Insider threats arise when current or former employees exploit access to their organization’s systems or data for financial, political, or personal gain. Since most enterprise security teams typically focus on mitigating external attacks, many organizations lack visibility into threats posed by malicious insiders.

Flashpoint combines extensive knowledge of malicious insiders’ tactics, techniques, and procedures (TTPs) with targeted monitoring of illicit online communities to help organizations proactively detect and mitigate a broad spectrum of insider threats, some of which include:


Companies that maintain proprietary access to intellectual property (IP) may be particularly susceptible to insider threats. The high black-market value of IP and the ample demand for it in illicit online communities mean that for malicious insiders with access to valuable company information, selling such access can provide a quick and profitable return. But, as most companies lack visibility into the forums and marketplaces where IP is bought and sold, insider threats often go undetected until the damage has occurred.

Flashpoint’s comprehensive access to illicit communities facilitates quick detection of IP theft. In one instance, Flashpoint identified a post on an elite cybercrime forum offering the sale of source code from unreleased software owned by a multinational tech company. Flashpoint’s analysis subsequently determined the actor was a company employee. This intelligence enabled the company to safeguard the source code and terminate the rogue employee.


As organizations across all sectors continue to implement stricter security measures, more threat actors are recognizing that some criminal schemes may only be possible with the cooperation of insiders. In order to recruit insiders, threat actors typically post advertisements to various Deep & Dark Web forums. Flashpoint’s visibility into these forums enables organizations to proactively detect and address threats posed by insider recruitment.

Flashpoint detected early-stage plans for an account takeover (ATO) operation after a threat actor’s post to a Dark Web forum revealed efforts to recruit an insider from a large bank. The actor claimed to have access to a high-balance account holder’s credit report, which contained information that would enable an insider to change the account holder’s listed address to that of a drop address and subsequently cash out the account. Flashpoint immediately notified the bank so they could safeguard the compromised account, strengthen user-access controls, and monitor employee activity to prevent an insider threat from arising.


While most organizations conduct background checks on prospective employees, many high-risk indicators are not visible via traditional pre-screening procedures. Indeed, more threat actors operating on the Deep & Dark Web are seeking employment as a means of accessing sensitive corporate data and deploying malicious schemes targeting their employers. Flashpoint’s expertise on high-risk indicators and the Deep & Dark Web helps organizations confirm the integrity of prospective employees to proactively combat insider threats.

In one situation, Flashpoint’s intelligence revealed previously unknown ties between a Fortune 500 retailer’s prospective employee and a threat actor known for recruiting insiders on the Deep & Dark Web to steal corporate data for use in extortion schemes. Flashpoint quickly alerted the retailer to these ties, which prompted them to deny the individual’s employment application and implement intelligence-led measures to reinforce the security of their sensitive data.


Threat actors interested in insider trading often seek access to confidential information pertaining to, for example, market insights, M&A activity, product launches, or corporate restructuring. In addition to leveraging this information to engage in insider trading schemes directly, some insiders may simply opt to sell it on the Deep & Dark Web to others interested in such schemes. Flashpoint’s intimate familiarity with the insider trading threat landscape enables organizations to proactively mitigate these threats.

Flashpoint analysts monitoring a Dark Web marketplace recently observed a threat actor seeking “financial industry staff” to supply “non-public investment information” in support of insider trading. Shortly thereafter, the actor’s request elicited an affirmative response from an individual who claimed to be employed by a U.S. investment bank. Flashpoint’s extensive analysis of the suspected insider confirmed the validity of their claims and subsequently identified both the U.S. investment bank and the individual in question. This intelligence enabled the bank to safeguard their corporate data and terminate the employee.
