Allison Nixon

Cybersecurity researcher

Allison Nixon is a cybersecurity researcher and the chief research officer and co-owner of Unit 221B, a New York City-based cybersecurity investigations firm. She is known for her research into DDoS attribution, cybercrime attribution, and English-speaking criminal communities, particularly the loose cybercriminal collective known as The Com. Her investigative work has contributed to the identification and arrest of more than two dozen cybercriminals since 2011, according to

Early Career

Nixon began her cybersecurity career around 2011, working the night shift in the security operations center at Dell SecureWorks. While the firm's counter-threats team concentrated on state-sponsored hacking groups, she independently began investigating the online forums and communities where criminal hackers congregated. This early work cultivated an interest in the motivations and social dynamics of cybercriminals, not merely their technical methods.

In 2013, while employed at Integralis — renamed NTT Com Security later that year — Nixon presented at Black Hat USA on techniques for bypassing DDoS protection services. She subsequently joined Flashpoint, a business risk intelligence firm, where she served as director of security research. In early 2020, she joined Unit 221B, a cybersecurity investigations firm named after Sherlock Holmes's address, as chief research officer and co-owner.

Research and Investigations

Mirai Botnet

In October 2016, while serving as director of security research at Flashpoint, Nixon led the firm's investigation into a series of large-scale DDoS attacks against DNS provider Dyn, which disrupted access to major websites including Amazon, Twitter, and Spotify. Flashpoint confirmed the involvement of the Mirai botnet in those attacks. Nixon's ongoing research contributed to the law enforcement investigation that culminated in the December 2017 guilty pleas of the three creators of the Mirai malware. She was a named subject in a resulting cover story by Andy Greenberg published in Wired.

The Com and Scattered Spider

Nixon has published extensive research on The Com, a loosely affiliated network of predominantly young, English-speaking cybercriminals responsible for offenses including social engineering, SIM swapping, cryptocurrency theft, sextortion, swatting, and ransomware attacks. She began tracking the online communities from which The Com emerged as early as 2011. At Unit 221B, she built eWitness, an invitation-only platform aggregating scraped data from Telegram and Discord channels used by Com members, which is shared with other researchers and law enforcement agencies.

Following the September 2023 cyberattacks on MGM Resorts International and Caesars Entertainment by Scattered Spider — a group associated with The Com — Nixon provided analysis to media outlets including the Wall Street Journal and TechCrunch. She has characterized Scattered Spider and related groups as Western, predominantly young cybercriminals who deliberately recruit minors due to the more lenient legal consequences minors face. In a June 2025 presentation at the Sleuthcon cybersecurity conference, Nixon described The Com as a youth subculture whose members are drawn in by financial incentives and peer influence, with criminal activity escalating from financially motivated fraud to violence and sextortion.

Snowflake Data Breaches and the Moucka Case

In April 2024, Nixon became the target of death threats posted on Telegram and Discord by a person using the handles "Waifu" and "Judische," later identified as Connor Riley Moucka, a Canadian national. Moucka was accused of involvement in a series of data breaches targeting customers of Snowflake, a cloud data platform, and of extorting victims for millions of dollars in Bitcoin. After the threats drew her attention, Nixon and Unit 221B, working with Mandiant and other partners, helped identify Moucka's real identity and passed that information to law enforcement. Moucka was arrested in Kitchener, Ontario, in October 2024 and faces 20 federal charges in the United States, including conspiracy, computer fraud, wire fraud, extortion, and aggravated identity theft.

Media Appearances and Recognition

Nixon appeared on 60 Minutes in a 2024 segment on Scattered Spider and its connection to the casino cyberattacks. She was featured in The New York Times Presents episode "The Teenager Who Hacked Twitter" (2020), about the 2020 Twitter hack, and in the documentary series Most Wanted: Teen Hacker (2025). In February 2026, MIT Technology Review published a feature profile detailing her career, her role in pursuing members of The Com, and the death threats she received from cybercriminals whose identities she helped expose. In May 2026, she appeared in an episode of Wired's web series "Tech Support." Her work has also been cited extensively by journalist Brian Krebs at Krebs on Security, covering topics including Mirai, LAPSUS$, SIM swapping, T-Mobile breaches, and DDoS-for-hire services.
