Recent research from Check Point Research (CPR) shows that cyber criminals are changing how they break into companies. Instead of just trying to guess passwords or find computer glitches, they are now paying employees to help them from the inside.
According to the report, these groups are specifically recruiting “insiders” at banks, telecom, and tech firms to get direct access to private networks and customer information.
High Payouts for Sensitive Data
CPR researchers note that the rewards for these employees can be quite high; payouts for one-time access or specific files generally range between $3,000 and $15,000. However, some data is worth even more, such as a collection of 37 million records from a cryptocurrency exchange that was seen on the dark web for $25,000.
Digging deeper, researchers found that criminals are using emotional tactics to lure staff. In July, one advertisement encouraged workers to “escape the endless work cycle” by collaborating with hackers for five- or six-figure rewards. While some ads are short and factual, others frame this betrayal as a path to financial freedom.
Major Brands and Industries Targeted
It is worth noting that no sector seems to be safe, as recruitment ads have specifically named large firms like Coinbase, Binance, Kraken, and Gemini. Even major consulting companies like Accenture and Genpact, and consumer brands like Spotify and Netflix, have been mentioned.
The threat extends to physical goods and infrastructure as well. For example, insiders are being sought at Apple, Samsung, and Xiaomi, while cloud service employees are being offered up to $10,000 for access.
In the US, staff at Cox Communications have been asked to help with SIM-swapping, a trick used to bypass security codes. Even the US Federal Reserve and major European banks have been targeted by those looking for transaction histories.
The Role of Ransomware Groups
These activities are not just happening on hidden websites because ransomware groups are now using Telegram to find helpers. One group with approx. 400 members recently advertised a “ransomware portal,” inviting insiders and “access brokers” to help lock down company systems for a share of the profit.
CrowdStrike’s Insider Incident: A Prime Example of Hiring Insider Threat
A recent internal security incident at CrowdStrike backs CPR’s findings and how real the insider threat has become. In November 2025, the cybersecurity firm confirmed it had terminated an employee after detecting an unauthorised leak of internal information to an external party linked to the Scattered Lapsus Hunters network.
Stopping these attacks is difficult because, as researchers explained in the blog post, “when internal staff disable defences,” standard security is often bypassed entirely. To stay safe, experts say companies must monitor the dark web for mentions of their brand and keep a much closer eye on who has access to their most sensitive data.