Cybercriminals Target Insiders on Dark Web to Access Sensitive Data

Editorial

Cybercriminals are increasingly focusing on recruiting insiders from different organizations through the dark web. This trend includes everything from public recruitment posts to discreet messages on professional networks like LinkedIn. By enlisting individuals within a company, cybercriminals gain direct access to sensitive resources, which can lead to data theft or coordinated cyberattacks.

Research conducted by NordStellar revealed that in the past year, numerous dark web posts have surfaced from users actively seeking employees from specific companies. A significant portion of these requests targets insiders employed by social media and cryptocurrency platforms, indicating a targeted approach to recruitment.

Real-world incidents underscore the severity of these threats. In 2025, the cryptocurrency exchange platform Coinbase disclosed that cybercriminals managed to bribe employees, leading to the leakage of user information. According to Vakaris Noreika, a cybersecurity expert at NordStellar, while some malicious actors openly seek insiders on the dark web, others prefer a more covert approach. Over the last year, NordStellar identified 25 unique posts seeking insider recruits.

Understanding Insider Threats

Insider threats present a unique challenge as employees have legitimate access to critical data. This access can include personal customer information and confidential business agreements. Noreika explains, “This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or conduct sophisticated phishing scams.”

Such threats can remain undetected by security teams for extended periods. “Employees are trusted members of the organization and often possess insights into internal security policies,” Noreika notes. This familiarity can allow them to adjust their actions to avoid raising suspicion. Unlike external attackers, insiders typically do not trigger standard security alerts, such as those for unusual login attempts or data transfers.

Recruitment Strategies and Prevention

Although some cybercriminals openly seek insiders, Noreika highlights that the recruitment process often occurs in private. Bad actors specifically target employees with technical skills or access to sensitive data, making it crucial for companies to safeguard against these threats.

To mitigate risks, Noreika emphasizes the importance of maintaining high observability into system and data usage. Organizations should flag and investigate any unexpected system behavior or access patterns. “Patterns of unusual behavior are the first indicator that the user might be an insider,” he states. Security teams should monitor employees frequently accessing sensitive data and ensure they have the appropriate authorization.
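The two checks described above (whether a user is authorized for the sensitive data they touch, and whether their access volume departs from their own usual pattern) can be run over an access log as in the following added example, which is not from NordStellar or the original article. The log format, entitlement map, user names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed entitlement map: sensitive resources each user is authorized to read.
ENTITLEMENTS = {"alice": {"customer_pii"}, "bob": {"contracts"}, "carol": {"contracts"}}

def build_sample_events():
    """Constructed access log: (ISO day, user, sensitive resource) per read."""
    events = []
    for day, alice_reads in [("2025-01-01", 4), ("2025-01-02", 5),
                             ("2025-01-03", 4), ("2025-01-04", 40)]:
        events += [(day, "alice", "customer_pii")] * alice_reads
        events += [(day, "bob", "contracts")] * 2
        events.append((day, "carol", "contracts"))
    events.append(("2025-01-04", "carol", "customer_pii"))  # outside her entitlement
    return events

def review_access(events, entitlements, today, spike_factor=3, min_history_days=3):
    """Return sorted (user, finding, detail) tuples for accesses made on `today`."""
    findings = set()
    per_user_day = defaultdict(lambda: defaultdict(int))
    for day, user, resource in events:
        per_user_day[user][day] += 1
        # Check 1: access to a resource the user holds no authorization for.
        if day == today and resource not in entitlements.get(user, set()):
            findings.add((user, "unauthorized", resource))
    for user, per_day in per_user_day.items():
        # Check 2: today's volume against the user's own history. Days with no
        # access are absent from the log, so the baseline covers active days only.
        history = [n for day, n in per_day.items() if day < today]
        todays = per_day.get(today, 0)
        if len(history) < min_history_days:
            continue  # too little history to call anything unusual
        baseline = median(history)
        if todays > spike_factor * baseline:
            findings.add((user, "volume_spike", f"{todays} today vs median {baseline}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(build_sample_events(), ENTITLEMENTS, "2025-01-04"):
        print(finding)
```

A per-user baseline matters here because an authorized insider's reads all look legitimate individually; only the comparison against that user's own history, or against the entitlement map, surfaces them for investigation.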

Another critical component of a robust cybersecurity strategy is having an incident recovery plan. This plan should outline the steps for detecting incidents and include strategies to mitigate damage. According to Noreika, “An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat.”

In related news, Google has announced the discontinuation of its dark web monitoring tool, the Dark Web Report, which was designed to help users scan for exposed personal information. The service will stop scans for new dark web breaches on January 15, 2026, with the report becoming unavailable on February 16, 2026. Google has stated its intention to focus on developing tools that provide customers with clearer and more actionable steps to protect their online information, although specific new cybersecurity tools have yet to be announced.

As cybercriminals adapt their tactics to exploit insider threats, organizations must remain vigilant and proactive in their cybersecurity measures to protect sensitive information from falling into the wrong hands.
