The Unnerving Trend of Rogue Insiders in the Dark Web

Security analysts and researchers who operate undercover on the dark web are finding an alarming number of employees selling stolen company information. In some cases, researchers claim that such employees openly tout their organizations. A growing number of rogue employees are selling classified information stolen from their companies, along with access points such as credentials, logins and passwords, for profit. Most information sold on the dark web comes from financial and telecommunication companies.

This growing activity on the dark web is usually carried out in tandem with underground brokers. Some researchers mention how specific sellers, particularly within Russian-speaking forums, openly discuss how they can provide services for profit in the form of information stolen from their employers.

In one case, security experts observed two telecommunication employees selling geo-location data and text message logs from phone SIM cards. Researchers warn of the massive potential for damage if such information is used to target government employees or high-profile individuals.

On the other hand, financial firm employees who have gone rogue usually get paid more. Underground brokers offer more than ten times the money for data received on banks and inside information. Since bank insiders typically have the keys to customer information and accounts, such data can be used for insider trading, siphoning funds and causing hurdles in financial deals.


According to reports published by IntSights and RedOwl, the rogue insider trend on the dark web has been persistent for the past four years. The report, ‘Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web’, reveals information on how insiders are selected on dark web forums. Between the years 2015 and 2016, observers noted a twofold increase in insider discussions through outreach and forum messages.

Trainees are hired after a complicated selection and authentication process, including verifying how the insider has access to the company and how quickly they can grab sensitive information and release it. The study also revealed that once these recruits become part of the dark web, they are secured with a cloak of anonymity.

Not too long ago, a highly interactive forum known as Dark Money revealed how it buys and sells stolen bank information. Various other underground markets such as cc, exploit.IN, Genesis Market, Joker’s Stash, and Bitify have also been revealed as high-octane auction sites that sell stolen bank information such as credit cards anywhere from $30-$50 apiece. In some cases, ‘new’ credit cards are sold for $95 apiece.

This study, however, does not reveal how employees go rogue, access the data they steal and monetize it. Researchers opine that such insiders have privileged access to sensitive information in their roles and could have admin access in areas they are not supposed to have.

The report further concludes that there is no way to ascertain how these insiders obtained the access, but given that the information stolen in the underground market is authentic, such insiders make no attempt to hide the company they work for.

In some of the latest Dark Web Findings at Black Hat Europe in early 2019, it was seen that researchers and law enforcement agencies are now infiltrating illegal forums and spaces on the dark web. In that regard, English-speaking forums were more wary and skeptical of buyers and queries. Given that law enforcement agencies have been shutting down some areas, it is now becoming harder to track the path of rogue insiders and where they go next.

However, identifying the dark web participants, such as the people behind the stolen data and how they came by it, is not always cut and dried. Numerous hackers and cyber criminals selling stolen information have usually gathered it from unsuspecting victims. There are a multitude of participants on the dark web, and the economy of scale does not always comprise full-time hackers.

Security experts and researchers who operate undercover are usually hired by organizations to understand how their stolen data ended up on the dark web. Such organizations have no visibility into the fact that the information has leaked out of the system. Although they may be aware of internal networks, they don’t have a good understanding of what has been exposed and is being sold in the underground market.

Since companies are inundated with data security incidents almost every day, and usually have to battle them with an understaffed team, they prioritize important threats. These companies begin with the nearest targets and the most relevant data threats. Hence, it’s typically data loss and malware, and by the time the company grows to a point where it can afford an IT department, it is quickly overwhelmed once it enters the insider threat domain.

And while rogue insiders may not be the most common form of data threat, human error is much more rampant. For instance, an unknowing click on a phishing document could result in the loss of millions. To prevent privileged users from accessing data continuously, it is crucial to install a proactive data or document security tool like digital rights management (DRM). Using DRM, you can prevent users from accessing documents and data, control what authorized users can do with the information they have been allowed to access, and revoke document access instantly regardless of where the information is stored.

You can even apply expiry dates to ensure documents expire automatically after a period of time. Rogue individuals with malicious intent can destroy intellectual property, trade information and valuable, sensitive documents and data in a matter of seconds. A strong governance strategy that includes DRM can be the answer to protecting documents from rogue insiders and human errors.
