Merger and acquisition (M&A) engagements can give rise to certain cyber threats and business risks for all parties involved. For the acquirer, extensive due diligence remains the most essential component of any M&A transaction, especially when it comes to assessing the target company’s IT security posture and the extent to which it contributes to overall risk. Buyers and sellers alike may face additional risks during M&A engagements due to an increased attack surface upon which proprietary information may be more susceptible to compromise.

Flashpoint recognizes the complex challenges companies may face during M&A engagements, which is why we’re honored to have helped many leading organizations proactively mitigate these risks. Our visibility into online illicit communities and expertise on the threat landscape enable us to help organizations foster M&A integrity by addressing the following challenges:


Information pertaining to M&A engagements has long appealed to cybercriminals interested in insider trading. Previously, cybercriminals in search of this information would directly target suspected buyers or sellers involved in M&A engagements. But, as security measures across many sectors increased, cybercriminals quickly identified another target through which they could obtain this valuable information: M&A law firms. Flashpoint’s visibility into illicit communities helps law firms and their clients alike proactively address these threats.

In one situation, Flashpoint observed an actor on an elite Russian underground forum seeking “hackers-for-hire” to harvest corporate information. Flashpoint continued to track this actor, who soon revealed complex phishing, insider trading, and money-laundering schemes targeting proprietary M&A information from 48 top-tier U.S. law firms. Flashpoint immediately notified the authorities and the named law firms, which enabled them to safeguard their clients’ information and uphold the integrity of their M&A engagements.


Given the increasing number of companies opting to outsource their supply chains, supply chain security has become an integral component of the M&A due diligence process. While outsourcing can increase efficiency and lower costs, it often prevents companies from having visibility into the production of their goods. As such, companies may not be aware of flawed manufacturing practices, insufficient quality controls, or other errors that could lead to security vulnerabilities within these goods.

In one instance, Flashpoint identified a serious security vulnerability present within millions of Internet of Things (IoT) devices that rendered them susceptible to exploitation by the Mirai botnet and subsequent DDoS attacks. Flashpoint traced the vulnerability to one upstream supplier contracted by many leading retailers to manufacture components of certain electronics goods they sell. Upon this discovery, Flashpoint notified retailers and manufacturers so they could address and patch the vulnerability, issue product recalls as necessary, and work with upstream suppliers to enforce stricter quality controls and security measures to help prevent future issues from arising.


While high-value intellectual property (IP) is an integral facet of many M&A engagements, IP can be particularly susceptible to insider threats. The high black-market value and ample demand for IP on illicit communities means that for malicious insiders with access to valuable company information, selling such access can provide a quick and profitable return. But, unless a company has visibility into the forums and marketplaces where IP is bought and sold, insider threats may go undetected until the damage has occurred. Flashpoint’s comprehensive access to illicit communities facilitates quick detection of insider threats.

In one instance, Flashpoint identified a post on an elite cybercrime forum offering the sale of source code from unreleased, enterprise-level software owned by a Fortune 100 consumer technology company. Flashpoint conducted extensive analysis on the threat actor, which identified them as a company employee. This intelligence enabled the company to prevent the sale of the source code and take action against the rogue employee.


Ransomware attacks can cause significant financial and reputational damages across the enterprise. As such, buyers involved in M&A engagements should seek to identify any security vulnerabilities or other risk factors that could exacerbate a target company’s susceptibility to such an attack. Given the rapid increase in sophisticated, highly-targeted campaigns and “ransomware-for-hire” services emerging from illicit communities, it is crucial to gain as much visibility as possible into these threats.

In one instance, Flashpoint analysts monitoring Locky ransomware actors within illicit communities identified an active campaign developed to target retailers during the holiday season. The strain of ransomware, which was distributed via phishing emails disguised as payment invoices, was previously linked to infections causing massive economic and reputational damages at numerous organizations. In response, Flashpoint immediately notified retailers of the ongoing campaign and relevant indicators of compromise (IOCs) so they could appropriately bolster security measures, implement robust user-access controls, and work with employees to uphold good security hygiene and phishing awareness to help prevent future infections.


Companies targeted by fraud can incur substantial financial and reputational damages that may require consideration during an M&A engagement. While fraudsters once relied on lower-level tactics such as carding and ATM skimming, the implementation of stricter anti-fraud measures has ultimately yielded larger-scale, more damaging fraudulent schemes. Since most of these schemes develop within illicit communities, combating fraud proactively requires comprehensive visibility into these closed-access regions of the internet.

In one scenario, Flashpoint uncovered a plot to exploit the upcoming U.S. implementation of Europay MasterCard Visa (EMV). Intelligence from illicit communities revealed that threat actors had developed specific EMV-chip recording software and manufacturing techniques to fabricate chip-enabled credit cards capable of bypassing even the most robust anti-fraud measures. In addition to reporting these findings to financial institutions involved in the upcoming EMV launch, Flashpoint notified retailers so they could adjust their anti-fraud measures accordingly and proactively address the threat of large-scale fraudulent purchases and potential for economic and reputational damages.


Since many retail companies store large volumes of customers’ personally identifiable information (PII), they can be desirable targets for cybercriminals seeking to steal and monetize PII. But without ample visibility into illicit marketplaces and forums where criminal schemes are hatched and proprietary information is bought and sold, companies involved in an M&A transaction may struggle to detect and verify cyber indicators of compromise accurately and effectively.

Flashpoint’s extensive lingual, social, and cultural expertise, as well as comprehensive access to illicit communities, helps organizations proactively identify and investigate breaches. In one situation, Flashpoint observed a highly-reputable threat actor on an underground marketplace offer to sell access to a global IT company’s internal network. After verifying the breach’s validity, Flashpoint conducted a technical analysis of the threat actor to identify the source of the compromise and help the company mitigate any additional exposure.
