Monday, December 22, 2025

CRIMINAL CAPITALI$M

Considerable amounts of dark web material originate from business insiders

By Dr. Tim Sandle
SCIENCE EDITOR
DIGITAL JOURNAL
December 16, 2025


A trove of documents from I-Soon, a private contractor that competed for Chinese government contracts, shows that its hackers compromised more than a dozen governments, according to cybersecurity firms SentinelLabs and Malwarebytes - Copyright AFP/File Daniel LEAL

Bad actors claim to be collaborating with insiders from companies that are household names, such as Facebook, Instagram, and Amazon, to unban accounts or leak confidential information about specific users, including their names, IP addresses, physical locations, emails, and phone numbers, for as little as $500.

This is according to findings from NordStellar, a threat exposure management platform, which reveal that cybercriminals are selling insider data-backed services on the dark web.

One source of this information is malicious employees, also known as insider threats. Such individuals can cause significant harm to businesses by leaking or selling sensitive data, altering systems, or collaborating with cybercriminals to launch large-scale cyberattacks.

Loss of sensitive user information

The research has found 35 dark web posts claiming to sell services based on insider data so far this year. Some of the services for sale on the dark web claim to have direct connections to insiders from such well-known companies as Facebook, Instagram, and Amazon.

“The majority of the posts offer various look-up services, exposing sensitive user information, such as IP addresses, full names, email addresses, phone numbers, and even physical addresses,” says Vakaris Noreika, a cybersecurity expert at NordStellar, to Digital Journal. “Aside from violating the user’s privacy, this information can be used to launch highly targeted phishing scams or to commit fraud — or even identity theft.”

The posts reveal that look-up services can start at $500, offering the user’s phone number and linked email address. Advanced packages, which contain even more sensitive user information, such as IP addresses, physical addresses, date of birth, and other confidential details, can be purchased for $1,000 or more.

“Other popular services include account recovery and unbanning. The former can be especially damaging to the brand because users are often banned for violating the company’s policies or engaging in fraudulent activity,” adds Noreika. “As a result, individuals who have been using the company’s services for scams can continue to do so, acquiring more victims and damaging the brand’s reputation in the process.”


Sounding the alert about malicious activity

Noreika explains that insider threats are complex, and to safeguard against malicious employees, companies must have a comprehensive cybersecurity strategy in place. He emphasizes high observability and behavioural analysis as the two main pillars for resilience.

“The first key step is to ensure high observability into user actions — once security teams achieve visibility, they can look for anomalies in employee behaviour, triggering the first alarms about potential malicious activity,” Noreika clarifies. “Security teams should assess whether there are any potentially dangerous patterns in activity, for example, if a user is accessing sensitive information without justification or if there are any signs of them exfiltrating that information to external sources, like their own personal devices, accounts, or third parties.”

He underscores the importance of proper network segmentation and, more generally, of the principle of least privilege, so that users cannot reach sensitive information that isn’t necessary for their work. According to Noreika, data loss prevention tools are also required to stop employees from sharing and downloading unauthorized files.
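The two preceding paragraphs describe the defensive pattern: collect user activity, then flag sensitive access that has no justification, access that falls outside what a role needs (least privilege), and movement of that data to external destinations. The following added example, written for this page and not code from NordStellar or Digital Journal, runs those three checks over a handful of constructed access-log lines. The log format, the role-to-data-class mapping, the external-destination labels and the thresholds are all hypothetical assumptions; a real deployment would draw them from the organisation's own audit logs and access model.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article). Each line records
# who touched what, how sensitive it was, whether a support ticket justified the
# access, and where the data went. The format itself is an assumption.
SAMPLE_LOGS = [
    "2025-12-16T09:02:11Z user=alice action=read resource=crm/customer_pii class=sensitive ticket=SUP-4410 dest=internal",
    "2025-12-16T09:05:40Z user=alice action=read resource=crm/customer_pii class=sensitive ticket=SUP-4411 dest=internal",
    "2025-12-16T11:14:02Z user=bob action=read resource=crm/customer_pii class=sensitive ticket=- dest=internal",
    "2025-12-16T11:15:19Z user=bob action=export resource=crm/customer_pii class=sensitive ticket=- dest=personal-webmail",
    "2025-12-16T12:30:00Z user=carol action=read resource=wiki/lunch_menu class=public ticket=- dest=internal",
    "2025-12-16T13:45:12Z user=bob action=export resource=crm/customer_pii class=sensitive ticket=- dest=usb-drive",
    "malformed line that a real pipeline would route to a parse-error queue",
]

# Hypothetical role model: the data classes each account's job actually needs.
# Under least privilege, bob's role should never reach class=sensitive at all.
ROLE_ALLOWED = {
    "alice": {"public", "sensitive"},  # support agent handling customer tickets
    "bob": {"public"},                 # marketing role, no customer PII in scope
    "carol": {"public"},
}

# Destinations treated as outside the company boundary (hypothetical labels).
EXTERNAL_DESTS = {"personal-webmail", "usb-drive", "personal-cloud"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) class=(?P<cls>\S+) ticket=(?P<ticket>\S+) dest=(?P<dest>\S+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, role_allowed=ROLE_ALLOWED, external=EXTERNAL_DESTS):
    """Apply three behavioural checks to every parsable line and return findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsable input is skipped rather than silently trusted
        if ev["cls"] != "sensitive":
            continue  # public material raises none of these alarms
        user = ev["user"]
        # Least-privilege violation: the role was never meant to see this class.
        if ev["cls"] not in role_allowed.get(user, set()):
            findings.append({"user": user, "rule": "OUT_OF_ROLE_ACCESS", "detail": ev["resource"], "ts": ev["ts"]})
        # Access without a business justification (no ticket reference).
        if ev["ticket"] == "-":
            findings.append({"user": user, "rule": "NO_JUSTIFICATION", "detail": ev["resource"], "ts": ev["ts"]})
        # Sensitive data leaving the boundary: personal accounts, removable media.
        if ev["dest"] in external:
            findings.append({"user": user, "rule": "EXFIL_TO_EXTERNAL", "detail": ev["dest"], "ts": ev["ts"]})
    return findings


def summarize(findings):
    """Count findings per user and rule; returns plain nested dicts."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["user"]][f["rule"]] += 1
    return {u: dict(r) for u, r in counts.items()}


def escalate(summary, min_rules=2):
    """Users who trip at least `min_rules` distinct rules, most findings first."""
    return sorted(
        (u for u, rules in summary.items() if len(rules) >= min_rules),
        key=lambda u: -sum(summary[u].values()),
    )


if __name__ == "__main__":
    summary = summarize(triage(SAMPLE_LOGS))
    for user in escalate(summary):
        print(f"escalate {user}: {summary[user]}")
```

On the constructed input, alice's sensitive reads are in role, ticketed and internal, so she produces no findings; bob trips all three rules and is the only account escalated. Requiring more than one distinct rule before escalation is a deliberate choice: a single unticketed read is routine noise, while out-of-role access combined with an export to personal media is the pattern the article describes.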

Monitoring the dark web for posts mentioning the company, especially those claiming to sell services fuelled by insider data, should be prioritised. To effectively mitigate the damage inflicted by malicious insiders, Noreika advises companies to prepare an incident response plan in advance. The plan should outline the detection and investigation process, as well as the steps for containing the threat, eradicating the user’s access to company data and recovering systems if attackers compromise them in the process.
