The Enemy Within: Why Hackers are Paying Your Employees $100K to Betray You
Within cybercriminal circles, interest in recruiting company insiders is surging. Rather than mounting complex external intrusions, attackers are increasingly betting on internal sources: employees willing, for a price, to grant access to corporate systems or leak sensitive information. This trend has already reached banks, cryptocurrency exchanges, telecommunications providers, and technology firms.
According to Check Point, underground forums regularly feature advertisements seeking collaboration. Some are phrased in a neutral, transactional tone; others appeal to emotion, promising escape from routine work and unusually high earnings. Compensation ranges from a few thousand dollars for a one-off favor to six-figure sums for long-term cooperation. The requests typically involve access to internal systems, password resets, database exfiltration, or other intelligence useful for launching attacks.
The financial sector remains a prime target. Dark web listings increasingly focus on employees of exchanges such as Coinbase, Binance, Kraken, and Gemini, as well as staff at major banks and tax authorities. Criminals are prepared to pay tens of thousands of dollars for transaction histories or administrative access. Precompiled datasets are also traded openly—one database containing records on 37 million users was reportedly priced at $25,000.
Technology companies are likewise under pressure. Particular value is placed on data from cloud storage platforms and customer records. Forum activity points to active solicitation of insiders at Apple, Samsung, and Xiaomi, alongside employees of telecom operators, logistics firms, and IT consultancies. A separate but persistent avenue involves SIM-swapping attacks, which depend on the cooperation of mobile carrier staff.
In some cases, the offer extends beyond a single task to ongoing remote “employment” with fixed pay. These arrangements can last weeks and involve repeated duties such as data handovers, erasing traces, or disabling security controls. Access brokers—often operating via Telegram and other closed channels—frequently mediate such deals. The same spaces are used to recruit penetration testers willing to redirect their expertise in service of ransomware groups.
Anonymity of payment further compounds the problem. Cryptocurrency allows participants to remain largely invisible to regulators, while transactions are difficult to trace. For companies, the consequences extend beyond direct financial loss to include reputational damage, disrupted operations, and heightened compliance risks.
To counter this threat, organizations must pair technical safeguards with sustained engagement of their workforce. This means raising awareness of insider risks, continuously monitoring employee activity, tightly restricting access to critical systems, and tracking underground forums for mentions of the company. Only constant vigilance and attention to detail can meaningfully reduce the dangers posed by insider-driven attacks.