Accenture warns malicious insider activity is escalating as dark web recruitment surges

Layoffs and the cost-of-living crisis are fueling insider threats, with “droves” of employees seeking to sell knowledge and company logins on the dark web.

While companies focus their cyberdefences on external threats like hackers, new research from Accenture’s Cyber Intelligence team shows the danger is increasingly coming from within.

The consulting firm’s cyber experts warned that malicious insider activity facilitated through dark-web ecosystems is escalating, with a multitude of industries targeted.

In 2025, there was a 69% increase in insiders offering their access to hackers compared to 2024, and a 127% surge in hackers recruiting insiders compared with 2022, Accenture’s data shows.

Many insiders offer hackers exactly what they want most: initial access and credentials, which account for up to 30% of all cases.

“The numbers are alarming,” said Accenture’s Global Head of Cyber Intelligence Ryan Whelan, who also shared the findings in a LinkedIn post.

According to cybersecurity experts, insider activity facilitated through the dark web has not only increased, but "escalated across the board.”

While the issue was once mainly a concern for sectors like finance and crypto, as well as government agencies, it is now affecting industries including manufacturing, logistics, and pharmaceuticals.

According to Whelan, this range signals a normalization of insider interaction with cybercrime ecosystems, as well as “a deepening alignment” between criminals and insiders.

“To make matters worse, there is a perfect storm of factors right now that is growing the insider threat pool. Whether due to industry layoffs or the cost-of-living crisis, insiders are going to the dark web in droves to sell knowledge and company logins,” he said.

What is an insider threat?

An insider threat is a cybersecurity risk posed by someone within an organization, such as an employee, contractor, or business partner – anyone with access to its systems and knowledge of its inner workings.

Inside jobs can be categorized into two main types: revenge-driven – often triggered by layoffs or perceived unfair treatment – and financially-driven, where insiders sell access to company systems or data.

Insider threats can also be state-sponsored, with documented cases of companies unknowingly hiring North Korean agents for remote IT roles.

According to Accenture’s analysis of dark-web activity, the insider economy is now principally designed to support early-stage intrusions, with criminal gangs increasingly relying on insiders to bypass cyber defences.

Insider threat prevention

Accenture says it has “strong evidence” that insider threat is escalating, raising the threat level from low-frequency, high-impact events to medium-frequency, high-impact strategic risk that requires board-level attention.

According to Whelan, it’s important that organizations have an insider risk strategy across the entire employee lifecycle.

“This means robust recruitment controls, safeguards during any person’s employment, and an off-boarding process that instantly revokes access, monitors for pre-departure data theft, and reinforces legal obligations,” Whelan said.

This may include enhanced identity verification during a hiring process, role separation during employment, and immediate access revocation during offboarding. Risk from third-party insiders may be mitigated through minimizing reliance on SMS and voice multi-factor authentication (MFA) and enforcing phishing-resistant authentication.

“It’s also critical to understand that this spike isn't random. It's a strategic pivot for threat actors, who view insiders as the easiest route to initial access,” he warned, adding that companies must communicate and build trust among their employees.

---

Unlock more exclusive Cybernews content on YouTube.