Marketing Research

The Insider Threat Digital Recruitment Marketplace

by | Jan 14, 2025 | Blog, Research

Executive Summary

Nisos routinely monitors mainstream and alternative social media platforms, as well as cloud-based messaging applications and dark web forums to identify individuals and networks advertising insider access or recruiting insiders at companies. This effort revealed a rapid increase in the number of insider threat activities from 2019 to 2024.

Our findings in Q4 2024 illuminated an insider threat digital recruitment marketplace available across multiple digital realms (cloud-based messaging apps, dark web forums) in which threat actors seek insiders and offer their services for targeting companies in the telecommunications, sales and e-commerce industries.

Identifying insider threat activities prior to a leak of sensitive information is an important part of a security team’s ability to mitigate risk and is something many security teams are not staffed or equipped to handle on their own for a number of reasons. Our clients are better equipped to reduce their risk of insider threats when they are aware that threat actors are targeting them.

Insider Threat Risks and Recruitment

Nisos and other companies specializing in human risk intelligence and security research have noted a steady rise in the number of insider threat attacks over the last five years. Employees with authorized access to an organization’s systems or data perpetrate these attacks, often causing serious financial and reputational harm to their organizations. According to data from PwC, 57% of fraud is committed by company insiders or a combination of insiders and outsiders. Moreover, according to Cybersecurity Insiders’ 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year – which was an increase of five times over the amount in 2023. Insider threats pose unique challenges for organizations, as they can emerge from trusted individuals with legitimate access to sensitive systems and data. From 2019 to 2024, the number of organizations reporting insider attacks increased from 66% to 76%.

Nisos saw an equally rapid increase in the number of insider threat intelligence investigations we conducted to help protect organizations and safeguard against financial losses, reputational damage, and operational risks. As part of our investigations, Nisos frequently monitors mainstream and alternative social media platforms, as well as cloud-based messaging applications and dark web forums to identify individuals and networks advertising insider access or recruiting insiders at companies. A review of posts on cloud-based messaging applications and on dark web forums revealed numerous newly posted advertisements for insider access and recruitment pitches for insiders during Q4 of 2024 alone.

Cloud-Based Messaging Applications

Using appropriate tradecraft and following legal guidance, Nisos monitored private discussion groups and channels on cloud-based messaging applications where threat actors discussed insider threat activities. Nisos found that the discussions over the last three months focused on general insider services, recruitments for insiders at specific companies, and the ability to offer refunds at companies via insiders.

General Insider Services

Nisos identified threat actors advertising their services to connect buyers with insiders. They used the same advertisements to recruit insiders as well. These actors frequently direct users to connect on other platforms or connect via trusted middle men.

Example of an insider recruitment and services post on Telegram.
Graphic 1: Example of an insider recruitment and services post on Telegram.
Example of an insider threat advertisement on Telegram.
Graphic 2: Example of an insider threat advertisement on Telegram.

Insider Recruitment

Nisos identified threat actors requesting insider services at phone companies and at Amazon. These messages typically promise large payouts for insider access and list the types of services the threat actors are looking to access.

Example of a Telegram post requesting insider access at French mobile carriers.
Graphic 3: Example of a Telegram post requesting insider access at French mobile carriers.
Examples of Telegram posts requesting insider access at Amazon
Examples of Telegram posts requesting insider access at Amazon.
Examples of Telegram posts requesting insider access at Amazon.
Graphic 4-6: Examples of Telegram posts requesting insider access at Amazon.

Insiders for Refund Services

Nisos identified threat actors advertising insider services at companies to process refunds. These posts typically list the capabilities of the insiders and their fees for insider services.

Examples of Telegram posts advertising insider services to process refunds.
Examples of Telegram posts advertising insider services to process refunds.
Graphic 7-9: Examples of Telegram posts advertising insider services to process refunds.
To obtain the complete marketing research report, including endnotes, please click the button below.

About Nisos®

Nisos is the Managed Intelligence Company. We are a trusted digital investigations partner, specializing in unmasking threats to protect people, organizations, and their digital ecosystems in the commercial and public sectors. Our open source intelligence services help security, intelligence, legal, and trust and safety teams make critical decisions, impose real world consequences, and increase adversary costs. For more information, visit: https://nisos.com.