
6 Ways Malicious Insiders Can Do Damage Fast & How to Uncover Them

December 31, 2021

Watch Out for These 5 Red Flags That Indicate That You Could Be in for Trouble!

A disgruntled employee can wreak havoc fast. Beware of employees taking data with them when they leave or selling their still functional access credentials on the dark web. Malicious actors can also directly unleash a cyberattack by deploying malware themselves. Malicious insider actions are responsible for an estimated 25% of confirmed data breaches. Determining their motivations can shed light on why an employee might become a malicious insider. 

Excerpted in part from our new eBook, The Guide to Reducing Insider Risk.

Malicious Insider Incidents Are Hard to Spot 

The Ponemon Institute report claims that it takes on average 77 days to detect and contain an insider attack. On a more granular level, a recent survey of IT professionals found that they believed their companies could detect an insider attack within much shorter timeframes – 16% said within a month, 20% said within a week, 20% said within a day, 16% said within an hour and 16% said they’d detect an insider attack within minutes. 

Analysts noted the fastest growth in insider threats in the Retail (38% two-year increase) and Financial Services (20% two-year increase) sectors. With booming dark web data markets and big unemployment numbers worldwide, many workers are looking to make a quick buck any way they can and that can cost your business dearly – the cost of a malicious insider incident has surged 31% as well.  


6 Ways That Malicious Insiders Can Do Massive Damage Fast 

Employees who are hungry for extra income or revenge can manipulate their company’s IT environment in a number of dangerous ways. Former employees are also dangerous – over 90% of malicious insider incidents are preceded by employee termination or layoff.

Selling Their Credentials 

Legitimate credentials for even a small company can sell for a pretty penny. A legitimate stolen corporate network credential goes for around $3,000. But that is far from the top price a really useful password can fetch in the booming dark web data markets. Among the most valuable leaked credentials are those magic keys that unlock privileged access to corporate networks. Those types of credentials can go for as much as $120,000. That’s a price some cybercrime gangs will gladly pay to enable them to launch ransomware attacks that can fetch them millions in ransom money. Malicious insiders can quickly sell legitimate credentials to Initial Access Brokers (IABs), cybercriminals who specialize in peddling access to secure networks. More than 300 IABs are in business on the dark web.


Cryptomining

The recently released 2021 Cisco Cyber Security Threat Trends report pointed to cryptomining as a top overlooked risk for businesses, and that’s dangerous. Cryptomining is almost inevitably tied to cybercrime. It’s also an intrusion in your company’s IT environment. That creates a vulnerability that can be exploited by other cybercriminals as well. The problem is much more widespread than many business owners and IT leaders may think. Almost 70% of organizations worldwide experienced some level of unsolicited cryptomining.

Moonlighting on the Dark Web 

Demand for all kinds of skilled cybercrime work is high in the flourishing cybercrime-as-a-service economy on the dark web – experts estimate that 90% of posts on popular dark web forums are from buyers looking to contract someone for hacking services. Most dark web forum hiring posts are for hackers: an estimated 69% were looking for cybercriminals to do some website hacking. Another 21% were looking for malicious insiders or corporate saboteurs who could obtain specifically targeted user or client databases.

Database Hacking 

Buyers are hungry for databases, and your database can be a valuable resource for a malicious insider to exploit. A freshly unlocked database can go for $20,000 ($50 per 1,000 entries). Entries that include some personally identifying information (PII) like username, email address, full name, phone number, home address, date of birth and occasionally social security and identification numbers sell fast. Boutique database hacking frequently involves a helping hand from malicious insiders, and it pays a premium price: between $100 and $20,000, or between $5 and $50 per 1,000 entries.

Customer Data Theft 

Even low-level malicious insiders can do damage fast, as seen in the Shopify breach in Q4 2020. In this incident, two support team employees hatched a scheme to steal customer transaction records from specific merchants. While only about 20 shops were affected, several high-profile merchants were targeted, including influencer Kylie Jenner’s high-profile line Kylie Cosmetics. The data exposed included client details like email, name, and street address, as well as order details, but did not involve complete payment card numbers or financial information. 

Espionage or Theft of Corporate Secrets & Proprietary Information

Dark web markets aren’t just focused on selling data, passwords, and hacking services. There is a thriving market for corporate secrets. That trade boomed during the initial global pandemic as nation-state actors, cybercriminals and malicious insiders peddled research data, treatment records and other COVID-19 related data. A company’s proprietary data like formulas, blueprints, source code, playbooks, budgets, job bids and other corporate secrets can do a lot of damage in the wrong hands, and it can also sell for a lot of money on the dark web. An estimated 45% of employees download, save or send work-related files before they leave their job.  


What Motivates a Malicious Insider?

The Top Motivations for Malicious Insiders  

  • An estimated 70% of malicious insider breaches are financially motivated, chiefly through employees selling credentials or access to systems and data on the dark web.  
  • A scary 25% of malicious insider incidents are motivated by espionage or theft of intellectual property, like selling formulas, stealing sensitive data or disclosing company secrets.   
  • Around 4% of malicious insider incidents are caused by angry employees who want to damage the company. They sometimes choose to do that by deploying ransomware or deleting data.  

Source: 2021 Verizon Data Breach Investigations Report  

The Top Departments for Malicious Insiders to Target  

  • Finance (41%)
  • Customer Success (35%)
  • Research and Development (33%)

Source: Swiss Cybersecurity Forum  

The Top Malicious Insider Actions  

  • 62% exfiltrating data  
  • 19% privilege misuse  
  • 9.5% data aggregation/snooping  
  • 5.1% infrastructure sabotage 
  • 3.8% circumvention of IT controls  
  • 0.6% account sharing  

Source: Statista  


How Do Malicious Insiders Make Money? 

Money makes the world go round, and it is always the top reason that motivates a malicious insider. Here are some of the ways that employee bad actors can profit from a company’s misfortune. 

Misusing their credentials. A malicious actor might use their credentials (or someone else’s) to access sensitive information or to give access to systems and data to someone who shouldn’t have it. More than 80% of malicious insider breach incidents are caused by privilege misuse.

Selling their credentials. Money-motivated malicious insiders can make a tidy sum by selling their credentials on the dark web.  An average legitimate corporate network credential goes for around $3,000. But selling a privileged credential is much more lucrative; desirable privileged credentials can go for upward of $120,000. 

Peddling data on the dark web. Data is currency on the dark web. Personal data reigns as the hottest type of data on the dark web, followed by medical data in second place. Employees can also profit from selling proprietary data like formulas, research (especially medical research), and corporate secrets. 

Cybercrime-as-a-Service. Cybercrime is a $6 trillion industry, and there are plenty of “jobs” available. Major cybercrime gangs hire specialists to take care of aspects of their operations all the time, like an employee with access to a company’s systems who can deploy ransomware.  

While every malicious insider has unique motivations, some factors can act as red flags that point to the possibility of a malicious insider at work in an organization. 

Are any employees… 

  • Downloading or accessing large amounts of data? 
  • Stealing privileged passwords? 
  • Adding improper privileges to their user account? 
  • Sending proprietary information to their private email accounts? 
  • Engaging in cryptomining?
  • Installing malware like ransomware? 
  • Disgruntled by layoffs or terminations? 
  • Under undue stress and feeling unappreciated? 
  • Having serious financial problems? 
  • Angry about being passed over for a promotion? 
  • Isolating themselves or otherwise acting suspiciously? 
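
Three of the red flags above (large downloads, improper privileges added to one's own account, information sent to private email) leave traces in audit logs. The following is an added example, not code from the original article or from any ID Agent product, that checks constructed events for them; the event schema, the thresholds and the webmail domain list are assumptions, and mail with attachments stands in for "proprietary information".

```python
from collections import defaultdict
from statistics import median

# Assumptions (hypothetical): event schema, thresholds and the webmail list.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
VOLUME_FACTOR = 5            # daily volume vs. the user's own median
VOLUME_FLOOR = 500 * 2**20   # ignore spikes below 500 MiB
MIN_HISTORY_DAYS = 3         # days of baseline needed before judging a spike

# Constructed sample events, not real logs.
EVENTS = [
    {"type": "download", "user": "alice", "day": 1, "bytes": 40 * 2**20},
    {"type": "download", "user": "alice", "day": 2, "bytes": 55 * 2**20},
    {"type": "download", "user": "alice", "day": 3, "bytes": 35 * 2**20},
    {"type": "download", "user": "alice", "day": 4, "bytes": 900 * 2**20},
    {"type": "download", "user": "bob", "day": 4, "bytes": 60 * 2**20},
    {"type": "mail", "user": "alice", "day": 4,
     "to": "alice.p@gmail.com", "attachments": 3},
    {"type": "mail", "user": "bob", "day": 4,
     "to": "client@example.com", "attachments": 1},
    {"type": "priv_change", "user": "carol", "day": 5,
     "target": "carol", "role": "db_admin"},
    {"type": "priv_change", "user": "dave", "day": 5,
     "target": "erin", "role": "viewer"},
]

def find_red_flags(events):
    """Return sorted (day, user, flag) tuples for three of the red flags."""
    flags = set()
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    for e in events:
        if e["type"] == "download":
            daily[e["user"]][e["day"]] += e["bytes"]
        elif e["type"] == "mail":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS and e["attachments"] > 0:
                flags.add((e["day"], e["user"], "attachment_to_personal_mail"))
        elif e["type"] == "priv_change" and e["user"] == e["target"]:
            flags.add((e["day"], e["user"], "self_granted_privilege"))
    for user, per_day in daily.items():
        for day, total in per_day.items():
            earlier = [b for d, b in per_day.items() if d < day]
            # Compare against the user's own baseline, not a global average.
            if (len(earlier) >= MIN_HISTORY_DAYS and total >= VOLUME_FLOOR
                    and total > VOLUME_FACTOR * median(earlier)):
                flags.add((day, user, "bulk_download"))
    return sorted(flags)

if __name__ == "__main__":
    for day, user, flag in find_red_flags(EVENTS):
        print(f"day {day}: {user}: {flag}")
```

A hit here is a prompt for review, not proof of intent: the same events occur in legitimate work, which is why the volume check uses each user's own history.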


Insider risk is up by more than 40% in 2021, and it’s not expected to go down in 2022. But with the right solutions in place, companies can mitigate a substantial portion of their accidental insider risk. These two ID Agent solutions are perfect for the job.    

Dark Web ID – Don’t let cybercriminals sneak into your network to snatch your data with a compromised credential. Get the power of 24/7/365 human and machine-powered monitoring on your side for employee passwords, business and personal credentials, domains, IP addresses and email addresses.

BullPhish ID – Organizations that regularly conduct security awareness training have up to 70% fewer cybersecurity incidents. Educate staffers on how to spot and stop the latest threats including phishing, ransomware, compliance, password safety and more using done-for-you kits or customized lessons.  
