Cybercriminals are actively searching for insiders from various organizations on the dark web. Their methods for enlisting malicious employees to compromise a selected company range from dark web recruitment posts to private messages on LinkedIn.
In this way, cybercriminals can use malicious insiders as a direct means to access sensitive company resources, steal confidential data, or use the access to deploy a devastating cyberattack.
Real-world examples
Over the past year, researchers at NordStellar found dark web posts from users who claim that they are searching for employees from specific organizations. A significant part of these posts focuses explicitly on insiders who work for social media or cryptocurrency platforms.
Real-world incidents highlight how these threats can translate into actual breaches. For instance, in 2025, the cryptocurrency exchange platform Coinbase revealed that cybercriminals bribed its employees to leak user information.
This is according to Vakaris Noreika, cybersecurity expert at NordStellar, who has told Digital Journal that while some cybercriminals openly recruit malicious employees through dark web posts, others are more discreet. Over the past 12 months, the NordStellar team identified 25 unique dark web posts seeking out insiders.
Insider threats take on a new dimension
“Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” says Noreika.
The expert adds: “This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or to carry out sophisticated phishing scams on unsuspecting victims whose personal data they managed to get their hands on.”
According to Noreika, insider threats can be challenging to spot and, therefore, may go undetected by security teams for a significant amount of time. Employees are trusted members of the organization and have legitimate access to company resources. Consequently, it can be challenging to pinpoint any anomalies in their behaviour.
“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” adds Noreika. “Insiders are also familiar with the organization’s internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion.”
Direct insider recruitment
Noreika emphasizes that although some cybercriminals are searching for insiders on the dark web, the recruitment process is usually carried out privately. Bad actors target specific employees within the organization, especially those who have technical capabilities that aid their operations or who have access to highly sensitive company data.
Safeguarding against insider threats
For businesses seeking to protect themselves, Noreika emphasises that high observability into system and data usage is the foundation of an insider threat-resistant cybersecurity strategy. He explains that any unexpected system behaviour or access patterns must be flagged, reported, and thoroughly examined.
“Patterns of unusual behaviour are the first indicator that the user might be an insider,” says Noreika. “Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization. Data exfiltration to external parties or devices is another major red flag to look out for.”
According to Noreika, an incident recovery plan is a significant requisite for minimizing the fallout of a cyberattack caused by insider threats. An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat and mitigate damage.
Google and the dark web – related news
Google will start shutting down its dark web monitoring tool — the Dark Web Report — which was designed to scan the dark web for users’ exposed personal information:
- January 15, 2026: The scans for new dark web breaches stop.
- February 16, 2026: The Dark Web Report is no longer available, and all data related to the report will be deleted.
Google previously stated its intention to focus on tools that provide customers with clearer, more actionable steps to protect their online information. However, no concrete announcements regarding new cybersecurity tools have been made by the company to date.
