Cybercriminals Recruit Business Insiders on the Dark Web

Editorial

Cybercriminals are increasingly targeting business insiders as a means to infiltrate organizations and access sensitive data. Researchers at NordStellar have uncovered a concerning trend: posts on the dark web explicitly seeking employees from specific companies, particularly in the social media and cryptocurrency sectors. This shift highlights a growing strategy among cybercriminals to exploit trusted insiders for malicious purposes.

Over the past year, NordStellar identified 25 unique dark web posts where users claimed to be on the lookout for employees willing to assist in cyberattacks. The recruitment methods range from public postings to private communications on platforms like LinkedIn, demonstrating a calculated effort to target individuals within organizations with access to critical information.

The implications of these insider threats are significant. In a notable case, the cryptocurrency exchange Coinbase reported in 2025 that criminals bribed employees to leak user data, underscoring the real-world consequences of such recruitment tactics. Vakaris Noreika, a cybersecurity expert at NordStellar, indicated that while some cybercriminals are overt in their recruitment efforts, many operate discreetly, focusing on specific employees known for their technical skills or access to sensitive resources.

Insider threats represent a unique challenge in cybersecurity. Employees inherently possess legitimate access to company systems, making it difficult for security teams to detect suspicious behavior. Noreika noted, “Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers.” Their familiarity with internal protocols allows malicious insiders to evade detection, making them particularly dangerous.

Recognizing the signs of insider threats is crucial. Noreika emphasizes the need for organizations to maintain high observability of system and data usage. “Patterns of unusual behavior are the first indicator that the user might be an insider,” he explained. Security teams should monitor access to sensitive information and investigate any unauthorized data exfiltration to external devices.
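
One way to turn the monitoring advice above into a check, shown as an added example that is not from NordStellar or the original article: each user's access to sensitive data is compared with that user's own earlier history, and any copy of sensitive data to a removable device is flagged. The event format, the paths, the `SENSITIVE` prefixes and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample audit events (not real logs): (day, user, action, resource)
EVENTS = [
    (1, "alice", "read", "/finance/q1.xlsx"),
    (1, "bob", "read", "/wiki/onboarding.md"),
    (2, "alice", "read", "/finance/q2.xlsx"),
    (2, "bob", "read", "/eng/design.md"),
    (3, "alice", "read", "/finance/q1.xlsx"),
    (3, "alice", "copy_to_removable", "/wiki/onboarding.md"),
    (3, "bob", "read", "/customers/export_a.csv"),
    (3, "bob", "read", "/customers/export_b.csv"),
    (3, "bob", "read", "/customers/export_c.csv"),
    (3, "bob", "copy_to_removable", "/customers/export_a.csv"),
]
SENSITIVE = ("/finance/", "/customers/")  # assumed data classification


def is_sensitive(resource):
    return resource.startswith(SENSITIVE)


def find_anomalies(events, baseline_end_day, new_resource_limit=2):
    """Flag activity that departs from a user's own baseline of sensitive access."""
    baseline = defaultdict(set)    # user -> sensitive resources seen in baseline
    new_access = defaultdict(set)  # (user, day) -> sensitive resources never seen before
    alerts = []
    for day, user, action, resource in sorted(events):
        if not is_sensitive(resource):
            continue  # only sensitive data is in scope for this check
        if action == "copy_to_removable":
            # Sensitive data leaving for an external device is always reviewed,
            # even though the user had legitimate access to read it.
            alerts.append((day, user, "sensitive_copy_to_removable", resource))
        elif day <= baseline_end_day:
            baseline[user].add(resource)
        elif resource not in baseline[user]:
            new_access[(user, day)].add(resource)
    # A burst of sensitive resources the user never touched before is unusual
    # behavior even when every single access was authorized.
    for (user, day), resources in sorted(new_access.items()):
        if len(resources) > new_resource_limit:
            alerts.append((day, user, "unusual_sensitive_access", len(resources)))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, baseline_end_day=2):
        print(alert)
```

Alice's repeat read of a finance file she already uses and her copy of a non-sensitive wiki page raise nothing, which keeps the alert volume tied to deviations, not to access as such.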

To mitigate the risks posed by insider threats, Noreika advises that companies implement a robust incident recovery plan. This plan should encompass incident detection and outline steps to contain threats and minimize damage.

In a related cybersecurity development, Google announced plans to discontinue its dark web monitoring tool, the Dark Web Report. As of January 15, 2026, the tool will cease scanning for exposed personal information, with the report’s availability ending on February 16, 2026. While Google aims to refocus on tools that offer actionable cybersecurity steps, no new initiatives have been announced to date.

The evolving landscape of cybercrime requires organizations to be vigilant in safeguarding against insider threats. As cybercriminals continue to exploit weaknesses within companies, understanding their tactics and implementing proactive measures can help mitigate potential breaches.
