Cybercriminals Target Business Insiders for Recruitment on Dark Web

Cybercriminals are increasingly seeking to recruit insiders from various organizations using the dark web. This recruitment often occurs through targeted postings and private messages, including platforms like LinkedIn. By enlisting these malicious insiders, cybercriminals gain direct access to sensitive company resources, which can lead to the theft of confidential data or the facilitation of cyberattacks.

Research conducted by cybersecurity firm NordStellar has revealed numerous dark web posts where users claim to be searching for employees from specific companies. Over the past year, a notable portion of these posts has focused on insiders employed by social media and cryptocurrency platforms. Real-world incidents illustrate the tangible risks associated with these threats. For instance, in 2025, Coinbase, a major cryptocurrency exchange, reported that cybercriminals had bribed employees to leak sensitive user information.

According to Vakaris Noreika, a cybersecurity expert at NordStellar, some cybercriminals actively recruit malicious employees through dark web postings, while others employ more discreet methods. In the last 12 months, NordStellar identified 25 unique dark web postings specifically seeking insiders.

Understanding the Insider Threat

Insider threats represent a complex challenge for organizations. Employees can inadvertently or intentionally grant cybercriminals access to critical data, including personal customer information and confidential business agreements. Noreika notes that this data can be exploited for various malicious activities, such as deploying ransomware attacks, selling intelligence on business agreements to competitors, or executing sophisticated phishing scams on unsuspecting victims.

Identifying insider threats can be particularly difficult. Employees, as trusted members of their organizations, typically possess legitimate access to company resources. This trust complicates the detection of any anomalies in their behavior. Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers. Noreika emphasizes that insiders are often familiar with their organization’s internal security policies and vulnerabilities, allowing them to adjust their actions to evade suspicion.

Recruitment Strategies and Preventive Measures

Noreika highlights that while some cybercriminals are actively searching for insiders on the dark web, the recruitment process often occurs in private. Bad actors typically target specific employees with technical expertise or access to sensitive information.

To safeguard against insider threats, Noreika advises businesses to establish high observability into system and data usage. Such a strategy serves as a foundation for a robust cybersecurity approach. Any unexpected behavior or access patterns should be promptly flagged, thoroughly examined, and reported.

“Patterns of unusual behavior are the first indicators that a user might be an insider,” Noreika states. “Security teams should closely monitor employees who frequently access sensitive information and verify that they have the appropriate authorization. Data exfiltration to external parties or devices is another significant red flag.”

In addition to monitoring access patterns, Noreika emphasizes the importance of having an incident recovery plan in place. Such a plan is essential for minimizing the fallout from a cyberattack attributed to insider threats. It should cover incident detection and outline the critical steps that an organization must take to contain the threat and mitigate damage.

In related news, Google has announced plans to discontinue its dark web monitoring tool, known as the Dark Web Report. This tool was designed to scan the dark web for users’ exposed personal information. The shutdown is scheduled as follows: on January 15, 2026, the scans for new dark web breaches will cease, and by February 16, 2026, the Dark Web Report will no longer be available, with all associated data slated for deletion. The company has indicated a shift in focus towards tools that provide customers with clearer, actionable steps for online protection. However, no specific announcements regarding new cybersecurity tools have been made to date.

As cybercriminals continue to refine their recruitment strategies on the dark web, organizations must remain vigilant and proactive in their cybersecurity measures to protect against insider threats.