HomeLearnBoKEvents & Case StudiesCollusion and External Recruitment of Insiders
Back to Hub
Last Reviewed: 2026-06-24
Reviewer: ITMG® Security Advisory
BoK Reference Sheet
Reference Case study

Collusion and External Recruitment of Insiders

Collusion occurs when an insider coordinates with an external party to misuse access, share information, commit fraud, enable espionage, or harm the organization.

Based on real event: EV battery-manufacturing trade-secret conspiracy.

Incident Case Analysis & Real-World Context

Case basis: Based on real event. A resident of China pleaded guilty to conspiring to send trade secrets belonging to a leading U.S.-based electric-vehicle company. DOJ stated that former employees took trade secrets from their employer and later used them to build a business marketed as a replacement for the victim company�s products. The case shows how insider access, post-employment opportunity, and external commercialization can converge.

Why This Event Pattern Matters

Collusion cases are difficult because the event is not confined to one user or one system. The insider�s activity may connect to outside businesses, competitors, vendors, handlers, customers, or personal associates.

Common Event Scenarios & Progression Path

Sensitive access by current or former employee.

External business or competitor beneficiary.

Use of protected information in a new product, service, or commercial offering.

Potential communication, payment, travel, or relationship evidence outside core security logs.

IRCF™ Capability Alignment

Lessons from this event pattern directly map to the following canonical Insider Risk Capability Framework™ (IRCF™) components for organizational capability improvement:

Personnel AssuranceGovernanceIAMMonitoringAnalysisInvestigationData ProtectionThird-Party RiskOversight and Compliance

Insider Threat Matrix Alignment

Matrix mapping includes motive, means, preparation, infringement, and anti-forensics when supported by facts. Collusion mapping should include external direction, relationship, communication, and data movement.

*The Insider Threat Matrix™ is an open framework maintained by Forscie Limited for computer-enabled insider threat investigations.

Controls & Safeguards to Leverage

Conflict-of-interest and outside-activity disclosure processes.
Sensitive-role reviews for competitors, vendors, and startup activity.
Monitoring for targeted collection and external sharing.
Trade-secret and confidentiality controls during onboarding, role change, and offboarding.
Legal escalation for suspected conspiracy, espionage, sanctions, or export-control concerns.

Relevant Program Metrics & KPIs

Metric
Collusion referrals.
Metric
Sensitive-domain external sharing events.
Metric
Conflict-disclosure gaps.
Metric
Sensitive-role training completion.
Metric
Time to legal escalation for suspected external coordination.

Legal, Privacy, and Ethical Cautions

Collusion may implicate trade-secret law, employment law, privacy, criminal law, anti-bribery, sanctions, export controls, procurement, and law-enforcement referral. Avoid alleging conspiracy unless the source and legal review support the term.

Source References & Investigation Fact-Verification

DOJ, Eastern District of New York, Resident of China Pleads Guilty to Conspiracy to Send Leading Electric Vehicle Company�s Trade Secrets, June 13, 2024. DOJ, Eastern District of New York, Resident of China Sentenced to 24 Months in Prison for Conspiring to Send Trade Secrets Belonging to Leading U.S.-Based Electric Vehicle Company, Dec. 16, 2024.

Operationalize This Learning

Need to evaluate whether this scenario is covered in your environment? Use RiskTKO® or request a Guided Exposure Assessment to evaluate your current control coverage, capability maturity, and exposure trends.