Guest Post – Malicious employees for hire: How dark web criminals recruit insiders
Cybercriminals can use malicious insiders as a direct means to access sensitive company resources, stealing confidential data or using the access to deploy a devastating cyberattack. Experts from NordStellar, a threat exposure management platform, have discovered that dark web actors are actively seeking insiders from specific organizations to recruit for their operations.
Researchers at NordStellar found 25 unique dark web posts from users who claim that they are searching for employees from specific organizations over the past year. A significant part of these posts focuses explicitly on insiders who work for social media or cryptocurrency platforms.
Real-world incidents show how these threats translate into actual breaches: in 2025, the cryptocurrency exchange platform Coinbase revealed that cybercriminals had bribed its employees to leak user information.
“Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” says Vakaris Noreika, cybersecurity expert at NordStellar. “This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or to carry out sophisticated phishing scams on unsuspecting victims whose personal data they managed to get their hands on.”
According to Noreika, insider threats can be challenging to spot and, therefore, may go undetected by security teams for a significant amount of time. Employees are trusted members of the organization and have legitimate access to company resources. Consequently, it can be challenging to pinpoint any anomalies in their behavior.
“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” says Noreika. “Insiders are also familiar with the organization’s internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion.”
Direct insider recruitment
Noreika emphasizes that although some cybercriminals are searching for insiders on the dark web, the recruitment process is usually carried out privately. Bad actors target specific employees within the organization, especially those with technical capabilities that aid in their operations or have access to highly sensitive company data.
Mantas Sabeckis, a senior threat intelligence researcher at Nord Security, home to NordStellar and other advanced cybersecurity solutions, shares that he has been contacted by cybercriminals for possible recruitment opportunities numerous times. He explains that in the past, bad actors have reached out to him on LinkedIn, most likely intrigued by his experience in cybersecurity, and notes that the process of cybercriminals recruiting insiders likely follows the same playbook.
“In my experience, after the first few messages, bad actors try to direct the communication to a different channel, such as Telegram or WhatsApp,” says Sabeckis. “One time, I was contacted by a recruitment specialist from Singapore searching for a candidate for a role in a large organization. She did not name the specific organization and asked to continue our conversation on WhatsApp, which is not an unusual request in itself, as different messaging platforms are popular in different countries.”
According to Sabeckis, after their conversation moved to WhatsApp, the recruiter started sharing more details — she explained that she was looking to recruit an individual to work for a wealthy and influential family in Singapore, without disclosing which one.
“The statement definitely raised red flags, but I was curious to hear what exactly they were looking for,” says Sabeckis. “She continued to explain that the role would be similar to a bug bounty. When asked for more details, the recruiter finally divulged that they were looking for an individual to take down websites containing very sensitive and illegal material, offering to provide compensation in cryptocurrency.”
Sabeckis explains that, by its nature, the role fell into a “gray area,” which is a common tactic used by bad actors to recruit individuals. After the recruited individuals have their foot in the door, the tasks eventually become more demanding. Evidence of the individuals completing the tasks is later used as leverage to blackmail the person into carrying out illegal activity or risk being compromised.
Safeguarding against insider threats
Noreika emphasizes that high observability into system and data usage is the foundation of an insider threat-resistant cybersecurity strategy. He explains that any unexpected system behavior or access patterns must be flagged, reported, and thoroughly examined.
“Patterns of unusual behavior are the first indicator that the user might be an insider,” says Noreika. “Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization. Data exfiltration to external parties or devices is another major red flag to look out for.”
He explains that data loss prevention tools are essential for reducing the possibility of data theft and transfer from within. Proper network segmentation and strong access controls that prevent privilege drift (the gradual accumulation of access rights beyond what a role needs) are other necessary measures to stop both insiders and attackers who have already infiltrated the network from acquiring sensitive data.
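As an added illustration of the checks Noreika describes (this is not NordStellar's code; the authorization matrix and audit log lines are constructed), the script below runs four defender-side checks over an access log: sensitive reads without an entitlement, copies to external destinations, access frequency above a baseline, and privilege drift, meaning entitlements that have not been exercised within a review window.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed authorization matrix (hypothetical): user -> sensitive datasets they may read.
AUTHORIZED = {
    "alice": {"customer_pii"},
    "bob": {"customer_pii", "contracts"},
    "carol": {"contracts"},
}

# Constructed audit log lines: "<ISO time> <user> <dataset> <destination>".
# Any destination other than "internal" means the data left the managed environment.
LOG = """
2026-01-05T09:01:00 alice customer_pii internal
2026-01-05T09:05:00 carol customer_pii internal
2026-01-05T09:10:00 bob customer_pii internal
2026-01-05T09:11:00 bob customer_pii internal
2026-01-05T09:12:00 bob customer_pii internal
2026-01-05T09:13:00 bob customer_pii internal
2026-01-05T09:14:00 bob customer_pii internal
2026-01-05T09:15:00 bob customer_pii usb:E
2026-01-05T09:30:00 alice customer_pii internal
""".strip().splitlines()

def parse(lines):
    """Turn raw log lines into event dicts with a real timestamp."""
    events = []
    for line in lines:
        ts, user, dataset, dest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "dataset": dataset, "dest": dest})
    return events

def unauthorized_access(events, authorized=AUTHORIZED):
    """Sensitive reads by users who hold no entitlement for that dataset."""
    return sorted({(e["user"], e["dataset"]) for e in events if e["dataset"] not in authorized.get(e["user"], set())})

def external_transfers(events):
    """Copies to a destination outside the managed environment (removable media, external parties)."""
    return [(e["user"], e["dataset"], e["dest"]) for e in events if e["dest"] != "internal"]

def high_frequency_users(events, baseline_per_hour=2, factor=2):
    """Users whose hourly access count exceeds factor x a constructed baseline."""
    counts = Counter((e["user"], e["ts"].replace(minute=0, second=0)) for e in events)
    return sorted({user for (user, _), n in counts.items() if n > baseline_per_hour * factor})

def privilege_drift(events, authorized=AUTHORIZED, now=None, days=90):
    """Entitlements not exercised inside the review window: candidates for removal."""
    now = now or max(e["ts"] for e in events)
    used = {(e["user"], e["dataset"]) for e in events if now - e["ts"] <= timedelta(days=days)}
    return sorted((u, d) for u, ds in authorized.items() for d in ds if (u, d) not in used)
```

Each function returns the findings rather than printing them, so the same checks can feed an alerting pipeline or a periodic access review.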
“Dark web monitoring for information leaks or posts looking for insiders at the company is also crucial,” says Noreika. “It can be the first warning sign that a company might be at greater risk of being exposed. After flagging such activity, it’s necessary to stay on high alert and ensure that all of the precautionary measures, as well as a recovery plan, are in place.”
According to Noreika, an incident recovery plan is an essential requirement for minimizing the fallout of a cyberattack caused by insider threats. An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat and mitigate damage.
These steps may include revoking the malicious employee’s access to sensitive data and ensuring that the network connection of any external attacker working with the insider has been terminated.
ABOUT NORDSTELLAR
NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. It includes solutions like dark web and data breach monitoring, helping to prevent account takeovers, session hijacking, and other threats. NordStellar was created by Nord Security, a globally recognized company behind one of the world’s most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.
This entry was posted on January 6, 2026 at 9:26 am and is filed under Commentary with tags NordStellar. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.