himself hid behind the pseudonym “leena” and used an AI-generated female image as his avatar. But around March 2024, he revealed that he, an Australian man in his mid-30s, with a rural Catholic upbringing, was the mind behind the blockchain. More or less. 

If there is a central question around THORChain, it is this: Exactly who is responsible for its operations? Blockchains as decentralized as THORChain are supposed to offer systems that operate outside the centralized leadership of corruptible governments and financial institutions. If a few people have outsize sway over this decentralized network—one of a handful that operate at such a large scale—it’s one more blemish on the legacy of bitcoin’s promise, which has already been tarnished by capitalistic political frenzy.   

Who’s responsible for THORChain matters because in January last year, its users lost more than $200 million worth of their cryptocurrency in US dollars after THORChain transactions and accounts were frozen by a singular admin override, which users believed was not supposed to be possible given the decentralized structure. When the freeze was lifted, some users raced to pull their money out. The following month, a team of North Korean hackers known as the Lazarus Group used THORChain to move roughly $1.2 billion of stolen ethereum taken in the infamous hack of the Dubai-based crypto exchange Bybit. 

Thorbjornsen explains away THORChain’s inability to stop the movement of stolen funds, or prevent a bank run, as a function of its decentralized and permissionless nature. The lack of executive powers means that anyone can use the network for any reason, and arguably there’s no one to hold accountable when even the worst goes down.

But when the worst did go down, nearly everyone in the THORChain community, and those paying attention to it in channels like X, pointed their fingers at Thorbjornsen. A lawsuit filed by the THORChain creditors who lost millions in January 2025 names him. A former FBI analyst and North Korea specialist, reflecting on the potential repercussions for helping move stolen funds, told me he wouldn’t want to be in Thorbjornsen’s shoes.

THORChain was designed to make decisions based on votes by node operators, where two-thirds majority rules.

That’s why I traveled to Australia—to see if I could get a handle on where he sees himself and his role in relation to the network he says he founded.

According to Thorbjornsen, he should not be held responsible for either event. THORChain was designed to make decisions based on votes by node operators—people with the computer power, and crypto stake, to run a cluster of servers that process the network’s transactions. In those votes, a two-thirds majority rules.

Then there’s the permissionless part. Anyone can use THORChain to make swaps, which is why it’s been a popular way for widely sanctioned entities such as the government of North Korea to move stolen money. This principle goes back to the cypherpunk roots of bitcoin, a currency that operates outside of nation-states’ rules. THORChain is designed to avoid geopolitical entanglements; that’s what its users like about it.

But there are distinct financial motivations for moving crypto, stolen or not: Node operators earn fees from the funds running through the network. In theory, this incentivizes them to act in the network’s best interests—and, arguably, Thorbjornsen’s interests too, as many assume his wealth is tied to the network’s profits. (Thorbjornsen says it is not, and that it comes instead from “many sources,” including “buying bitcoin back in 2013.”)

Now recent events have raised critical questions, not just about Thorbjornsen’s outsize role in THORChain’s operations, but also about the blockchain’s underlying nature.

If THORChain is decentralized, how was a single operator able to freeze its funds a month before the Bybit hack? Could someone have unilaterally decided to stop the stolen Bybit funds from coming through the network, and chosen not to? 

Thorbjornsen insists THORChain is helping realize bitcoin’s original purpose of enabling anyone to transact freely outside the reach of purportedly corrupt governments. Yet the network’s problems suggest that an alternative financial system might not be much better.

Decentralized? 

On February 21, 2025, Bybit CEO Ben Zhou got an alarming call from the company’s chief financial officer. About $1.5 billion US of the exchange’s ethereum token, ETH, had been stolen. 

The FBI attributed the theft to the Lazarus Group. Typically, criminals will want to convert ETH to bitcoin, which is much easier to convert in turn to cash. Knowing this, the FBI issued a public service announcement on February 26 to “exchanges, bridges … and other virtual asset service providers,” encouraging them to block transactions from accounts related to the hack. 

Someone posted that announcement in THORChain’s private, invite-only developer channel on Discord, a chat app used widely by software engineers and gamers. While other crypto exchanges and bridges (which facilitate transactions across different blockchains) heeded the warning, THORChain’s node operators, developers, and invested insiders debated about whether or not to close the trading gates, a decision requiring a majority vote.

“Civil war is a very strong term, but there was a strong rift in the community,” says Boone Wheeler, a US-based crypto enthusiast. In 2021, Wheeler purchased some rune, THORChain’s Norse-mythology-themed native token, and he has been paid to write articles about the network to help advertise it. The rift formed “between people who wanted to stay permissionless,” he says, “and others who wanted to blacklist the funds.”

Wheeler, who says he doesn’t run a node or code for THORChain, fell on the side of remaining permissionless. However, others spoke up for blocking the transfers. THORChain, they argued, wasn’t decentralized enough to keep those running the network safe from law enforcement—especially when those operators were identifiable by their IP addresses, some based in the US.

“We are not the morality police,” someone with the username @Swing_Pop wrote on February 27 in the developer Discord.

THORChain’s design includes up to 120 nodes whose operators manage transactions on the network through a voting process. Anyone with hosting hardware can become an operator by funding nodes with rune as collateral, which provides the network with liquidity. Nodes can respond to a transaction by validating it or doing nothing. While individual transactions can’t be blocked, trading can be halted by a two-thirds majority vote. 

Nodes are also penalized for not participating in voting, which the system labels as “bad behavior.” Every 2.5 days, THORChain automatically “churns” nodes out to ensure that no one node gains too much control. The nodes that chose not to validate transactions from the Bybit hack were automatically “churned” out of the system. Thorbjornsen says about 20 or 30 nodes were booted from the network in this way. (Node operators can run multiple nodes, and 120 are rarely running simultaneously; at the time of writing, 55 unique IDs operated 103 nodes.)

By February 27, some node operators were prepared to leave the network altogether. “It’s personally getting beyond my risk tolerance,” wrote @Runetard in the dev Discord. “Sorry to those of the community that feel otherwise. There are a bunch of us holding all the risk and some are getting ready to walk away.”

Even so, the financial incentive for the network operators who remained was significant. As one member of the dev Discord put it earlier that day, $3 million had been “extracted as commission” from the theft by those operating THORChain. “This is wrong!” they wrote.

Thorbjornsen weighed in on this back-and-forth, during which nodes paused and unpaused the network. He now says there was a right and wrong way for node operators to have behaved. “The correct way of doing things,” he says, was for node operators who opposed processing stolen funds to “go offline and … get [themselves] kicked out” rather than try to police who could use THORChain. He also says that while operators could discuss stopping transactions, “there was simply no design in the code that allowed [them] to do that.” However, a since-deleted post from his personal X account on March 3, 2025, stated: “I pushed for all my nodes to unhalt trading [keep trading]. Threatened to yank bond if they didn’t comply. Every single one.” (Thorbjornsen says his social media team ran this account in 2025.) 

In an Australian 7 News Spotlight documentary last June, Thorbjornsen estimated that THORChain earned between $5 million and $10 million from the heist.

When asked in that same documentary if he received any of those fees, he replied, “Not directly.” When we spoke, I asked him to elaborate. He said he’s “not a recipient” of any funds THORChain sets aside for developers or marketers, nor does he operate any nodes. He was merely speaking generally, he told me: “All crypto holders profit indirectly off economic activity on any chain.”

KAGAN MCLEOD

Most important to Thorbjornsen was that, despite “huge pressure to shut the protocol down and stop servicing these swaps,” THORChain chugged along. He also notes that the hackers’ tactics, moving fast and splitting funds across multiple addresses, made it difficult to identify “bad swaps.”

Blockchain experts like Nick Carlsen, a former FBI analyst at the blockchain intelligence company TRM Labs, don’t buy this assessment. Other services similar to THORChain were identifying and rejecting these transactions. Had THORChain done the same, Carlsen adds, the stolen funds could have been contained on the Ethereum network, which “would have basically denied North Korea the ability to kick off this laundering process.” 

And while THORChain touts its decentralization, in “practical applications” like the Lazarus Group’s theft, “most de-fi [decentralized finance] protocols are centralized,” says Daren Firestone, an attorney who represents crypto industry whistleblowers, citing a 2023 US Treasury Department risk assessment on illicit finance. 

With centralization comes culpability, and in these cases, Firestone adds, that comes down to “who profits from [the protocol], so who creates it? But most importantly, who controls it?” Is there someone who can “hit an emergency off switch? … Direct nodes?”

Many answer these questions with Thorbjornsen’s name. “Everyone likes to pass the blame,” he says, even though he wasn’t alone in building THORChain. “​​In the end, it all comes back to me anyway.”

THORChain origins

“We lived close to a local airfield,” Thorbjornsen says, “and I was always mesmerized by these planes.” He joined the Australian air force and studied engineering, but he says the military left him feeling like “a square peg in a round hole.” He adds that doing things his own way got him frequently “pulled aside” by superiors.

“That’s when I started looking elsewhere,” he says, and in 2013, he found bitcoin. It appealed because it existed “outside the system.”

During the 2017 crypto bull run, Thorbjornsen raised AU$12 million in an initial coin offering for CanYa, a decentralized marketplace he cofounded. CanYa ultimately “died” in 2018, and Thorbjornsen pivoted to a “decentralized liquidity” project that would become THORChain.

He worked with a couple of different developer teams, and then, in 2019, he clicked with an American developer, Chad Barraford, at a hackathon in Germany. Barraford (who declined to be interviewed for this story) was an early public face of THORChain. 

Around this time, Thorbjornsen says, “a couple of us helped manage the payroll and early investment funds.” In a 2020 interview, Kai Ansaari, identified as a THORChain “project lead,” wrote, “We’re all contributors … There’s no real ‘lead,’ ‘CEO,’ ‘founder,’ etc.”

In interviews conducted since he came out from behind the “leena” account in 2024, Thorbjornsen has positioned himself as a key lead. He now says his plan had always been to hand over the account, along with command powers and control of THORChain social media accounts, once the blockchain had matured enough to realize its promise of decentralization.

In 2021, he says, he started this process, first by ceasing to use his own rune to back node operators who didn’t have enough to supply their own funding (this can be a way to influence node votes without operating a node yourself). That year, the protocol suffered multiple hacks that resulted in millions of dollars in losses. Nine Realms, a US-incorporated coding company, was brought on to take over THORChain’s development. Thorbjornsen says he passed “leena” over to “other community members” and “left crypto” in 2021, selling “a bunch of bitcoin” and buying the helicopter. 

Despite this crypto departure, he came back onto the scene with gusto in 2024 when he revealed himself as the operator of the “leena” account. “​​For many years, I stayed private because I didn’t want the attention,” he says now. 

By early 2024 Thorbjornsen considered the network to be sufficiently decentralized and began advertising it publicly. He started regularly posting videos on his TikTok and YouTube channels (“Two sick videos every week,” in the words of one caption) that showed him piloting his helicopter wearing shirts that read “Thor.”

By November 2024, Thorbjornsen, who describes himself as “a bit flamboyant,” was calling himself THORChain’s CEO (“chief energy officer”) and the “master of the memes” in a video from Binance Blockchain Week, an industry conference in Dubai. You need “strong memetic energy,” he says in the video, “to create the community, to create the cult.” Cults imply centralized leadership, and since outing himself as “leena,” Thorbjornsen has publicly appeared to helm the project, with one interviewer deeming him the “THORChain Satoshi” (an allusion to the pseudonymous creator of bitcoin). 

One consequence of going public as a face of the protocol: He’s received death threats. “I stirred it up. Do I regret it? Who knows?” he said when we met in Australia. “It’s caused a lot of chaos.” 

But, he added, “this is the bed that I’ve laid.” When we spoke again, months later, he backtracked, saying he “got sucked into” defending THORChain in 2024 and 2025 because he was involved from 2018 to 2021 and has “a perspective on how the protocol operates.”

Centralized? 

Ryan Treat, a retired US Army veteran, woke up one morning in January 2025 to some disturbing activity on X. “My heart sank,” he says. THORFi, the THORChain program he’d used to earn interest on the bitcoin he’d planned to save for his retirement, had frozen all accounts—but that didn’t make sense.

THORFi featured a lending and saving program said to give users “complete control” and self-custody of their crypto, meaning they could withdraw it at any time. 

Treat was no crypto amateur. He bought his first bitcoin at around “$5 apiece,” he says, and had always kept it off centralized exchanges that would maintain custody of his wallets. He liked THORChain because it claimed to be decentralized and permissionless. “I got into bitcoin because I wanted to have government-less money,” he says. 

We were told it was decentralized. Then you wake up one morning and read this guy had an admin mimir.

Many who’d used THORFi lending and saving programs felt similarly. Users I interviewed differentiated THORChain from centralized lending platforms like BlockFi and Celsius, both of which offered extraordinarily high yields before filing for bankruptcy in 2022. “I viewed THORChain as a decentralized system where it was safer,” says Halsey Richartz, a Florida-based THORFi creditor, with “vanilla, 1% passive yield.” Indeed, users I spoke with hadn’t felt the need to monitor their THORFi deposits. “Only your key can be used to withdraw your funds,” the product’s marketing materials insisted. “Savers can withdraw their position to native assets at any time.”

So on January 9, when the “leena” account announced that an admin key had been used to pause withdrawals, it took THORFi users by surprise—and seemed to contradict the marketing messaging around decentralization. “We were told that it was decentralized, and you wake up one morning and read an article that says ‘This guy, JP, had an admin mimir,’” says Treat, referring to Thorbjornsen, “and I’m like, ‘What the fuck is an admin mimir?’”

The admin mimir was one of “a bunch of hard-coded admin keys built into the base code of the system,” says Jonathan Reiter, CEO of the blockchain intelligence company ChainArgos. Those with access to the keys had the ability to make executive decisions on the blockchain—a function many THORChain users didn’t realize could supersede the more democratic decisions made by node votes. These keys had been in THORChain’s code for years and “let you control just about anything,” Reiter adds, including the decision to pause the network during the hacks in 2021 that resulted in a loss of more than $16 million in assets. 

Thorbjornsen says that one key was given to Nine Realms, while another was “shared around the original team.” He told me at least three people had them, adding, “I can neither confirm nor deny having access to that mimir key, because there’s no on-chain registry of the keys.”

Regardless of who had access, Thorbjornsen maintains that the admin mimir mechanism was “widely known within the community, and heavily used throughout THORChain’s history” and that any action taken using the keys “could be largely overruled by the nodes.” Indeed, nodes voted to open withdrawals back up shortly after the admin key was used to pause them. By then, those burned by THORFi argue, the damage had already been done. The executive pause to withdrawals, for some, signaled that something was amiss with THORFi. This led to a bank run after the pause was lifted, until the nodes voted to freeze withdrawals permanently (which Thorbjornsen had suggested in a since-deleted post on X), separating users from crypto worth around $200 million in US dollars on January 23. THORFi users were then offered a token called TCY (THORChain Yield), which they could claim with the idea that, when its price rose to $1, they would be made whole. (The price, as of writing, sits at $0.16.)

Who used the key? Thorbjornsen maintains he didn’t do it, but he claims he knows who did and won’t say. He says he’d handed over the “leena” account and doesn’t “have access to any of the core components of the system,” nor has he for “at least three years.” He implies that whoever controlled “leena” at the time used the admin key to pause network withdrawals.

A video released by Nine Realms on February 20, 2025, names Thorbjornsen as the activator of the key, stating, “JP ended up pausing lenders and savers, preventing withdrawals so that we can work out … [a] payback plan on them.” Thorbjornsen told me the video was “not factual.”

Multiple blockchain analysts told me it would be extremely difficult to determine who used the admin mimir key. A month after it was used to pause the network, THORChain said the key had been “removed from the network.” At least you can’t find the words “admin mimir” in THORChain’s base code; I’ve looked. 

Culpability

After the debacle of the THORFi withdrawal freeze, Richartz says, he tried to file reports with the Miami-Dade Police Department, the Florida Department of Law Enforcement, the FBI, the Securities and Exchange Commission, the Commodity Futures Trading Commission, the Federal Trade Commission, and Interpol. When we spoke in November, he still hadn’t been able to file with the city of Miami. They told him to try small claims court.

“I was like, no, you don’t understand … a post office box in Switzerland is the company address,” he says. “It underscored to me how little law enforcement even knows about these crimes.” 

As for the Bybit hack, at least one government has retaliated against those who facilitate blockchain projects. Last April German authorities shut down eXch, an exchange suspected of using THORChain to process funds Lazarus stole from Bybit, says Julia Gottesman, cofounder and head of investigations at the cybersecurity group zeroShadow. Australia, she adds, where Thorbjornsen was based, has been “slow to try to engage with the crypto community, or any regulations.”

KAGAN MCLEOD

In response to requests for comment, Australia’s Department of Home Affairs wrote that at the end of March 2026, the country’s regulatory powers will expand to include “exchanges between the same type of cryptocurrency and transfers between different types.” They did not comment on specific investigations.

Crypto and finance experts disagree about whether THORChain engaged in money laundering, defined by the UN as “the processing of criminal proceeds to disguise their illegal origin.” But some think it fits the definition.

Shlomit Wagman, a Harvard fellow and former head of Israel’s anti-money-laundering agency and its delegation to the Financial Action Task Force (FATF), thinks the Bybit activity was money laundering because THORChain helped the hackers “transfer the funds in an unsupervised manner, completely outside of the scope of regulated or supervised activity.” 

And by helping with conversions, Carlsen says, THORChain enabled bad actors to turn stolen crypto into usable currency. “People like [Thorbjornsen] have a personal degree of culpability in sustaining the North Korean government,” he says. Thorbjornsen counters that THORChain is “open-source infrastructure.”

Meanwhile, just days after the hack, Bybit issued a 10% bounty on any funds recovered. As of mid-January this year, between $100 million and $500 million worth of those funds in US dollars remain unaccounted for, according to Gottesman of zeroShadow, which was hired by Bybit to recover funds following the hack.

Thorbjornsen hacked

For Thorbjornsen, it’s just another day at the casino. That’s the comparison he made during his regrettable 7 News Spotlight interview about the Bybit heist, and he repeated it when we met. “You go to a casino, you play a few games, you expect to lose,” he told me. “When you do actually go to zero, don’t cry.”

Thorbjornsen, it should be noted, has lost at the casino himself.

In September, he says, he got a Telegram message from a friend, inviting him to a Zoom meeting. He accepted and participated in a call with people who had “American voices.”

Ultimately, Thorbjornsen describes himself as a guy who’s had a bad year, fending off “threat vectors” left and right.

After the meeting, Thorbjornsen learned that his friend’s Telegram had been hacked. Whoever was responsible had used the Zoom link to remotely install software on Thorbjornsen’s computer, which “got access to everything”—his email, his crypto wallets, a bitcoin-based retirement fund. It cost him at least $1.2 million. The blockchain sleuth known as ZachXBT traced the funds and attributed the hack to North Korea. 

ZachXBT called it “poetic.”

Ultimately, Thorbjornsen describes himself as a guy who’s had a bad year. He says he had to liquidate his crypto assets because he’s dealing with the fallout of a recent divorce. He also feels he is fending off “threat vectors” left and right. More than once, he asked if I was a private investigator masquerading as a journalist.

Still, his many contradictions don’t inspire confidence. He doesn’t have any more crypto assets, he says. However, the crypto wallet he shared with me so I could pay him back for lunch showed that it contained assets worth more than $143,000 in US dollars. He now says it wasn’t his wallet. He says he doesn’t control THORChain’s social media, but he’d also told me that he runs the @THORChain X account (later backtracking and saying the account is “delegated” to him for trickier questions).

He insists that he does not care about money. He says that in the robot future, the AI-powered hive mind will become our benevolent overlord, rendering money obsolete, so why give it much thought? Yet as we flew back from the vineyard, he pointed out his new house from the helicopter. It resembles a compound. He says he lives there with his new wife. 

Multiple people I spoke with about Thorbjornsen before I met him warned me he wasn’t trustworthy, and he’s undeniably made fishy statements. For instance, the presence of a North Korean flag in a row of decals on the tail of his helicopter suggested an affinity with the country for which THORChain has processed so much crypto. Thorbjornsen insists he had requested the flag of Australia’s Norfolk Island, calling the mix-up “a complete coincidence.” The flags were gone by the time of our flight, apparently removed during a recent repair.

“Money is a meme,” he says. “Money does not exist.” Meme or not, it’s had real repercussions for those who have interacted with THORChain, and those who wound up losing have been looking for someone to blame. 

When I spoke with Thorbjornsen again in January, he appeared increasingly concerned that he is that someone. He’s spending more time in Singapore, he told me. Singapore happens to have historically denied extraditions to the US for money-laundering prosecutions. 

Jessica Klein is a Philadelphia-based freelance journalist covering intimate partner violence, cryptocurrency, and other topics.

Hackers made death threats against this security researcher. Big mistake.

The threats started in spring. 

In April 2024, a mysterious someone using the online handles “Waifu” and “Judische” began posting death threats on Telegram and Discord channels aimed at a cybersecurity researcher named Allison Nixon. 

“Alison [sic] Nixon is gonna get necklaced with a tire filled with gasoline soon,” wrote Waifu/Judische, both of which are words with offensive connotations. “Decerebration is my fav type of brain death, thats whats gonna happen to alison Nixon.” 

It wasn’t long before others piled on. Someone shared AI-generated nudes of Nixon.

These anonymous personas targeted Nixon because she had become a formidable threat: As chief research officer at the cyber investigations firm Unit 221B, named after Sherlock Holmes’s apartment, she had built a career tracking cybercriminals and helping get them arrested. For years she had lurked quietly in online chat channels or used pseudonyms to engage with perpetrators directly while piecing together clues they’d carelessly drop about themselves and their crimes. This had helped her bring to justice a number of cybercriminals—especially members of a loosely affiliated subculture of anarchic hackers who call themselves the Com.

But members of the Com aren’t just involved in hacking; some of them also engage in offline violence against researchers who track them. This includes bricking (throwing a brick through a victim’s window) and swatting (a dangerous type of hoax that involves reporting a false murder or hostage situation at someone’s home so SWAT teams will swarm it with guns drawn). Members of a Com offshoot known as 764 have been accused of even more violent acts—including animal torture, stabbings, and school shootings—or of inciting others in and outside the Com to commit these crimes.

Nixon started tracking members of the community more than a decade ago, when other researchers and people in law enforcement were largely ignoring them because they were young—many in their teens. Her early attention allowed her to develop strategies for unmasking them.

Ryan Brogan, a special agent with the FBI, says Nixon has helped him and colleagues identify and arrest more than two dozen members of the community since 2011, when he first began working with her, and that her skills in exposing them are unparalleled. “If you get on Allison’s and my radar, you’re going [down]. It’s just a matter of time,” he says. “No matter how much digital anonymity and tradecraft you try to apply, you’re done.”

Though she’d done this work for more than a decade, Nixon couldn’t understand why the person behind the Waifu/Judische accounts was suddenly threatening her. She had given media interviews about the Com—most recently on 60 Minutes—but not about her work unmasking members to get them arrested, so the hostility seemed to come out of the blue. And although she had taken an interest in the Waifu persona in years past for crimes he boasted about committing, he hadn’t been on her radar for a while when the threats began, because she was tracking other targets. 

Now Nixon resolved to unmask Waifu/Judische and others responsible for the death threats—and take them down for crimes they admitted to committing. “Prior to them death-threatening me, I had no reason to pay attention to them,” she says. 

Com beginnings

Most people have never heard of the Com, but its influence and threat are growing.

It’s an online community comprising loosely affiliated groups of, primarily, teens and twentysomethings in North America and English-speaking parts of Europe who have become part of what some call a cybercrime youth movement. 

International laws and norms, and fears of retaliation, prevent states from going all out in cyber operations. That doesn’t stop the anarchic Com.

Over the last decade, its criminal activities have escalated from simple distributed denial-of-service (DDoS) attacks that disrupt websites to SIM-swapping hacks that hijack a victim’s phone service, as well as crypto theft, ransomware attacks, and corporate data theft. These crimes have affected AT&T, Microsoft, Uber, and others. Com members have also been involved in various forms of sextortion aimed at forcing victims to physically harm themselves or record themselves doing sexually explicit activities. The Com’s impact has also spread beyond the digital realm to kidnapping, beatings, and other violence. 

One longtime cybercrime researcher, who asked to remain anonymous because of his work, says the Com is as big a threat in the cyber realm as Russia and China—for one unusual reason.

“There’s only so far that China is willing to go; there’s only so far that Russia or North Korea is willing to go,” he says, referring to international laws and norms, and fears of retaliation, that prevent states from going all out in cyber operations. That doesn’t stop the anarchic Com, he says.

FRANZISKA BARCZYK

“It is a pretty significant threat, and people tend to … push it under the rug [because] it’s just a bunch of kids,” he says. “But look at the impact [they have].”

Brogan says the amount of damage they do in terms of monetary losses “can become staggering very quickly.”

There is no single site where Com members congregate; they spread across a number of web forums and Telegram and Discord channels. The group follows a long line of hacking and subculture communities that emerged online over the last two decades, gained notoriety, and then faded or vanished after prominent members were arrested or other factors caused their decline. They differed in motivation and activity, but all emerged from “the same primordial soup,” says Nixon. The Com’s roots can be traced to the Scene, which began as a community of various “warez” groups engaged in pirating computer games, music, and movies.

When Nixon began looking at the Scene, in 2011, its members were hijacking gaming accounts, launching DDoS attacks, and running booter services. (DDoS attacks overwhelm a server or computer with traffic from bot-controlled machines, preventing legitimate traffic from getting through; booters are tools that anyone can rent to launch a DDoS attack against a target of choice.) While they made some money, their primary goal was notoriety.

This changed around 2018. Cryptocurrency values were rising, and the Com—or the Community, as it sometimes called itself—emerged as a subgroup that ultimately took over the Scene. Members began to focus on financial gain—cryptocurrency theft, data theft, and extortion.

The pandemic two years later saw a surge in Com membership that Nixon attributes to social isolation and the forced movement of kids online for schooling. But she believes economic conditions and socialization problems have also driven its growth. Many Com members can’t get jobs because they lack skills or have behavioral issues, she says. A number who have been arrested have had troubled home lives and difficulty adapting to school, and some have shown signs of mental illness. The Com provides camaraderie, support, and an outlet for personal frustrations. Since 2018, it has also offered some a solution to their money problems.

Loose-knit cells have sprouted from the community—Star Fraud, ShinyHunters, Scattered Spider, Lapsus$—to collaborate on clusters of crime. They usually target high-profile crypto bros and tech giants and have made millions of dollars from theft and extortion, according to court records. 

But dominance, power, and bragging rights are still motivators, even in profit operations, says the cybercrime researcher, which is partly why members target “big whales.”

“There is financial gain,” he says, “but it’s also [sending a message that] I can reach out and touch the people that think they’re untouchable.” In fact, Nixon says, some members of the Com have overwhelming ego-driven motivations that end up conflicting with their financial motives.

“Often their financial schemes fall apart because of their ego, and that phenomenon is also what I’ve made my career on,” she says.

The hacker hunter emerges

Nixon has straight dark hair, wears wire-rimmed glasses, and has a slight build and bookish demeanor that, on first impression, could allow her to pass for a teen herself. She talks about her work in rapid cadences, like someone whose brain is filled with facts that are under pressure to get out, and she exudes a sense of urgency as she tries to make people understand the threat the Com poses. She doesn’t suppress her happiness when someone she’s been tracking gets arrested.

In 2011, when she first began investigating the communities from which the Com emerged, she was working the night shift in the security operations center of the security firm SecureWorks. The center responded to tickets and security alerts emanating from customer networks, but Nixon coveted a position on the company’s counter-threats team, which investigated and published threat-intelligence reports on mostly state-sponsored hacking groups from China and Russia. Without connections or experience, she had no path to investigative work. But Nixon is an intensely curious person, and this created its own path.

YLVA EREVALL

Where the threat team focused on the impact hackers had on customer networks—how they broke in, what they stole—Nixon was more interested in their motivations and the personality traits that drove their actions. She assumed there must be online forums where criminal hackers congregated, so she googled “hacking forums” and landed on a site called Hack Forums.

“It was really stupid simple,” she says.

She was surprised to see members openly discussing their crimes there. She reached out to someone on the SecureWorks threat team to see if he was aware of the site, and he dismissed it as a place for “script kiddies”—a pejorative term for unskilled hackers.

This was a time when many cybersecurity pros were shifting their focus away from cybercrime to state-sponsored hacking operations, which were more sophisticated and getting a lot of attention. But Nixon likes to zig where others zag, and her colleague’s dismissiveness fueled her interest in the forums. Two other SecureWorks colleagues shared that interest, and the three studied the forums during downtime on their shifts. They focused on trying to identify the people running DDoS booters. 

What Nixon loved about the forums was how accessible they were to a beginner like herself. Threat-intelligence teams require privileged access to a victim’s network to investigate breaches. But Nixon could access everything she needed in the public forums, where the hackers seemed to think no one was watching. Because of this, they often made mistakes in operational security, or OPSEC—letting slip little biographical facts such as the city where they lived, a school they attended, or a place they used to work. These details revealed in their chats, combined with other information, could help expose the real identities behind their anonymous masks. 

“It was a shock to me that it was relatively easy to figure out who [they were],” she says. 

She wasn’t bothered by the immature boasting and petty fights that dominated the forums. “A lot of people don’t like to do this work of reading chat logs. I realize that this is a very uncommon thing. And maybe my brain is built a little weird that I’m willing to do this,” she says. “I have a special talent that I can wade through garbage and it doesn’t bother me.” 

Nixon soon realized that not all the members were script kiddies. Some exhibited real ingenuity and “powerful” skills, she says, but because they were applying these to frivolous purposes—hijacking gamer accounts instead of draining bank accounts—researchers and law enforcement were ignoring them. Nixon began tracking them, suspecting that they would eventually direct their skills at more significant targets—an intuition that proved to be correct. And when they did, she had already amassed a wealth of information about them. 

She continued her DDoS research for two years until a turning point in 2013, when the cybersecurity journalist Brian Krebs, who made a career tracking cybercriminals, got swatted. 

About a dozen people from the security community worked with Krebs to expose the perpetrator, and Nixon was invited to help. Krebs sent her pieces of the puzzle to investigate, and eventually the group identified the culprit (though it would take two years for him to be arrested). When she was invited to dinner with Krebs and the other investigators, she realized she’d found her people.

“It was an amazing moment for me,” she says. “I was like, wow, there’s all these like-minded people that just want to help and are doing it just for the love of the game, basically.”

Staying one step ahead

It was porn stars who provided Nixon with her next big research focus—one that underscored her skill at spotting Com actors and criminal trends in their nascent stages, before they emerged as major threats.

In 2018, someone was hijacking the social media accounts of certain adult-film stars and using those accounts to blast out crypto scams to their large follower bases. Nixon couldn’t figure out how the hackers had hijacked the social media profiles, but she promised to help the actors regain access to their accounts if they agreed to show her the private messages the hackers had sent or received during the time they controlled them. These messages led her to a forum where members were talking about how they stole the accounts. The hackers had tricked some of these actors into disclosing the mobile phone numbers of others. Then they used a technique called SIM swapping to reset passwords for social media accounts belonging to those other stars, locking them out. 

In SIM swapping, fraudsters get a victim’s phone number assigned to a SIM card and phone they control, so that calls and messages intended for the victim go to them instead. This includes one-time security codes that sites text to account holders to verify themselves when accessing their account or changing its password. In some of the cases involving the porn stars, the hackers had manipulated telecom workers into making the SIM swaps for what they thought were legitimate reasons, and in other cases they bribed the workers to make the change. The hackers were then able to alter the password on the actors’ social media accounts, lock out the owners, and use the accounts to advertise their crypto scams. 

SIM swapping is a powerful technique that can be used to hijack and drain entire cryptocurrency and bank accounts, so Nixon was surprised to see the fraudsters using it for relatively unprofitable schemes. But SIM swapping had rarely been used for financial fraud at that point, and like the earlier hackers Nixon had seen on Hack Forums, the ones hijacking porn star accounts didn’t seem to grasp the power of the technique they were using. Nixon suspected that this would change and SIM swapping would soon become a major problem, so she shifted her research focus accordingly. It didn’t take long for the fraudsters to pivot as well.

Nixon’s skill at looking ahead in this way has served her throughout her career. On multiple occasions a hacker or hacking group would catch her attention—for using a novel hacking approach in some minor operation, for example—and she’d begin tracking their online posts and chats in the belief that they’d eventually do something significant with that skill. 

They usually did. When they later grabbed headlines with a showy or impactful operation, these hackers would seem to others to have emerged from nowhere, sending researchers and law enforcement scrambling to understand who they were. But Nixon would already have a dossier compiled on them and, in some cases, had unmasked their real identity as well. Lizard Squad was an example of this. The group burst into the headlines in 2014 and 2015 with a series of high-profile DDoS campaigns, but Nixon and colleagues at the job where she worked at the time had already been watching its members as individuals for a while. So the FBI sought their assistance in identifying them.

“The thing about these young hackers is that they … keep going until they get arrested, but it takes years for them to get arrested,” she says. “So a huge aspect of my career is just sitting on this information that has not been actioned [yet].”

It was during the Lizard Squad years that Nixon began developing tools to scrape and record hacker communications online, though it would be years before she began using these concepts to scrape the Com chatrooms and forums. These channels held a wealth of data that might not seem useful during the nascent stage of a hacker’s career but could prove critical later, when law enforcement got around to investigating them; yet the contents were always at risk of being deleted by Com members or getting taken down by law enforcement when it seized websites and chat channels.

Nixon’s work is unique because she engages with the actors in chat spaces to draw out information from them that “would not be otherwise normally available.”

Over several years, she scraped and preserved whatever chatrooms she was investigating. But it wasn’t until early 2020, when she joined Unit 221B, that she got the chance to scrape the Telegram and Discord channels of the Com. She pulled all of this data together into a searchable platform that other researchers and law enforcement could use. The company hired two former hackers to help build scraping tools and infrastructure for this work; the result is eWitness, a community-driven, invitation-­only platform. It was initially seeded only with data Nixon had collected after she arrived at Unit 221B, but has since been augmented with data that other users of the platform have scraped from Com social spaces as well, some of which doesn’t exist in public forums anymore.

Brogan, of the FBI, says it’s an incredibly valuable tool, made more so by Nixon’s own contributions. Other security firms scrape online criminal spaces as well, but they seldom share the content with outsiders, and Brogan says Nixon’s work is unique because she engages with the actors in chat spaces to draw out information from them that “would not be otherwise normally available.” 

The preservation project she started when she got to Unit 221B could not have been better timed, because it coincided with the pandemic, the surge in new Com membership, and the emergence of two disturbing Com offshoots, CVLT and 764. She was able to capture their chats as these groups first emerged; after law enforcement arrested leaders of the groups and took control of the servers where their chats were posted, this material went offline.

CVLT—pronounced “cult”—was reportedly founded around 2019 with a focus on sextortion and child sexual abuse material. 764 emerged from CVLT and was spearheaded by a 15-year-old in Texas named Bradley Cadenhead, who named it after the first digits of his zip code. Its focus was extremism and violence. 

In 2021, because of what she observed in these groups, Nixon turned her attention to sextortion among Com members.

The type of sextortion they engaged in has its roots in activity that began a decade ago as “fan signing.” Hackers would use the threat of doxxing to coerce someone, usually a young female, into writing the hacker’s handle on a piece of paper. The hacker would use a photo of it as an avatar on his online accounts—a kind of trophy. Eventually some began blackmailing victims into writing the hacker’s handle on their face, breasts, or genitals. With CVLT, this escalated even further; targets were blackmailed into carving a Com member’s name into their skin or engaging in sexually explicit acts while recording or livestreaming themselves.

During the pandemic a surprising number of SIM swappers crossed into child sexual abuse material and sadistic sextortion, according to Nixon. She hates tracking this gruesome activity, but she saw an opportunity to exploit it for good. She had long been frustrated at how leniently judges treated financial fraudsters because of their crimes’ seemingly nonviolent nature. But she saw a chance to get harsher sentences for them if she could tie them to their sextortion and began to focus on these crimes. 

At this point, Waifu still wasn’t on her radar. But that was about to change.

Endgame

Nixon landed in Waifu’s crosshairs after he and fellow members of the Com were involved in a large hack involving AT&T customer call records in April 2024.

Waifu’s group gained access to dozens of cloud accounts with Snowflake, a company that provides online data storage for customers. One of those customers had more than 50 billion call logs of AT&T wireless subscribers stored in its Snowflake account. 

They tried to re-extort the telecom, threatening on social media to leak the records. They tagged the FBI in the post. “It’s like they were begging to be investigated,” says Nixon.

Among the subscriber records were call logs for FBI agents who were AT&T customers. Nixon and other researchers believe the hackers may have been able to identify the phone numbers of agents through other means. Then they may have used a reverse-lookup program to identify the owners of phone numbers that the agents called or that called them and found Nixon’s number among them. This is when they began harassing her.

But then they got reckless. They allegedly extorted nearly $400,000 from AT&T in exchange for promising to delete the call records they’d stolen. Then they tried to re-extort the telecom, threatening on social media to leak the records they claimed to have deleted if it didn’t pay more. They tagged the FBI in the post.

“It’s like they were begging to be investigated,” says Nixon.

The Snowflake breaches and AT&T records theft were grabbing headlines at the time, but Nixon had no idea her number was in the stolen logs or that Waifu/Judische was a prime suspect in the breaches. So she was perplexed when he started taunting and threatening her online.

FRANZISKA BARCZYK

Over several weeks in May and June, a pattern developed. Waifu or one of his associates would post a threat against her and then post a message online inviting her to talk. She assumes now that they believed she was helping law enforcement investigate the Snowflake breaches and hoped to draw her into a dialogue to extract information from her about what authorities knew. But Nixon wasn’t helping the FBI investigate them yet. It was only after she began looking at Waifu for the threats that she became aware of his suspected role in the Snowflake hack.

It wasn’t the first time she had studied him, though. Waifu had come to her attention in 2019 when he bragged about framing another Com member for a hoax bomb threat and later talked about his involvement in SIM-swapping operations. He made an impression on her. He clearly had technical skills, but Nixon says he also often appeared immature, impulsive, and emotionally unstable, and he was desperate for attention in his interactions with other members. He bragged about not needing sleep and using Adderall to hack through the night. He was also a bit reckless about protecting personal details. He wrote in private chats to another researcher that he would never get caught because he was good at OPSEC, but he also told the researcher that he lived in Canada—which turned out to be true.

Nixon’s process for unmasking Waifu followed a general recipe she used to unmask Com members: She’d draw a large investigative circle around a target and all the personas that communicated with that person online, and then study their interactions to narrow the circle to the people with the most significant connections to the target. Some of the best leads came from a target’s enemies; she could glean a lot of information about their identity, personality, and activities from what the people they fought with online said about them.

“The enemies and the ex-girlfriends, generally speaking, are the best [for gathering intelligence on a suspect],” she says. “I love them.”

While she was doing this, Waifu and his group were reaching out to other security researchers, trying to glean information about Nixon and what she might be investigating. They also attempted to plant false clues with the researchers by dropping the names of other cybercriminals in Canada who could plausibly be Waifu. Nixon had never seen cybercriminals engage in counterintelligence tactics like this.

Amid this subterfuge and confusion, Nixon and another researcher working with her did a lot of consulting and cross-checking with other researchers about the clues they were gathering to ensure they had the right name before they gave it to the FBI.

By July she and the researcher were convinced they had their guy: Connor Riley Moucka, a 25-year-old high school dropout living with his grandfather in Ontario. On October 30, Royal Canadian Mounted Police converged on Moucka’s home and arrested him.

According to an affidavit filed in Canadian court, a plainclothes Canadian police officer visited Moucka’s house under some pretense on the afternoon of October 21, nine days before the arrest, to secretly capture a photo of him and compare it with an image US authorities had provided. The officer knocked and rang the bell; Moucka opened the door looking disheveled and told the visitor: “You woke me up, sir.” He told the officer his name was Alex; Moucka sometimes used the alias Alexander Antonin Moucka. Satisfied that the person who answered the door was the person the US was seeking, the officer left. Waifu’s online rants against Nixon escalated at this point, as did his attempts at misdirection. She believes the visit to his door spooked him.

Nixon won’t say exactly how they unmasked Moucka—only that he made a mistake.

“I don’t want to train these people in how to not get caught [by revealing his error],” she says.

The Canadian affidavit against Moucka reveals a number of other violent posts he’s alleged to have made online beyond the threats he made against her. Some involve musings about becoming a serial killer or mass-mailing sodium nitrate pills to Black people in Michigan and Ohio; in another, his online persona talks about obtaining firearms to “kill Canadians” and commit “suicide by cop.” 

Prosecutors, who list Moucka’s online aliases as including Waifu, Judische, and two more in the indictment, say he and others extorted at least $2.5 million from at least three victims whose data they stole from Snowflake accounts. Moucka has been charged with nearly two dozen counts, including conspiracy, unauthorized access to computers, extortion, and wire fraud. He has pleaded not guilty and was extradited to the US last July. His trial is scheduled for October this year, though hacking cases usually end in plea agreements rather than going to trial. 

It took months for authorities to arrest Moucka after Nixon and her colleague shared their findings with the authorities, but an alleged associate of his in the Snowflake conspiracy, a US Army soldier named Cameron John Wagenius (Kiberphant0m online), was arrested more quickly. 

On November 10, 2024, Nixon and her team found a mistake Wagenius made that helped identify him, and on December 20 he was arrested. Wagenius has already pleaded guilty to two charges around the sale or attempted sale of confidential phone records and will be sentenced this March.

These days Nixon continues to investigate sextortion among Com members. But she says that remaining members of Waifu’s group still taunt and threaten her.

“They are continuing to persist in their nonsense, and they are getting taken out one by one,” she says. “And I’m just going to keep doing that until there’s no one left on that side.” 

Kim Zetter is a journalist who covers cybersecurity and national security. She is the author of Countdown to Zero Day.