
According to recent findings from Check Point Research, a disturbing trend is emerging in which state-sponsored hackers and other threat actors are actively recruiting insiders at major companies in sectors such as telecommunications, banking, and technology. These cybercriminals are offering substantial financial incentives, ranging from $3,000 to $15,000, depending on the sensitivity and value of the intelligence these insiders can provide.
The growing sophistication of these attacks is complicating efforts by security teams to detect and neutralize threats, as insiders—employees or contractors who have direct access to critical systems—are often the weak link. By offering monetary rewards and promises of cryptocurrency payments, these attackers exploit the trust and access granted to employees within the corporate environment. In return for their cooperation, insiders may provide hackers with vital credentials such as passwords, admin privileges, or access to cloud systems, user devices, and corporate networks.
The Evolving Role of Insiders in Cyberattacks
The involvement of insider threats adds a new layer of complexity to security protocols. Insiders are often positioned to bypass traditional defense systems, since they have legitimate access to the company’s internal networks. This makes it increasingly difficult for in-house incident response teams to pinpoint the source of an attack, especially when the perpetrators are working alongside trusted employees.
Another concerning aspect of this evolving threat is that, in the past few months, hackers have started to target specific companies whose data holds high value—organizations where the confidentiality of information is essential for their survival. Notable victims include cryptocurrency exchanges like Coinbase, Binance, Kraken, and Gemini. These platforms, which handle vast amounts of financial data and transactions, are high-value targets for cybercriminals. Additionally, tech giants such as Samsung, Xiaomi, and Apple have also been under fire, with hackers looking to extract sensitive intellectual property or user data.
Insider Payment Schemes: A Growing Threat
What sets this threat apart is the incentive structure. Criminal organizations are offering recurring payments to insiders—often in cryptocurrency like Bitcoin or Monero—on a weekly or monthly basis. Some insiders, particularly those working for tax offices in Russia, can receive up to $1,000 per week for their collaboration. This ongoing financial incentive creates a dangerous dynamic, where insiders may feel pressured or enticed to facilitate cybercrimes over extended periods.
If an insider hesitates or refuses to cooperate, the attackers are not discouraged. In fact, they often restart recruitment campaigns targeting other employees, using deceptive tactics to manipulate them into compromising their position. The goal is to gain access to systems or applications that hold valuable data, even if it means targeting a new recruit to replace one who has backed out.
The Dark Web: Recruitment and Payment Channels
Interestingly, much of this recruitment happens underground, primarily through darknet forums and encrypted Telegram channels. Hackers post job listings targeting employees in specific organizations, often providing detailed instructions on what they need from the recruited insider. These postings will typically specify the type of access required—whether it’s for network systems, corporate databases, or financial systems—and even the data they are interested in harvesting.
The recruiters often reassure insiders by guaranteeing a cryptocurrency-based payment system, ensuring that their actions remain untraceable and that payments are prompt. This secrecy, coupled with the lucrative rewards, makes the offer tempting for many who may already have access to critical systems.
A Long-Standing Threat: Insiders in Cybercrime
This is far from the first time that researchers have identified the growing use of insiders to aid cybercriminals. In the past, there have been numerous reports of insiders who have been recruited to disable endpoint security tools, provide VPN credentials, install malware, or even exfiltrate sensitive data to remote servers. In some cases, insiders have been instructed by North Korean hackers to steal financial assets and send them to hacker-controlled accounts. These covert operations are designed to bypass traditional security defenses by using trusted employees to carry out illicit activities from within.
The frequency and scale of such cyber espionage campaigns are alarming, as they often result in substantial financial losses, intellectual property theft, or the exposure of personal data for millions of users. The fact that attackers are willing to pay insiders to undermine the security of these high-profile companies shows how serious and far-reaching the problem has become.
The Future of Insider Threats
As the cybersecurity landscape evolves, companies must develop new strategies to detect and mitigate the risks associated with insider threats. Traditional methods of defending against external threats, such as firewalls and malware protection, are not enough on their own. Organizations must implement stronger access controls, employee training programs, and continuous monitoring to ensure that insiders are not being manipulated or coerced into aiding cybercriminals.
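As an added illustration (not from Check Point Research or the original article), the continuous monitoring described above can correlate the insider actions named earlier, such as disabling endpoint security before moving data out, or one VPN account used from two sources. The event schema, thresholds, and sample events below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; field names and values are assumptions.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "type": "vpn_login", "src_ip": "198.51.100.7"},
    {"ts": "2025-01-10T09:20:00", "user": "alice", "type": "vpn_login", "src_ip": "203.0.113.50"},
    {"ts": "2025-01-10T10:00:00", "user": "bob", "type": "edr_disabled", "host": "wks-12"},
    {"ts": "2025-01-10T10:25:00", "user": "bob", "type": "outbound_transfer",
     "host": "wks-12", "bytes": 4_000_000_000},
    # A large transfer on its own is common (backups, builds): no alert expected.
    {"ts": "2025-01-10T11:00:00", "user": "carol", "type": "outbound_transfer",
     "host": "wks-30", "bytes": 5_000_000_000},
    {"ts": "2025-01-10T12:00:00", "user": "dave", "type": "vpn_login", "src_ip": "192.0.2.9"},
]

WINDOW = timedelta(hours=1)     # correlation window (assumed)
EXFIL_BYTES = 1_000_000_000     # "large transfer" threshold (assumed)

def detect(events):
    """Return sorted (user, rule) pairs for correlated insider-risk signals."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    alerts = set()
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > WINDOW:
                    break  # events are time-ordered, later ones are further away
                # Endpoint protection turned off, then bulk data leaves the same host.
                if (a["type"] == "edr_disabled" and b["type"] == "outbound_transfer"
                        and a["host"] == b["host"] and b["bytes"] >= EXFIL_BYTES):
                    alerts.add((user, "edr_disabled_then_large_transfer"))
                # Same account on VPN from two sources: a lead for review
                # (possible shared credentials), not proof on its own.
                if a["type"] == b["type"] == "vpn_login" and a["src_ip"] != b["src_ip"]:
                    alerts.add((user, "vpn_login_from_two_sources"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"{user}: {rule}")
```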
Additionally, greater emphasis must be placed on cryptocurrency monitoring to prevent these payments from being used to fund further attacks. As cryptocurrencies remain a popular payment method for cybercriminals, tracking these transactions becomes crucial in understanding the scale of the threat.
Conclusion
The rise of insider recruitment as part of larger cyberattack schemes highlights an unsettling trend in the world of cybercrime. As hackers become more adept at exploiting the vulnerabilities of trusted employees, the task of protecting sensitive data becomes even more complex. This issue requires collaboration between organizations, governments, and cybersecurity experts to build resilient defense mechanisms that can withstand the growing threat posed by recruited insiders and state-sponsored cyberattacks.