Cyber criminals recruiting insiders at specific organizations
Dark web ads are looking for workers at crypto and social media firms
Cybercriminals are actively recruiting company insiders on the dark web, aiming to target specific organizations.
Researchers at NordStellar said they've found 25 unique dark web posts from users who are searching for employees, mainly from social media or cryptocurrency platforms.
The posters are hoping to access critical data, such as personal customer information and confidential business agreements. This can allow them to carry out ransomware attacks, sell information on business agreements to competitors, or carry out sophisticated phishing scams.
"Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers," said Vakaris Noreika, cybersecurity expert at NordStellar.
"Insiders are also familiar with the organization's internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion."
The posts are explicit about what they're after.
"I am looking for insiders/access at the following companies:
linkedin.com
Conbase.com Binance.us + Binance.com
Okx.com
- Serious individuals contact me
- Do not try to timewaste", reads one.
After contact is established, the conversation moves to another channel, such as WhatsApp.
The crypto industry has become a prime target for cyber criminals. According to the Kroll Cyber Threat Intelligence team, nearly $1.93 billion was stolen in crypto-related crimes in the first half of 2025 alone, more than during the whole of 2024.
And according to research late last year from Check Point Software, darknet ads are offering payouts from $3,000 to $15,000 for access or data from crypto exchanges, banks, and cloud providers.
Recent listings, the researchers said, sought insiders at Coinbase, Binance, Kraken, and Gemini, as well as consulting giants like Accenture and Genpact, and consumer platforms such as Spotify and Netflix.
Last year, in one significant attack, major cryptocurrency firm Coinbase was attacked by hackers who claimed to have gained access to customer information by recruiting call agents within the firm. The incident is believed to have cost the company up to $400 million.
The first sign of an insider attack is likely to be patterns of unusual behavior, said Noreika.
"Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization," he said. "Data exfiltration to external parties or devices is another major red flag to look out for."
Organizations should use data loss prevention tools and implement proper network segmentation and strong access controls.
Meanwhile, they should have an effective incident recovery plan, covering incident detection and outlining the key steps needed to contain the threat and mitigate damage - for example, removing the malicious employee's access to sensitive data and ensuring that the network connection of any external attacker who has been working with the insider has been terminated.
Finally, Noreika advised, they should monitor the dark web for information leaks or posts looking for insiders at the company.
"It can be the first warning sign that a company might be at greater risk of being exposed," he said. "After flagging such activity, it's necessary to stay on high alert and ensure that all of the precautionary measures, as well as a recovery plan, are in place."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
