NEWS Why Break a System When You Can Buy an Admin? Hackers Have Opened Hunting Season on Corporate Employees

ExcalibuR

The scale of the problem became clear after analyzing the resources where others' loyalty is traded.

There is a rapidly growing interest in recruiting corporate insiders within the cybercriminal community. Instead of complex external attacks, malicious actors are increasingly betting on internal sources—people willing to provide access to corporate systems or leak confidential information for money. This trend has already affected banks, cryptocurrency exchanges, telecommunications, and technology companies.

According to Check Point, advertisements offering collaboration regularly appear on shadow forums. Some are written in a neutral tone, while others attempt to appeal to emotions, promising escape from routine and high earnings. Rewards for assistance range from a few thousand dollars for a one-time service to six-figure sums for long-term cooperation. The assistance sought includes access to internal systems, password resets, database transfers, or other information useful for attacks.

The financial sector remains a key target of interest. Offers targeting employees of exchanges like Coinbase, Binance, Kraken, and Gemini, as well as workers at major banks and tax authorities, are found on the darknet. Criminals are willing to pay tens of thousands of dollars for providing transaction history or administrative access. Ready-made databases are also sold separately—one containing information on 37 million users was priced at $25,000.

Technology companies are also under fire. Particular interest is focused on information from cloud storage and customer data. Forum posts show requests targeting employees of Apple, Samsung, and Xiaomi, as well as personnel at telecom operators, logistics firms, and IT consultants. SIM-swapping attacks, which require assistance from mobile operator employees, remain a separate trend.

In some cases, ongoing remote work with fixed pay is offered instead of one-time collaboration. Such schemes can last for weeks and include tasks like transferring information, covering tracks, or disabling security systems. Sometimes, so-called access brokers operating via Telegram and other closed platforms are also involved. The same venues are used to recruit pentesters willing to use their skills in the interests of ransomware groups.

The situation is exacerbated by the anonymity of payments. Thanks to cryptocurrency, participants in such schemes can remain under the radar of regulators, and the transactions themselves are difficult to trace. For companies, this means not only direct financial losses but also risks to their reputation, disruptions to business processes, and compliance issues.

To defend against this threat, organizations need to combine technological measures with personnel management. This includes raising awareness of potential risks, regularly monitoring employee activity, restricting access to critical systems, and continuously analyzing shadow platforms for mentions of the company. Only constant vigilance and attention to detail can minimize the risks associated with insider threats.
 