Cybercriminals Recruit Insiders via Dark Web for Corporate Breaches

Cybercriminals are increasingly targeting employees within organizations as a means to infiltrate corporate systems and access sensitive information. Researchers from NordStellar have uncovered a disturbing trend on the dark web, where posts actively seek to recruit insiders from various companies, particularly those in the social media and cryptocurrency sectors.

Over the past year, NordStellar identified 25 unique dark web postings urging individuals from specific organizations to engage in malicious activities. These insiders are seen as valuable assets, capable of providing direct access to confidential data or assisting in orchestrated cyberattacks. A notable incident occurred in 2025, when the cryptocurrency exchange platform Coinbase reported that cybercriminals had bribed employees to leak user information.

According to Vakaris Noreika, a cybersecurity expert at NordStellar, the recruitment methods vary. While some cybercriminals openly advertise their search for malicious employees, others prefer a more discreet approach, targeting specific individuals within organizations. “Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” Noreika explained.

The ramifications of insider threats can be severe. Cybercriminals can exploit insider access to deploy ransomware attacks, sell intel on business agreements to competitors, or carry out sophisticated phishing scams. Noreika notes that identifying insider threats can be particularly challenging for security teams, as trusted employees often have legitimate access to company resources. This complicates the detection of any suspicious behavior.

Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers. “Insiders are also familiar with the organization’s internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion,” Noreika added.

Understanding Insider Recruitment Tactics

Noreika emphasizes that while the dark web serves as a recruitment ground for some cybercriminals, the actual process is often conducted privately. Bad actors tend to target employees with technical skills or those who hold sensitive information. This specificity increases the effectiveness of their operations.

For businesses looking to safeguard against insider threats, Noreika advocates for heightened observability into system and data usage. “Any unexpected system behavior or access patterns must be flagged, reported, and thoroughly examined,” he stated. Security teams should pay particular attention to employees accessing sensitive information frequently and ensure they have the appropriate authorization.

Additionally, data exfiltration to external parties or devices should raise significant concerns. Noreika recommends that organizations develop a robust incident recovery plan as a vital component of their cybersecurity strategy. A well-structured recovery plan should encompass incident detection and outline key steps to contain the threat and mitigate damage.

Google’s Dark Web Monitoring Tool Shutdown

In related news, Google is set to discontinue its dark web monitoring tool, the Dark Web Report, which was designed to scan the dark web for exposed personal information. The cessation of scans for new breaches will occur on January 15, 2026, with the report being completely unavailable by February 16, 2026. Google has indicated a shift in focus towards tools that offer users clearer, actionable steps for safeguarding their online information, though no specific new cybersecurity tools have been announced at this time.

The alarming trend of insider recruitment by cybercriminals necessitates heightened vigilance from organizations. As the digital landscape continues to evolve, the threat posed by malicious insiders underscores the importance of robust cybersecurity measures and proactive risk management strategies.