Cybercriminals Target Company Insiders via Dark Web Tactics

Cybercriminals are increasingly turning to the dark web to recruit insiders from various organizations, exploiting vulnerabilities within companies to gain access to sensitive information. This recruitment process often involves targeted posts on dark web forums as well as discreet approaches through professional networks like LinkedIn. By enlisting malicious employees, these criminals can directly access critical company resources, facilitating data theft or even extensive cyberattacks.

In a revealing study, researchers at NordStellar analyzed dark web posts from users actively seeking employees from specific companies over the past year. A notable number of these posts focus on insiders from social media and cryptocurrency platforms, highlighting a pressing concern for organizations in these sectors. For instance, in 2025, the cryptocurrency exchange Coinbase reported that cybercriminals managed to bribe its employees, resulting in the leakage of user information.

According to Vakaris Noreika, a cybersecurity expert at NordStellar, the methods employed by cybercriminals vary widely. Some openly advertise their need for insiders on dark web platforms, while others prefer a more covert approach. Over the last year, NordStellar identified 25 unique posts that explicitly sought out insiders, underscoring the growing threat posed by insider recruitment.

The Nature of Insider Threats

Insider threats present a unique challenge for organizations. Employees often have legitimate access to sensitive data, making it difficult for security teams to identify potential threats. “Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” explains Noreika. This data can then be exploited for various malicious activities, including ransomware attacks, selling sensitive information to competitors, or executing sophisticated phishing scams.

Noreika also notes that insider threats may remain undetected for extended periods as “insiders may not trigger typical security alerts, such as unusual login attempts or data transfers.” Since these employees are already trusted members of the organization, their behavior may go unchecked, allowing them to manipulate internal security policies to avoid raising suspicion.

Strategies for Safeguarding Against Insider Threats

To mitigate the risks associated with insider threats, organizations must adopt a proactive cybersecurity strategy that emphasizes high observability of system and data usage. Noreika emphasizes that any unexpected system behavior or access patterns should be flagged and thoroughly examined. “Patterns of unusual behavior are the first indicator that the user might be an insider,” he states. Security teams should closely monitor employees who frequently access sensitive information, ensuring that they possess the proper authorization.

Data exfiltration to external parties or devices also serves as a significant red flag. According to Noreika, having a well-defined incident recovery plan is essential for minimizing the impact of a cyberattack driven by insider threats. Such a plan should outline the necessary steps for incident detection, containment, and damage mitigation.

In related news, Google plans to discontinue its dark web monitoring tool, the Dark Web Report, which was designed to scan for exposed personal information. The shutdown will begin on January 15, 2026, when scans for new dark web breaches will cease, followed by the complete removal of the report and all associated data on February 16, 2026. Google has indicated a shift in focus towards tools that provide clearer, actionable steps for customers to protect their online information, although no specific new cybersecurity tools have been announced.

As cybercriminals continue to evolve their tactics, organizations must remain vigilant in their efforts to safeguard against insider threats. By implementing comprehensive monitoring systems and maintaining a proactive approach, businesses can better protect themselves from these insidious attacks.