The Insider Marketplace Has Arrived
In this series, we examine recent insider incidents and identify the patterns that matter for insider risk, security, fraud, legal, HR, and business leaders.
The goal is not to retell every case. The goal is to understand what these incidents are telling us. And the message from May is hard to ignore: insider risk is no longer just an employee problem. It is becoming a marketplace problem.
Today, trusted credentials, database access, internal configurations, and administrative controls are no longer just business parameters. In the modern adversary ecosystem, **they are highly liquid assets with immediate market value.**
The Insider Threat Has Become Transactional
For years, organizations framed insider threat around a singular, isolated individual: the disgruntled employee stealing files, the administrator seeking revenge, or the worker heading to a competitor. Those risks remain real. But May’s incidents point to something far more **transactional, marketplace-driven, and commercialized:**
- **Credential Brokerage**: Workers sell login credentials to ransomware syndicates.
- **Logistics Leaks**: Employees leak cargo routing, timing, and shipping records.
- **Check Harvesting Networks**: Postal employees steal Treasury checks to sell in illicit networks.
- **Cyber Security Collusion**: Tech support agents actively assist external hackers.
- **Credential Harvesting Spyware**: Hospital employees install keyloggers to spy on coworkers.
- **Insider Financial Steering**: Executives turn nonpublic information into market opportunities.
This is no longer about simple disloyalty. It is about **monetization**. The adversary does not view your employee as an employee; they view them as a route around multi-million dollar security defenses.
Why This Matters: Controls Built for the Wrong Mental Model
Most insider risk systems are designed around individual indicators—scanning for massive out-of-hours USB downloads or behavioral grievances. But if the insider threat is transactionally driven, our detection must expand. The employee might not download anything; they may simply share a credential, approve a duplicate payment, or leak a shipment detail.
Rather than waiting for a data transfer alert, shift your security posture by asking:
Five Critical Threat Patterns Identified in May 2026
Credential Selling Is a Workforce Risk, Not Just an IAM Risk
Credential selling is too often relegated to technical mitigation (MFA, impossible travel checks, conditional access). But when employees are actively approached with cash offers to compromise corporate entry points, **it is a human risk problem.**
Organizations must train employees to recognize recruitment attempts and report them safely.
Equip your teams with clear guidance on what to do if approached. Ensure they know:
- **How Approaches Occur**: Through encrypted chat apps, personal emails, professional networking sites (LinkedIn), or dark-web forums.
- **The Solicitations**: Small requests at first (screenshots, system architectures, internal org charts) escalating to credentials.
- **Non-Punitive Reporting**: Create a clear, trusted, non-punitive path for reporting approaches early. Safeguard the employee.
Social Engineering Has Moved Deeper Into Professional Life
May's reports highlight patient, professional-pretext approaches (fake recruiters, consulting opportunities, conference exchanges) targeting key roles in aviation, energy, technology, and government.
Attackers bypass standard phishing filters by starting legitimate professional conversations to subtly extract operational intelligence, a tactic known as **elicitation**.
Financial Authority Is Privileged Access
Organizations limit "privileged access" strictly to IT administrators. This is a critical blind spot. The payroll clerk, procurement officer, expense approver, or refund manager has massive, high-impact business privileges.
May's cases demonstrate that employee-perpetrated fraud, duplicate invoices, fake vendor creation, and master banking modifications represent severe insider threats hiding in plain sight.
Technical Privilege Turns Emotion Into Immediate Impact
When a technically privileged user—an IT admin, cloud engineer, systems contractor, or developer—becomes angry, demoted, terminated, or compromised, their capabilities translate to near-instantaneous impact.
Rather than static annual reviews, automate privilege auditing and telemetry collection immediately upon any of these events:
Workplace Violence Is an Insider Risk Issue
May's extreme cases—including a disgruntled former employee driving an explosives-packed vehicle into an athletic club, and an explosive device placed under a supervisor’s vehicle—highlight that insider risk cannot ignore physical security.
A grievance may lead one employee to delete databases, another to embezzle, and another to commit physical violence. The pathway is different, but **the underlying escalation pattern overlaps.**
- Establish a Threat Management Team (HR, Cyber, Physical Security, Legal).
- Train supervisors to identify grievances turning into fixation, planning, or threats.
- Standardize documented behavioral threat assessment practices.
- Coordinate badge collection, session lockouts, and transition escorts.
The Program Shift: Build Around Value, Not Just Violations
Traditional programs scan for policy violations. This is too generic. The next-generation insider risk program **maps the organization from the adversary’s perspective**, auditing which roles, systems, and processes hold the highest concentration of marketable assets.
What Organizations Should Do Now
1. **Update the Insider Threat Model**: Stop limiting your model to simple file exfiltration and sabotage. Include credential selling, social engineering pretexts, professional elicitation, business process fraud, and employee-criminal collusion.
2. **Identify Your Most Marketable Access**: Audit systems and configurations from an adversary's standpoint: What credentials, intellectual property, or financial authority would someone be willing to pay for? Focus mitigation there.
3. **Treat Financial Authority as Privilege**: Apply the exact same rigor, logging, and multi-factor authorization to vendor creation, payment approvals, payroll modifications, and expense steering that you apply to technical root access.
4. **Establish a Recruitment Reporting Pathway**: Deploy clear, non-punitive channels for employees to immediately report approaches, coercion, bribe offers, or consulting requests from suspicious external contacts.
5. **Teach Elicitation and Social Pretexting**: Expand employee security training beyond generic email phishing. Teach teams how targeting works in professional spaces (LinkedIn, conferences, industry consultation groups).
6. **Unify Cyber and Physical Management**: Ensure that cyber telemetry, HR disciplinary events, badge access logs, and security reports are assessed in a joint framework. A behavioral grievance can manifest across any of these pillars.
7. **Strengthen Transition Phase Controls**: Ensure termination planning, suspensions, poor reviews, contract completions, and role transfers automatically trigger immediate account, session, and privilege reviews.
8. **Bridge Departmental Silos**: Bring fraud, legal, HR, cyber, physical security, and procurement together into the same room. A fragmented organization creates space for modern insiders to operate.
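The "Financial Authority Is Privileged Access" point and step 3 above can be made concrete as a control check. This is an added example, not code from the original article or any product: it runs a constructed stream of finance events through the same policy you would apply to root access (MFA, an independent second approver) and flags the fraud patterns the article names (duplicate invoices, and a payment shortly after a vendor bank-detail change). Event fields, user names, and vendors are invented for illustration.

```python
from datetime import datetime, timedelta

# Finance actions treated with the same rigor as technical root access
PRIVILEGED_ACTIONS = {"vendor_create", "vendor_bank_change",
                      "payment_approve", "payroll_modify"}

def audit_finance_events(events, bank_change_window=timedelta(days=7)):
    """Return (event_id, finding) pairs: missing MFA, no independent approver,
    a repeated invoice, or a payment soon after a vendor bank-detail change."""
    findings = []
    seen_invoices = {}   # (vendor, invoice, amount) -> id of first payment
    bank_changes = {}    # vendor -> (timestamp, actor) of latest bank change
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] in PRIVILEGED_ACTIONS:
            if not ev.get("mfa"):
                findings.append((ev["id"], "privileged finance action without MFA"))
            if ev.get("approver") in (None, ev["actor"]):   # self-approval counts as none
                findings.append((ev["id"], "no independent second approver"))
        if ev["action"] == "vendor_bank_change":
            bank_changes[ev["vendor"]] = (ts, ev["actor"])
        elif ev["action"] == "payment_approve":
            key = (ev["vendor"], ev["invoice"], ev["amount"])
            if key in seen_invoices:
                findings.append((ev["id"], f"duplicate of invoice paid in {seen_invoices[key]}"))
            else:
                seen_invoices[key] = ev["id"]
            change = bank_changes.get(ev["vendor"])
            if change and ts - change[0] <= bank_change_window:
                who = "same actor" if change[1] == ev["actor"] else "different actor"
                findings.append((ev["id"], f"payment within {bank_change_window.days}d "
                                           f"of bank-detail change ({who})"))
    return findings

# Constructed sample events; ids, names and vendors are invented for illustration
SAMPLE_EVENTS = [
    {"id": "E1", "ts": "2026-05-01T09:00:00", "action": "vendor_create", "vendor": "ACME",
     "actor": "jdoe", "approver": "msmith", "mfa": True},
    {"id": "E2", "ts": "2026-05-02T10:00:00", "action": "vendor_bank_change", "vendor": "ACME",
     "actor": "jdoe", "approver": None, "mfa": True},
    {"id": "E3", "ts": "2026-05-03T11:00:00", "action": "payment_approve", "vendor": "ACME",
     "invoice": "INV-100", "amount": 4800.0, "actor": "jdoe", "approver": "msmith", "mfa": False},
    {"id": "E4", "ts": "2026-05-20T12:00:00", "action": "payment_approve", "vendor": "ACME",
     "invoice": "INV-100", "amount": 4800.0, "actor": "msmith", "approver": "jdoe", "mfa": True},
    {"id": "E5", "ts": "2026-05-21T12:00:00", "action": "payment_approve", "vendor": "GLOBEX",
     "invoice": "INV-7", "amount": 120.0, "actor": "alee", "approver": "msmith", "mfa": True},
]
```

On the sample data the unreviewed bank change (E2), the MFA-less payment made by the same person one day later (E3), and the re-submitted invoice (E4) are all surfaced, while the routine payment (E5) is not.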
The insider threat is changing because **the value of access is changing**. Employee credentials, finance approvals, shipping manifests, or legal strategies are liquid commodities in an active marketplace.
Modern programs cannot sit quietly waiting for file-movement alerts. They must understand markets, motivations, business logic, recruitment, and human behavior.
Because in today’s threat environment, the most important question may not be whether an outsider can break in. It may be whether someone on the inside has something an outsider is willing to buy.