Incident-as-a-Service

Europol's Project Compass nets 30 arrests in crackdown on “The Com” - Security Affairs

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: To deepen threat intelligence analysis skills and learn to create detection rules for malware and access broker activity linked to criminal forums.
  • IT Administrator: To understand the infrastructure hardening and access control measures necessary to prevent credential theft and lateral movement exploited by these groups.
  • CISO / Security Manager: To gain strategic insight for board-level reporting on cybercrime risks and to align incident response and vendor management programmes with relevant compliance frameworks like NIS2 and GDPR.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
📖 1.1 Europol's Project Compass nets 30 arrests in crackdown on “The Com” - Security Affairs 45 min
📖 1.2 Campaign Analysis and Attribution 45 min
📖 1.3 Attack Vector Analysis 45 min
📖 1.4 Indicators of Compromise 45 min
📖 2.1 SIEM Detection Strategies 45 min
📖 2.2 Endpoint Detection and Analysis 45 min
📖 2.3 Incident Response Playbook 45 min
📖 2.4 Digital Forensics Essentials 45 min
📖 3.1 Authentication Hardening 45 min
📖 3.2 Access Control Implementation 45 min
📖 3.3 Network Segmentation 45 min
📖 3.4 Zero Trust Architecture 45 min
📖 4.1 Security Awareness Programme 45 min
📖 4.2 Board-Level Communication 45 min
📖 4.3 Vendor Risk Management 45 min
📖 4.4 Compliance Framework Integration 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

Lesson 1 of 16

Lesson 1.1: Europol's Project Compass nets 30 arrests in crackdown on “The Com” - Security Affairs

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Article 5 | Establishment of an ICT risk management framework
ISO 27001 | A.5.24 | Information security incident management planning and preparation
NIST CSF | RS.RP-1 | Response plan is executed during or after an incident
NIS2 | Article 21 | Incident handling obligations
SOC 2 | CC7.1 | The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities
GDPR | Article 33 | Notification of a personal data breach to the supervisory authority

Introduction

Welcome to Lesson 1.1: Europol's Project Compass nets 30 arrests in crackdown on “The Com” - Security Affairs! Over the next 45 minutes, we will explore how a coordinated law enforcement operation dismantled a major cybercrime network, and what this teaches us about modern threat intelligence and defence.

But first, let me tell you about Marcus Webb.

It's 3:17 PM on a Tuesday in October. Marcus Webb, a senior network administrator at a regional bank in Manchester, is reviewing firewall logs. The office is quiet, the only sound the hum of servers and the faint click of his keyboard. He sips cold coffee, his eyes scanning for anomalies in the usual traffic patterns.

A series of alerts pop up on his secondary monitor. Unusual outbound traffic to an IP range in Eastern Europe. The volume is low, but the pattern is consistent—small, encrypted packets leaving the network every few minutes. Marcus dismisses it initially; it could be a misconfigured update service or a developer's VPN. But the destination IP, when he looks it up, is flagged in a threat feed he subscribes to. The tag is vague: 'Suspected C2 Infrastructure'.

He escalates it to his manager, who asks for more concrete evidence of a breach. 'We can't justify shutting down a core banking server based on a vague threat feed, Marcus. Get me proof of data exfiltration.' Marcus knows he needs packet captures, but the bank's monitoring tools are limited. He makes a decision: he'll write a custom script to monitor the traffic more closely overnight. By the time he returns the next morning, the traffic has stopped. The server logs show nothing. He assumes it was a false alarm. He was wrong.

This is the story of a cyberattack. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: What Was 'The Com' and Project Compass?

Think of a traditional organised crime syndicate, but its territory is the internet and its weapons are lines of code. That was 'The Com'—not a single group, but a sprawling network of cybercriminals operating a digital marketplace for crime.

The Criminal Marketplace

'The Com' functioned as a central hub. Research suggests it was a platform where individuals could buy and sell the tools and services needed for cyberattacks. This included malware, stolen login credentials, and access to compromised corporate networks.

This model is efficient for criminals. A hacker in one country could sell access to a breached server to a fraudster in another, who could then deploy ransomware or steal data. The platform itself took a cut, creating a sustainable business model for the administrators.

The implication is a lower barrier to entry for cybercrime. You don't need to be a technical expert to launch an attack; you just need to know where to shop and have some cryptocurrency.

The Law Enforcement Response

Project Compass was Europol's coordinated response. It involved law enforcement from multiple countries working together to infiltrate and dismantle 'The Com' network.

The operation resulted in 30 arrests across several nations. These arrests targeted not just the end-users of the platform, but also its key administrators and high-level vendors, aiming to disrupt the entire ecosystem.

Think about that last point for a moment. The professionalisation of cybercrime means your organisation isn't just facing lone hackers, but a supply chain of specialists, each optimising their part of the attack.

DORA Article 5 requires financial entities like Marcus's bank to establish a strong ICT risk management framework. This includes processes for using threat intelligence, like the feeds Marcus saw, to inform defensive actions, not just to note and dismiss alerts.

ISO 27001 A.5.24 mandates that organisations have a prepared plan for managing information security incidents. Marcus's story shows what happens without one: a lone analyst with no clear process for escalating and acting on ambiguous threats.



Content Section 2: The Attack Chain and Defence Gaps

Understanding the marketplace model reveals why these attacks are so effective. Let me show you exactly how Marcus was compromised, step-by-step.

The Attack Flow

Phase 1: Initial Access. A vendor on 'The Com' sells access to Marcus's bank's network. This access was likely obtained months earlier through a phishing email, an unpatched vulnerability, or a compromised third-party supplier. The bank was unaware it was already breached.

Phase 2: Persistence & Discovery. The buyer of this access installs lightweight malware to maintain a foothold. This malware, possibly a simple remote access trojan (RAT), calls back to a command-and-control (C2) server—the traffic Marcus saw. It quietly maps the network, looking for valuable data like customer databases or financial records.

Phase 3: Action. The goal could be data theft for resale, or to deploy ransomware. The low-and-slow exfiltration Marcus detected was likely the thief siphoning data out in small chunks to avoid traditional data loss prevention (DLP) systems that look for large file transfers.

Key Technical Components

The C2 infrastructure is critical. These are the servers that malware phones home to for instructions. They are often rented, bulletproof hosting or compromised legitimate servers, and they change frequently. The IP Marcus found was just one node in a flexible network.

The malware used is often 'commodity' code, readily available for purchase. It is typically configured to use common ports (443 above all) and TLS so that it blends in with normal web traffic, making it hard to distinguish from legitimate HTTPS connections without looking at timing and volume rather than content.

Why Traditional Defences Fail

Marcus's tools were looking for the wrong things. Here's how common defences are bypassed:

Defensive Method | How It's Bypassed | Time to Compromise
Signature-Based AV | Custom or lightly modified commodity malware has no known signature. | Minutes after access is purchased.
Firewall Block Lists | C2 servers use new IPs or domains; lists are always out of date. | As fast as the infrastructure rotates.
DLP (Large Transfers) | Data is exfiltrated slowly, in small encrypted packets over time. | Days or weeks, evading thresholds.
Manual Log Review | Alerts are vague; analysts lack context and authority to act decisively. | The window of opportunity closes while waiting for 'proof'.

Notice what all of these methods have in common. They are static or reactive. The attack is dynamic and patient, operating just below the threshold of what these tools are designed to catch.

Now pay attention, because this is the moment that defined the breach. This is the moment where a vague threat intelligence alert met an organisational culture that demanded absolute proof before action. In cyber defence, sometimes you have to act on a strong suspicion.

NIST CSF RS.RP-1 requires the execution of a response plan during or after an incident. Marcus identified a potential incident but had no clear plan to execute. The response was ad-hoc and delayed, allowing the attacker to complete their objective.

NIS2 Article 21 mandates incident handling obligations, including early warning and situational awareness. The bank's inability to investigate Marcus's alert effectively represents a failure in early warning, a core requirement for essential entities like banks.



Content Section 3: Detection: Seeing What Marcus Missed

Marcus's computer knew something was wrong. The network traffic was anomalous. It just couldn't tell him clearly enough. Modern detection looks for patterns, not just signatures.

Network-Level Indicators

Look for 'beaconing'—the regular, periodic calls to a C2 server. This creates a pattern in network logs: consistent outbound connections at fixed intervals, even if the traffic volume is tiny. Security tools can analyse connection timing to spot this.
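The interval analysis the paragraph describes, run over a handful of flow records, looks like this. This is an added example for the lesson, not code from the original page or from any vendor's tool: the flow tuples are constructed to mimic Marcus's traffic (one host calling the same TEST-NET address roughly every five minutes with a few hundred bytes each time, beside ordinary browsing), the field layout is an assumption, and the thresholds are starting points to tune against your own baseline.

```python
"""Beacon detection over flow metadata: an added example, not the lesson's tooling."""
from collections import defaultdict
from statistics import median, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.5.17 -> 198.51.100.23 (a TEST-NET address standing in for the C2 node)
# mimics the story's beacon: ~400 bytes every ~300 s with a few seconds of jitter.
# The remaining rows are ordinary, bursty browsing traffic.
JITTER = [0, 4, -3, 6, -2, 1, 5, -4, 2, 0, 3, -1]
SAMPLE_FLOWS = (
    [(1_700_000_000 + 300 * i + j, "10.0.5.17", "198.51.100.23", 443, 412 + (i % 3) * 8)
     for i, j in enumerate(JITTER)]
    + [(1_700_000_000 + t, "10.0.5.17", "203.0.113.40", 443, b)
       for t, b in [(12, 51_000), (19, 8_300), (640, 112_000), (655, 4_100), (2_900, 77_000), (2_915, 9_900)]]
    + [(1_700_000_000 + t, "10.0.5.22", "203.0.113.41", 443, 20_000) for t in (100, 1_700, 1_750)]
)


def find_beacons(flows, min_connections=8, max_jitter=0.15, max_median_bytes=2048, known_good=()):
    """Return (src, dst, median_interval_s, jitter_ratio, connections) for each
    src/dst pair whose connections recur at a near-constant interval and carry
    little data: the shape of a C2 check-in rather than a user browsing.

    jitter_ratio is the coefficient of variation of the inter-connection gaps
    (population stdev / median). Real malware adds jitter deliberately, so the
    threshold is a tuning assumption, not a fixed rule. known_good holds
    destinations your baseline already explains (update services, telemetry):
    legitimate software beacons too, which is exactly the objection Marcus's
    manager raised, so an allowlist is part of the detector, not an afterthought.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        if dst not in known_good:
            by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_connections:
            continue                      # too few samples to call a rhythm
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        med_gap = median(gaps)
        if med_gap <= 0:
            continue                      # simultaneous flows, not a beacon
        jitter = pstdev(gaps) / med_gap
        med_bytes = median(nbytes for _, nbytes in recs)
        if jitter <= max_jitter and med_bytes <= max_median_bytes:
            hits.append((src, dst, med_gap, round(jitter, 3), len(recs)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, jitter, n in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {n} connections, every ~{gap}s, jitter {jitter}")
```

On the sample, the browsing pairs drop out on count and volume alone, while the 10.0.5.17 pair surfaces with a median gap of 303 seconds and a jitter ratio around 0.02. Run the same function over a day of real flow data and the first thing you will learn is how many legitimate agents beacon; that baseline becomes known_good, and what remains is worth an analyst's time.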

Domain Generation Algorithms (DGAs) are sometimes used, where malware generates thousands of random domain names to find its C2. A sudden spike in DNS requests for nonsense domain names is a major red flag.
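The DNS-side check described above, as an added example that is not part of the original lesson or any product: it scores each client on the share of its lookups that fail (NXDOMAIN) and on the character entropy of the names that failed, and flags only the combination. The query log is constructed, the generated names stand in for a DGA's output, and the suffix handling is a deliberate simplification noted in the code.

```python
"""DGA-style DNS activity: NXDOMAIN rate plus label entropy per client.
Added example with constructed query logs, not the lesson's own tooling."""
import hashlib
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def fake_dga_name(seed, length=20):
    """Deterministic pseudo-random label standing in for a DGA's output (constructed)."""
    digest = hashlib.sha256(f"lesson-1.1-sample-{seed}".encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length]) + ".com"


# Constructed DNS log: (client_ip, queried_name, rcode). 10.0.5.17 walks through
# 30 generated names, of which only the last two resolve (the registered C2);
# 10.0.5.22 is a normal user who mistypes two domains.
NORMAL = ["microsoft.com", "bbc.co.uk", "slack.com", "office365.com", "github.com", "wikipedia.org"]
SAMPLE_QUERIES = (
    [("10.0.5.17", fake_dga_name(i), "NXDOMAIN" if i < 28 else "NOERROR") for i in range(30)]
    + [("10.0.5.17", NORMAL[0], "NOERROR"), ("10.0.5.17", NORMAL[2], "NOERROR")]
    + [("10.0.5.22", NORMAL[i % len(NORMAL)], "NOERROR") for i in range(24)]
    + [("10.0.5.22", "micrsoft.com", "NXDOMAIN"), ("10.0.5.22", "githb.com", "NXDOMAIN")]
)


def shannon_entropy(text):
    """Bits per character: 'aaaa' -> 0.0, 'abcd' -> 2.0."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname):
    """Label left of the TLD ('example' from 'www.example.com'). Simplification:
    a production detector would use the Public Suffix List so that 'bbc.co.uk'
    is not reduced to 'co'."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_dga_hosts(queries, min_queries=20, min_nx_ratio=0.5, min_entropy=3.0):
    """Flag clients with many failed lookups for high-entropy names.
    Entropy alone is weak ('microsoft' scores about 2.9) and NXDOMAIN alone
    catches typos and stale CNAMEs; the combination separates a DGA from noise.
    Returns {client: (nx_ratio, mean_entropy_of_failed_labels, total_queries)}."""
    per_host = defaultdict(lambda: {"total": 0, "nx_entropies": []})
    for client, qname, rcode in queries:
        stats = per_host[client]
        stats["total"] += 1
        if rcode == "NXDOMAIN":
            stats["nx_entropies"].append(shannon_entropy(registrable_label(qname)))

    flagged = {}
    for client, stats in per_host.items():
        if stats["total"] < min_queries or not stats["nx_entropies"]:
            continue
        nx_ratio = len(stats["nx_entropies"]) / stats["total"]
        mean_entropy = sum(stats["nx_entropies"]) / len(stats["nx_entropies"])
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            flagged[client] = (round(nx_ratio, 3), round(mean_entropy, 2), stats["total"])
    return flagged


if __name__ == "__main__":
    for client, (ratio, entropy, total) in find_dga_hosts(SAMPLE_QUERIES).items():
        print(f"{client}: {total} queries, {ratio:.0%} NXDOMAIN, mean label entropy {entropy}")
```

The two NOERROR answers at the end of the walk are the detail to keep: once a DGA finds its registered domain, the storm of failures stops, so the window for this signal is the minutes before the beacon starts. That is also why the output is a per-client score rather than a per-query alert.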

Practically, this means enabling and monitoring NetFlow, IPFIX or similar flow metadata. You're not looking at packet contents, but at connection patterns: who is talking to whom, how often, for how long, and how much moves each time.

Endpoint-Level Indicators

Unexpected processes making network connections. A standard accounting software executable shouldn't be opening outbound connections to an IP in another country. Endpoint Detection and Response (EDR) tools, or Sysmon-style telemetry, can correlate processes with network activity.

Persistence mechanisms: look for new scheduled tasks, services, or registry entries that launch on startup. The malware Marcus faced would have installed something to ensure it survived a reboot.

Threat Intelligence Signals

This is where Marcus had a clue but lacked confirmation. A good threat intelligence feed doesn't just provide IPs; it provides context: 'This IP is part of a cluster known as 'The Com' C2 infrastructure, used for post-compromise activity like data theft.'

Specific signals to monitor include tactical indicators (IPs, domains, file hashes) and strategic intelligence about criminal groups' methods. Integrating this intelligence into your security tools allows for automated alert enrichment, turning Marcus's vague alert into a high-priority incident.
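The enrichment step the paragraph describes, as an added example that is not the lesson's own material or any vendor's API. It matches an observed indicator against a constructed feed (exact IP, CIDR containment, or domain and parent domain), then derives a priority from the entry's confidence, how much actor and tactic context it carries, and how stale it is. The feed entries, the context fields and the scoring thresholds are all assumptions; the bare entry at the end mirrors the 'Suspected C2 Infrastructure' tag Marcus saw, and the code shows why that tag alone cannot justify isolating a core server.

```python
"""Turn a bare indicator hit into a prioritised alert using feed context.
Added example with a constructed feed; not the lesson's or any vendor's code."""
import ipaddress
from datetime import date

CONTEXT_FIELDS = ("actor", "tactic", "malware", "victim_profile")

# Constructed feed. The first entry is what a contextual feed looks like; the
# last mirrors the bare 'Suspected C2 Infrastructure' tag from the story.
FEED = [
    {"indicator": "198.51.100.0/24", "type": "cidr", "confidence": 80, "last_seen": "2025-10-14",
     "context": {"actor": "access-broker cluster selling on a marketplace like 'The Com'",
                 "tactic": "Command and Control (TA0011)",
                 "malware": "commodity RAT",
                 "victim_profile": "UK and EU financial services"}},
    {"indicator": "c2.example.net", "type": "domain", "confidence": 60, "last_seen": "2025-01-03",
     "context": {"tactic": "Command and Control (TA0011)"}},
    {"indicator": "203.0.113.77", "type": "ip", "confidence": 40, "last_seen": "2025-10-01",
     "context": {}},
]


def match(indicator, feed):
    """Exact-IP, CIDR-containment or domain/parent-domain match; None if no hit."""
    value = indicator.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    for entry in feed:
        ind = entry["indicator"].lower()
        if entry["type"] == "ip" and ip is not None and ind == value:
            return entry
        if entry["type"] == "cidr" and ip is not None and ip in ipaddress.ip_network(ind, strict=False):
            return entry
        if entry["type"] == "domain" and ip is None and (value == ind or value.endswith("." + ind)):
            return entry
    return None


def enrich(indicator, feed, as_of, stale_after_days=90):
    """Score = feed confidence, scaled by how much context the entry carries and
    halved when the indicator is older than stale_after_days (C2 nodes rotate,
    so an old IP is as likely to be a re-assigned cloud host as an attacker).
    as_of is an ISO date so runs are reproducible. Thresholds are assumptions;
    the point is that context, not the bare IP, decides whether anyone can act."""
    entry = match(indicator, feed)
    if entry is None:
        return {"indicator": indicator, "priority": "none", "notes": ["no feed match"]}
    age_days = (date.fromisoformat(as_of) - date.fromisoformat(entry["last_seen"])).days
    present = [f for f in CONTEXT_FIELDS if entry["context"].get(f)]
    score = entry["confidence"] * (len(present) + 1) / (len(CONTEXT_FIELDS) + 1)
    notes = []
    if age_days > stale_after_days:
        score *= 0.5
        notes.append(f"last seen {age_days} days ago; infrastructure may have rotated")
    if not present:
        notes.append("bare indicator with no actor or tactic context; corroborate before isolating")
    priority = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"indicator": indicator, "matched": entry["indicator"], "priority": priority,
            "score": round(score, 1), "age_days": age_days,
            "context": {f: entry["context"][f] for f in present}, "notes": notes}


if __name__ == "__main__":
    for seen in ("198.51.100.23", "beacon.c2.example.net", "203.0.113.77", "192.0.2.1"):
        print(enrich(seen, FEED, "2025-10-21"))
```

Wire this in front of your SIEM rule rather than behind it: the beacon detector raises the pair, the enrichment attaches the actor, tactic and victim profile, and the playbook's isolation authority keys off the resulting priority. An analyst who receives the first entry's output has a scoped investigation; one who receives the last entry's output has Marcus's problem.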

SOC 2 CC7.1 requires monitoring procedures that identify configuration changes introducing new vulnerabilities and that detect unknown or unauthorised components. A RAT and its C2 channel are exactly such an unauthorised component on the bank's network. Monitoring for beaconing or anomalous connections is a control that satisfies this criterion.

GDPR Article 33 requires notification of a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Had Marcus's bank confirmed the exfiltration, that clock would have started. Detection that provides faster, more confident awareness is critical for GDPR compliance, and so is recording the moment awareness was reached.


Activity: Threat Intelligence Feed Evaluation

This activity will help you assess the practical value of a threat intelligence feed for your context, moving beyond just subscribing to feeds.

Important Security Note: Do NOT use this activity to test or query indicators against live criminal infrastructure. Use only the provided example indicators or ones from open-source, reputable threat reports. Do not share specific internal indicators or findings from your organisation's logs.

Instructions

Step 1: Select one threat intelligence feed or open-source report you have access to (e.g., from your vendor, an ISAC, or a public source like CISA's alerts).

Step 2: Find a recent indicator (e.g., an IP address, domain, or file hash) related to a known cybercriminal operation.

Step 3: Evaluate the context provided. Does it just list the indicator, or does it explain the threat actor, their tactics, the malware family, and the typical victim profile?

Step 4: Ask: If this indicator appeared in my logs tomorrow, would the provided context give my security team enough information to prioritise and scope the investigation? Why or why not?

Submission

For the course discussion forum, share general learnings only:

  • What type of context (tactical, technical, strategic) was most useful in the feed you reviewed?
  • What one question would you now ask a threat intelligence vendor before purchasing their feed?
  • How could the intelligence be better integrated into a Security Operations Centre (SOC) workflow?

Do NOT share the specific indicators you found, details of your organisation's security tools, or any internal assessment of your security posture.

Review and comment on at least two other students' submissions, focusing on how their evaluation criteria could improve your own.


Content Section 4: Documenting Your Defence

Compliance documentation is often seen as a checkbox exercise. But in incidents like this, it's your evidence of due care. It's the script you should have been able to follow when Marcus raised the alert.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA auditors, you can now demonstrate staff training on advanced threat patterns (like beaconing) and have a completed activity showing evaluation of threat intelligence sources as part of your ICT risk management framework.

For ISO 27001 assessors, you can evidence that your team understands the need for defined incident response procedures for ambiguous alerts, using the 'Marcus scenario' as a training case study in your records.

For NIST CSF reviewers, you can show that this lesson has informed the development or refinement of your response plans, specifically for scenarios involving low-and-slow data exfiltration and C2 communication.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified (e.g., 'Review our threat intelligence feed context', 'Schedule a tabletop exercise on ambiguous alerts')

Conclusion

Let me tell you how Marcus's story ended.

Three months after the traffic stopped, the bank received a ransom note. A group claimed to have stolen 100,000 customer records and demanded a large sum in Bitcoin. The proof was a sample of the data. The investigation traced the breach back to the C2 traffic Marcus had seen. The data had been siphoned out during those quiet, persistent connections. Marcus wasn't fired, but his role was changed. The trust was broken.

The organisation eventually hired a managed detection and response (MDR) service, implemented an EDR platform, and started conducting regular threat hunting exercises. They also revised their incident response plan to define clear authority levels for analysts to isolate systems based on correlated alerts, not absolute proof.

But it doesn't have to be your story. That's why we're here.

You should now understand how cybercrime marketplaces like 'The Com' lower the barrier for attackers. You understand the attack chain of a compromised network leading to low-and-slow data theft. You know the key detection indicators beyond simple signatures, like beaconing and process-network correlation. And you understand how threat intelligence needs context to be actionable.

Next, we'll explore Lesson 1.2: Analysing a Modern Ransomware Attack Chain. We'll break down how the data stolen in attacks like the one Marcus faced is often used as leverage in the final, most disruptive stage.

See you there.


Key Takeaways

1. The Professionalised Threat: Cybercrime operates through efficient marketplaces like 'The Com', where tools, services, and network access are commoditised, creating a supply chain that makes sophisticated attacks accessible to less-skilled criminals.

2. The Patient Attack: Modern data theft often uses low-and-slow exfiltration techniques, sending small encrypted packets over extended periods to bypass traditional security tools that look for large, obvious data transfers.

3. Detection Beyond Signatures: Effective defence requires looking for behavioural patterns like network beaconing (regular callbacks to C2 servers) and correlating unexpected processes with network activity, as static block lists and AV signatures are easily evaded.

4. Actionable Intelligence: Threat intelligence is only valuable if it provides context—linking indicators to specific threat actors, tactics, and victim profiles—enabling security teams to prioritise alerts and scope investigations quickly.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (beaconing patterns, DGA traffic, process-network correlation) and immediate isolation steps for a suspected 'The Com'-style network compromise on a single page.
  • Compliance Mapping Worksheet - Map your organisation's controls for detecting command-and-control communication and data exfiltration to the specific DORA, NIST CSF, and NIS2 requirements discussed in this lesson.
  • Risk Assessment Template - Assess your organisation's exposure to marketplace-facilitated cyberattacks based on your reliance on threat intelligence, network monitoring depth, and incident response authority levels.
  • Further reading - Links to Europol press releases on similar operations, CISA guidance on detecting lateral movement and exfiltration, and MITRE ATT&CK techniques for Command and Control (TA0011).

Europol's Project Compass nets 30 arrests in crackdown on “The Com” - Security Affairs Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Secure checkout

Select pricing tier

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.