The road to a successful cyberattack often leads through an organization's employees, since they already have authenticated access (perhaps to highly sensitive data), and they have intimate knowledge of the organization, its people, processes, and technology.

Sometimes, attackers use employees unwittingly, deploying social engineering to trick them into providing access. Other times, insiders knowingly partner with external attackers, selling access or data for cash. Insider threats have impacted a number of worldwide brands, one of the most noteworthy being a large healthcare firm where an employee stole data belonging to over 500,000 customers from its CRM system and attempted to sell it on the dark web. Similarly, in 2021, authorities charged an employee at a large telecom company with providing SIM swaps to threat actors for $500 apiece.

Insiders can also willingly share sensitive and proprietary data when motivated by ideological reasons. Recently, two Tesla employees leaked data about self-driving features to a German newspaper. The shared data also included personal information of over 75,000 Tesla customers.

Considering that the deep and dark web are anonymous by design, they are a fitting venue for those seeking malicious insiders. Upon investigation, we were not disappointed. This report discusses our findings and details how organizations can protect themselves from a broad variety of insider threats.

Recruiting Insiders

Similar to traditional targeted attacks by external threat actors, attacks harnessing insiders are often carried out over time, with the insider usually taking steps to hide their activity and remain undetected. They are attractive to threat actors because they have a high impact and are relatively low-cost to execute. They affect organizations of all sizes and industries because insiders are, by definition, those we normally trust.
Contract staff, IT admins, individual contributors, lawyers, academics, and senior executives, whether they are third-party contractors or current or past employees, could all play the role of a malicious insider.

There are two common groups that criminal organizations gravitate towards:

It can be very difficult to predict human behavior. It is very rare that somebody joins a company intending to become an insider. Employees can be persuaded to work on behalf of a threat actor as a result of a change in workplace culture or a change in their own personal circumstances that causes them to switch focus. While some individuals are motivated by greed, anger, or ideology, this is not always the case.

When recruiting insiders, threat actors use various tactics. They can use blackmail and coercive techniques to extort the information they need from an employee, but from our findings, the majority of insiders on the dark web are recruited with financial rewards.

In most cases, threat actors will want to keep the number of observable interactions with the insider to a minimum and obtain remote access as quickly as possible. This lowers the insider's risk of getting caught and so makes recruitment easier.

Most targeted industries

Our investigations found hundreds of posts on underground forums and Telegram during the past year in which actors sought malicious insiders across many industries and for a variety of purposes. The targets include some of the world's largest companies, such as Amazon, Meta, Walmart, Chase, PayPal, AT&T, and Verizon.

While not all postings state the desired function of the insider, the ones that do fall into the following broad categories (roughly ranked from most to least common):

This order of industries is interesting. In general, financial services are the most targeted industry on the dark web, since actors are financially motivated. However, when it comes to insider fraud, financial services are far lower down the list.
There are several reasons for this. First, bank employees have relatively higher salaries, and sanctions for fraudulent activities are far more severe, so they might be less inclined to risk termination and legal action.

Second, because the stakes of fraudulent financial transactions are higher than, for example, retail fraud, banks invest considerably in vetting employees and embedding anti-fraud measures, such as requiring multiple sign-offs on some transactions and automatically flagging suspicious activity.

By contrast, a single instance of retail or shipping fraud (such as claiming an undeserved refund on an iPhone) is usually far smaller than a fraudulent banking transaction. Therefore, companies in these sectors might not have similarly stringent measures.

Insider Threats: Telecom Industry

Telecom is the most popular industry for which underground threat actors solicit insiders. The purpose is generally clear: telecom employees can facilitate "SIM swaps," a tactic in which the attacker causes the victim's phone number to be reassigned (or ported) to a SIM card in the attacker's possession. Once the attacker controls the victim's phone number, they can carry out a number of attacks, such as intercepting one-time passwords sent via SMS or taking over accounts, including cryptocurrency wallets, that rely on the number for authentication or recovery.

Reassigning a phone number to a new SIM is a routine business procedure carried out by store employees. Thus, finding someone to execute an unauthorized swap might be relatively easy: it could involve approaching an employee, offering payment, and even presenting a fake ID so that the employee has plausible deniability.

There is a considerable quantity of underground posts discussing insiders for performing SIM swaps. The image below shows an actor seeking an insider at a Verizon store to perform SIM swaps.

Telegram is the most popular venue for actors seeking telecom insiders, also referred to as "innys."
In the examples below, threat actors seek SIM swaps through insiders at organizations including T-Mobile, AT&T, Metro, and Verizon.

Occasionally, the post's author will even state how much they will pay for swaps, such as the author below, who offers $1,200 apiece.

This actor, who charges $2,000 per swap, offers proof of working with an insider, including a screenshot of AT&T's employee portal and DMs with the insider.

In addition to SIM swapping, underground actors also seek telecom insiders for credentials, customer data, and general information. In the images below, you will first see an actor on an underground forum seeking Vodafone insiders to provide customer data. Then, an actor seeks telecom insiders in Russia, Ukraine, Kazakhstan, Belarus, and Uzbekistan. This is followed by an actor seeking a Claro Colombia employee to answer some questions.

Sometimes we find insiders reaching out themselves. For example, this self-described "disgruntled telecom employee" is offering to sell information regarding eSIMs, which they claim will enable porting numbers with nothing more than running "a script in the cloud."

Insider Threats: Retail Sector

Underground threat actors typically seek retail insiders to receive goods for free. One common scheme in which they involve insiders is refund fraud, also known as refunding, in which an actor claims undeserved refunds for a product.

There are many techniques to carry out this type of attack, including reporting that an empty box or damaged item arrived, or returning an empty box. However, most methods require convincing an employee to accept the story; it is easier to carry out a fake return if the employee is already a willing accomplice.

Some threat actors state quite plainly that they are seeking insiders for refund scams.
In the examples below, one actor offers $5,000 for an insider responsible for returns at Walmart or any other retailer, while another offers an undisclosed sum to insiders who work with them.

Other actors are not as explicit about wanting an insider to assist with refund scams. For example, the actor in the post below sought an Amazon insider, preferably a customer support supervisor. Someone in this role would be able to authorize returns.

Threat actors also recruit insiders in e-commerce. For example, this actor seeks eBay insiders who can unblock suspended accounts.

Another actor persistently sought insiders at lego.com to provide information about orders, posting eight times in two months.

However, in many postings there are few, if any, clues about why an insider is requested, though we may presume that the request is related to theft. One actor seeks an Amazon warehouse worker; another seeks an Amazon India employee who can assist with bulk orders; and another seeks associates at a long and varied list of companies to help with "customer lookups," that is, to provide sensitive and confidential customer data.

Insider Threats: Shipping and logistics

Underground threat actors recruit insiders in shipping and logistics primarily to execute fraudulent tracking scans. In the example below, an actor seeks an insider at UPS and other couriers to perform scans.

Insider scans are another technique used in refund scams. In this scheme, an actor requests to return an item to an e-commerce store. An accomplice in the shipping company scans the shipping label, confirming to the retailer that the item is in transit. The retailer issues a refund but never receives the package. Fraudsters can also use insider scans and courier insiders to simply "ship" a package that disappears, allowing them to claim insurance for their losses.

The examples below show how malicious actors go about performing these scams.
In one image, an actor seeks insider scans at UPS, DHL, and other carriers to assist with refund scams; in the following one, an actor looks for employees at UPS, FedEx, USPS, or other couriers.

Many posts recruiting courier insiders, such as the example below, offer "big money" to malicious employees.

Others offer insider scans as a service, such as the post below, which charges $60 per scan at FedEx, UPS, Royal Mail, and other couriers.

Insider Threats: Social media

Threat actors target insiders at social media companies to ban or unban accounts and to access user data. The examples below show how one actor on Telegram claimed to be "paying good" for someone at Instagram or X (formerly Twitter), and another offered "$$$$$$" for someone at Snapchat.

If the post specifies the function of the desired insider, it generally has to do with banning, unbanning, or verifying accounts. In addition to this, actors also seek social media employees to provide a user's personal information.

Insider Threats: Financial services

An insider at a bank or other financial services company might be the necessary link to execute a large fraudulent scheme. Underground actors use insiders at banks to approve payments and money transfers, enabling fraudsters to move and launder money. In the next example, an actor claims to have insiders at Metro, Santander, and Barclays who can approve payments of up to £90,000-£200,000 (depending on the bank). The actor notes that these payments appear legitimate and do not "burn" (get flagged and frozen) the account.

In this next example, an actor claims to have a Bank of America insider onboard. The actor is seeking account and routing information, as well as mobile phone numbers, in order to carry out their scheme.

Insiders also allegedly assist with "loading," an activity involving moving money to an account in the actor's control.

Similarly, actors seek to use insiders for money conversions.
The example below is from an actor expecting to receive $10,000-$30,000 each day from a "project" who seeks a PayPal employee to convert it into cryptocurrency.

Actors also seek bank insiders with access to the bank's payment switch application server, the system that routes and authorizes card and ATM transactions.

In this next post, the actor even notes that they seek to deploy the FASTCASH malware. FASTCASH is installed on a bank's payment switch application server, where it intercepts and fraudulently approves ATM withdrawal requests so that cash-out crews can empty ATMs; it was originally attributed to Hidden Cobra, a North Korean advanced persistent threat (APT). Whether these posts' authors have any connection to the group is uncertain; however, if they succeed in gaining access to the switch application server, they stand to generate very significant cash payouts.

Insider Threats: Government and military

Moving from cybercrime to espionage, we discovered several posts in which actors solicited governmental or government-affiliated insiders to provide information. This includes individuals, like in the image below, who can provide national citizen databases to assist in doxing.

An actor seeking an insider in the French government to provide citizen data.

Other posts seek individuals who can provide classified information. For example, this next post appeared several times across several forums and Telegram, from a self-described "intelligence analysis corporation" offering $1,000-$2,000 as a finder's fee for someone who can connect them with an insider at a US military contractor.

Finally, we also discovered the post below, in which an individual purported to sell sixteen sets of classified government data, including proprietary data belonging to defense manufacturers such as Raytheon and Elbit. The post also lists a secret document about a confidential Five Eyes military exercise for $300, noting that it was obtained by an insider.

We must emphasize that posts soliciting insiders to provide classified information are rare.
The penalties for such activities are severe, and most of the dark web's users are financially motivated. Even so, it is not unheard of for an insider to leak classified information on the deep and dark web; most recently, a Massachusetts National Guardsman was charged with posting classified documents on a Discord server.

Defending Against Insider Threats

Employees can pose a unique type of threat to an organization. Most employees are not malicious, and they ought to be trusted with access to the data and systems needed to perform their tasks. However, those who are lured by a variety of methods into using their positions to assist criminal enterprises can cause significant financial and reputational damage to their employers.

According to the 2023 Verizon Data Breach Investigations Report, internal actors were involved in about 19% of the breaches analyzed. While there is no way of knowing for sure how many of these attacks originated from a partnership forged on the deep and dark web, there are several practices that companies can adopt to protect themselves.

A rogue employee can severely impact a business's operations, finances, network security, and brand. They are far more than just an "IT problem" or even a "security team problem." A proper organizational defense requires coordination between technical and non-technical players, from the SOC to HR, in order to keep the company secure.

Organizations must identify which of their employees are in roles that might be targeted for recruitment by cybercriminals, and enforce stringent monitoring and controls to neutralize any threats from inside the building.
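As an added example (not code from the original report), the Python script below shows the kind of automated flagging and dual-control check that the telecom section and the defense section above call for. It runs over constructed SIM-change audit records and flags store employees whose daily SIM-change volume is far above their peers, who overrode the customer identity check, who activated a SIM or eSIM profile not issued from store stock, or who performed changes outside trading hours; it also lists which changes should be held until a second, distinct employee approves them. The log format, field names, trading hours, rule names and thresholds are all assumptions made for the example.

```python
"""Flag suspicious SIM-change activity by store employees.

Added example, not code from the original report. It assumes a hypothetical
carrier audit log with one whitespace-separated record per SIM change:
    timestamp employee store customer id_check sim_source
where id_check is "pass" or "override" (the employee bypassed identity
verification) and sim_source is "store_stock" (a SIM from the store's own
inventory) or "external" (a SIM or eSIM profile not issued by that store).
"""
from collections import defaultdict
from datetime import datetime, time
import statistics

# Constructed sample records for one day (not real carrier data).
SAMPLE_LOG = """\
2023-09-04T10:02:11 alice STORE-17 C1001 pass store_stock
2023-09-04T11:40:55 alice STORE-17 C1002 pass store_stock
2023-09-04T09:15:03 bob STORE-17 C1003 pass store_stock
2023-09-04T12:30:10 bob STORE-17 C1004 pass store_stock
2023-09-04T13:05:44 carol STORE-22 C1005 pass store_stock
2023-09-04T09:58:20 dave STORE-22 C1006 override external
2023-09-04T10:12:01 dave STORE-22 C1007 pass external
2023-09-04T10:25:37 dave STORE-22 C1008 override external
2023-09-04T10:44:09 dave STORE-22 C1009 pass external
2023-09-04T11:03:17 dave STORE-22 C1010 pass store_stock
2023-09-04T11:19:48 dave STORE-22 C1011 pass external
2023-09-04T22:31:50 dave STORE-22 C1012 pass external
"""

STORE_OPEN, STORE_CLOSE = time(9, 0), time(21, 0)  # assumed trading hours
MIN_SWAPS_FOR_VOLUME_RULE = 4  # never call a handful of changes "high volume"
PEER_MULTIPLIER = 3            # flag counts above 3x the median peer's count


def parse_log(text):
    """Parse the audit text into a list of dicts, one per SIM change."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, store, customer, id_check, sim_source = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "employee": employee,
            "store": store,
            "customer": customer,
            "id_check": id_check,
            "sim_source": sim_source,
        })
    return records


def detect(records):
    """Return {employee: [rule, ...]} for every employee that trips a rule.

    Per-record rules: identity check overridden, SIM not from store stock,
    change performed outside trading hours. Aggregate rule: an employee's
    daily SIM-change count far above the median of their peers.
    """
    alerts = defaultdict(set)
    counts = defaultdict(int)
    for r in records:
        counts[r["employee"]] += 1
        if r["id_check"] == "override":
            alerts[r["employee"]].add("id_override")
        if r["sim_source"] != "store_stock":
            alerts[r["employee"]].add("external_sim")
        if not STORE_OPEN <= r["ts"].time() <= STORE_CLOSE:
            alerts[r["employee"]].add("off_hours")
    if counts:
        median = statistics.median(counts.values())
        for employee, n in counts.items():
            if n >= MIN_SWAPS_FOR_VOLUME_RULE and n > PEER_MULTIPLIER * median:
                alerts[employee].add("volume")
    return {e: sorted(rules) for e, rules in alerts.items()}


def hold_for_second_approval(records):
    """Preventive counterpart to detect(): customers whose SIM change should
    not complete until a second, distinct employee approves it (dual control),
    because the identity check was overridden or the SIM is not store stock."""
    return sorted(
        r["customer"] for r in records
        if r["id_check"] == "override" or r["sim_source"] != "store_stock"
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for employee, rules in detect(recs).items():
        print(f"{employee}: {', '.join(rules)}")
    print("held for second approval:", hold_for_second_approval(recs))
```

The volume rule compares each employee against the median of their peers on the same day rather than against a fixed number, so a busy store does not generate alerts on its own; the per-record rules fire on the single events that an insider performing swaps for a buyer is most likely to need (skipping the ID check, provisioning a SIM the buyer already holds, working after hours). In practice the held changes would be routed to a supervisor at a different store, since an accomplice in the same store defeats dual control.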