
Cyber criminals are changing their tactics by recruiting insiders within organizations instead of relying on traditional attack methods like brute force or social engineering.
Recent findings show that employees in banks, telecom companies, and technology firms are being approached through darknet forums to sell access to corporate networks, user devices, and cloud systems.
The payouts for these operations range from $3,000 to $15,000, depending on the type of access or information provided.
This growing trend creates a major security challenge for organizations, as internal staff can disable defenses, leak credentials, or provide sensitive information that makes preventing attacks much harder.
The recruitment campaigns target specific industries with high-value data. Cryptocurrency exchanges like Coinbase, Binance, Kraken, and Gemini are heavily targeted, along with major banks and tech companies, including Apple, Samsung, and Xiaomi.
One darknet listing even offered payment for access to systems at the U.S. Federal Reserve or its partner banks.
Another post sought full transaction histories from a major European bank. The financial sector remains a prime target because of the direct access to funds and customer data.
Some schemes even propose long-term arrangements, with weekly payments of $1,000 offered to insiders at Russian tax offices.
Telecommunications employees face particular attention due to their ability to enable SIM-swapping operations.
These attacks allow criminals to intercept SMS messages and bypass two-factor authentication systems.
Check Point researchers identified that rewards for telecom cooperation have reached $10,000 to $15,000.
The darknet posts often use emotional manipulation, with some ads urging employees to “escape the endless work cycle” by collaborating with attackers, promising five- to six-figure payouts.
Other messages target long-term staff with established network access, presenting insider cooperation as a quick path to financial freedom.
Technical Breakdown of Recruitment Operations
The insider recruitment operations follow a structured approach across multiple darknet platforms and encrypted channels.
Threat actors post detailed job requirements specifying the type of access needed, target organizations, and payment terms.
Most recruitment posts appear on Russian-language darknet forums, though some ransomware groups use Telegram channels with hundreds of members to advertise opportunities.
In July, researchers discovered a Telegram group with 400 members that promoted access to a ransomware portal and encouraged insiders, pentesters, and access brokers to join and profit from encrypted systems.
Payment is made exclusively in cryptocurrency to maintain anonymity, with Bitcoin and Monero being the preferred options.
Attackers typically request specific actions such as disabling endpoint protection software, providing VPN credentials, installing remote access tools, or exfiltrating databases containing customer records.
One advertisement offered a dataset of 37 million cryptocurrency exchange user records for $25,000, showing how stolen information gets monetized for targeted attacks.
