Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies Ltd., warns that it is not only hacking tools and threats or weapons, drugs and stolen personal information and login credentials that are traded in the dark corners of the internet but also where various insiders and hacker groups are continuously offering their services and cybercriminals looking for collaborators to help them attack organisations from the inside.

The Darknet is attractive to cybercriminals because of its near-perfect anonymity, making it an ideal space for finding collaborators and offering illegal employment opportunities. Many offers are targeted at insiders, those with knowledge of and access to sensitive systems who can help cybercriminals penetrate protected networks. While we can imagine that with the advancement of cyber tools, insider business will diminish – we observe that during the last two years, it has continued to flourish in the darknet.

Job offers on the darknet
“Cybercriminals often use specialised forums and marketplaces on the darknet to post job offers. These can attract tech-savvy users who are disenchanted with the traditional job market or are willing to go beyond the law for financial reward. Offers can range from hacking and data theft to malware deployment and ransomware campaigns. Hacker groups expect insiders to provide access to target systems, assist in overcoming security measures, and provide useful information for a successful attack. Or even attempt physical sabotage,” says Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research.

Finding insiders
Insiders are valuable to cybercriminals because they have access to critical information and can weaken security measures from the inside. Cybercriminals often offer high financial rewards for cooperation and may even provide special training to maximize damage. For example, how to install malware or otherwise sabotage employers’ security systems. There are dozens of similar ads on the darknet. Often these are advertisements from Russia or the Commonwealth of Independent States (CIS).

Hiring an insider is expensive and dangerous, which is why cybercriminals target lucrative industries and large companies in these cases. For example, the financial, telecommunications or technology sectors are popular targets.

But it’s not just cybercriminals looking for collaborators on the darknet, insiders are also proactively offering their services. For example, an employee of a major mobile operator in Russia offered SIM card swapping and other illegal services. There are many similar advertisements also for the US telecommunication operators.

Insider service offers from the financial sector and the world of cryptocurrencies are also popular.

And the technology sector has traditionally faced the threat of insiders.

But no sector is exempt from risk, as the advert relating to the shoe and fashion trade shows.

There are cybercrime organisations in Russia and Eastern Europe that monitor insider networks in various organisations. But some of them also offer their insiders who provide illegal or at least dubious services in other countries. One such insider is a hacker with the nickname Videntis.

Videntis has a catalogue of over 11 pages offering insider-related services. Some of the services are very common, such as finding a mobile number for 2,500 rubles within 48 hours, listing all calls and SMS within 72 hours for 25,000 rubles, or forwarding all calls from a specific number for 19,000 rubles.

Other services involve specific Russian banks. For 8,000 rubles it is possible to find out a secret word within 72 hours or get a statement from any account for 9,000 rubles. For $900, a hacker promises to use his contacts to block any user’s WhatsApp, block a SIM card with any operator, or for $850, block any personal Instagram or TikTok account within 7-30 days. Some services are more versatile, such as confirming vaccinations abroad or creating health documents for travel.

A profitable deal for both parties
For insiders, working with cybercriminals is high risk; they can face criminal prosecution and loss of professional reputation. And there are rewards to match. However, for some, the main motivation may be revenge. The reward may be in the form of a direct payment or a share of the profits from the stolen data. In some cases, rewards may be contingent on the success of the attack or the amount of data recovered.

The infamous hacker group LAPSUS$, for example, sought an insider inside telco companies and offered a reward and low risk for both the insider and the hackers. Another group, in turn, offered $2,000-$5,000 to employees who had access to drivers at various food delivery services. But higher amounts, such as up to $100,000 to insiders at technology companies, are no exception. The impact of attacks involving insiders can be devastating. The Ponemon Institute’s “Cost of Insider Threats Global Report” reports that in 2021, the average cost per incident associated with insider activity will climb to $15.38 million.

Insiders can be employees, suppliers or employees of partner companies. In addition, their motives can vary from financial gain to revenge to political or ideological reasons. Collaboration between cybercriminals and insiders on the darknet poses a serious threat to companies’ data security and infrastructure.

This phenomenon requires the utmost attention and a proactive approach to security, including employee training, implementation of appropriate security policies, detection of suspicious behaviour, monitoring of the entire environment and regular audits. It is important to understand that prevention is key in the fight against cybercrime.