Cybercriminals Target Insiders on Dark Web for Company Breaches

Cybercriminals are increasingly targeting employees within organizations, seeking to exploit insider access to sensitive information. Researchers at NordStellar have identified multiple dark web recruitment posts aimed at enlisting individuals from specific companies, particularly those in social media and cryptocurrency sectors. This trend poses significant risks, as malicious insiders can facilitate data theft or assist in launching cyberattacks that disrupt business operations.

Recent findings from NordStellar reveal that over the past year, 25 distinct dark web posts have surfaced, with users actively searching for employees in high-stakes industries. One notable incident occurred in 2025, when Coinbase, a leading cryptocurrency exchange, disclosed that cybercriminals had bribed employees to leak user information. Such incidents underscore the potential for these threats to evolve into real-world breaches.

Understanding Insider Threats

Vakaris Noreika, a cybersecurity expert with NordStellar, explains how insider threats can be particularly challenging to detect. Employees often possess legitimate access to sensitive data, making it difficult for security teams to identify suspicious behavior. Unlike external threats, insiders may not trigger typical alerts associated with unauthorized access, such as unusual login attempts or large data transfers. Noreika notes that these individuals are familiar with internal security measures and can adapt their actions to evade detection.

“Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” says Noreika. He highlights that once compromised, this information can facilitate ransomware attacks, enable competitors to gain insights into business deals, or lead to sophisticated phishing scams targeting unsuspecting victims.

Recruitment and Prevention Strategies

While some cybercriminals openly recruit on the dark web, Noreika emphasizes that recruitment is often done discreetly. Malicious actors typically target specific employees, particularly those with technical expertise or access to sensitive data. This targeted approach heightens the risk of insider threats, as these individuals may be more susceptible to manipulation.

To mitigate these risks, organizations must enhance their monitoring of system and data usage. Noreika suggests that unexpected behaviors or access patterns should be flagged and thoroughly investigated. “Patterns of unusual behavior are the first indicator that the user might be an insider,” he advises. Monitoring access to sensitive information and ensuring proper authorization are essential steps in identifying potential threats.

Another critical aspect of safeguarding against insider threats is having an incident recovery plan in place. An effective strategy should outline processes for detecting incidents, containing threats, and mitigating damage. By preparing for potential breaches, organizations can minimize the fallout from cyberattacks initiated by insiders.

In related news, Google plans to discontinue its dark web monitoring tool, the Dark Web Report, which was designed to scan for users’ exposed personal information. Starting on January 15, 2026, scans for new breaches will cease, and by February 16, 2026, the report will no longer be accessible. Google has indicated a shift toward developing tools that provide clearer protective measures for online information, although specific announcements regarding new cybersecurity initiatives have yet to be made.

As cyber threats continue to evolve, the focus on insider recruitment underscores the need for organizations to remain vigilant and proactive in protecting their sensitive data from malicious actors.