Cybercriminals Recruit Insiders on Dark Web to Breach Companies

Editorial

Cybercriminals are increasingly targeting employees within organizations, using the dark web to recruit individuals willing to compromise their companies. This recruitment strategy involves everything from public posts on dark web forums to private messages on platforms like LinkedIn. By enlisting malicious insiders, these criminals gain direct access to sensitive company resources, enabling them to steal confidential data or launch damaging cyberattacks.

According to research conducted by NordStellar, the dark web has seen a notable increase in recruitment posts aimed at employees from specific companies over the past year. Many of these posts focus on insiders working for social media and cryptocurrency platforms, which are often rich in sensitive information. For instance, in 2025, the cryptocurrency exchange platform Coinbase publicly disclosed that cybercriminals had bribed its employees to leak user information, demonstrating the real-world implications of these threats.

Vakaris Noreika, a cybersecurity expert at NordStellar, highlighted that while some cybercriminals openly seek out malicious employees through dark web advertisements, others prefer a more discreet approach. In the past year, NordStellar identified 25 unique dark web posts specifically looking for insiders.

Understanding Insider Threats

Insider threats present a significant challenge to organizations as they can provide cybercriminals with access to critical data. “Employees can grant cybercriminals access to personal customer information and confidential business agreements,” Noreika explained. This data can be exploited to conduct ransomware attacks, sell intelligence on business dealings to competitors, or execute sophisticated phishing scams targeting unsuspecting victims whose personal data has been compromised.

Noreika noted that insider threats are difficult to detect, often eluding security teams for extended periods. Employees, being trusted members of the organization, have legitimate access to company resources, making it challenging to identify any unusual behavior. “Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” he added. Familiarity with the organization’s internal security policies allows insiders to adjust their actions to avoid arousing suspicion.

Recruitment Tactics and Prevention Strategies

The recruitment of insiders by cybercriminals typically occurs in a subtle manner. They often target specific employees, especially those with technical skills or access to sensitive data. This targeted approach increases the likelihood of successful infiltration.

To safeguard against insider threats, Noreika emphasizes the necessity of maintaining high observability into system and data usage. Organizations should implement robust monitoring systems that flag any unexpected behavior or access patterns. “Patterns of unusual behavior are the first indicator that a user might be an insider,” he said. Security teams should be vigilant about employees who frequently access sensitive information and ensure they have proper authorization. Additionally, data exfiltration to external parties or devices is a significant red flag.
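The three indicators in the paragraph above (access without authorization, access volume well beyond a user's own baseline, and transfers to external destinations) can be checked over an access log as follows. This is an added example, not code from NordStellar or the article; the entitlement list, destination names, thresholds and log events are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed entitlement list: which users may read each sensitive resource.
AUTHORIZED = {"customer_db": {"alice", "bob"}, "contracts": {"alice"}}
INTERNAL_DESTS = {"fileserver", "backup"}  # assumed approved destinations

def make_events():
    """Constructed sample log: (day, user, resource, action, destination)."""
    ev = []
    for day in range(1, 6):                      # five days of normal activity
        ev += [(day, "alice", "customer_db", "read", None)] * 4
        ev += [(day, "bob", "customer_db", "read", None)] * (3 + day % 2)
    ev += [(6, "alice", "customer_db", "read", None)] * 4
    ev += [(6, "bob", "customer_db", "read", None)] * 40      # volume spike
    ev += [(6, "bob", "customer_db", "export", "usb-drive")]  # leaves the org
    ev += [(6, "carol", "contracts", "read", None)]           # not entitled
    ev += [(6, "alice", "contracts", "export", "backup")]     # approved, no alert
    return ev

def detect(events, authorized=AUTHORIZED, internal=INTERNAL_DESTS, z=3.0):
    """Return sorted (day, user, reason) findings for the three indicators."""
    findings = set()
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> read count
    for day, user, resource, action, dest in events:
        if resource in authorized and user not in authorized[resource]:
            findings.add((day, user, "unauthorized_access"))
        if action == "export" and dest not in internal:
            findings.add((day, user, "external_transfer"))
        if action == "read" and resource in authorized:
            daily[user][day] += 1
    for user, counts in daily.items():
        days = sorted(counts)
        for i, day in enumerate(days):
            history = [counts[d] for d in days[:i]]
            if len(history) < 3:                 # not enough baseline yet
                continue
            # Floor the deviation so a perfectly flat baseline still works.
            limit = mean(history) + z * max(pstdev(history), 1.0)
            if counts[day] > limit:
                findings.add((day, user, "volume_above_baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(make_events()):
        print(finding)
```

Comparing each user against their own history is what lets this catch an authorized user such as the constructed "bob", whose individual reads are all permitted and would pass an entitlement check on their own.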

Noreika also advocates for an incident recovery plan as an essential component in minimizing the fallout from cyberattacks driven by insider threats. Such a plan should outline the key steps an organization must take to detect incidents and contain threats effectively.

In related news, Google has announced it will discontinue its dark web monitoring tool, the Dark Web Report, which was designed to scan the dark web for exposed personal information. The final scans for new breaches will cease on January 15, 2026, and the report will be entirely unavailable by February 16, 2026. Google plans to focus on tools that provide clearer, actionable steps to protect users’ information, but has yet to reveal new cybersecurity initiatives.

The increase in dark web recruitment of insiders highlights the evolving landscape of cyber threats and underscores the importance of proactive measures for businesses to protect sensitive information.
