A wave of high-profile insider incidents has sent a shockwave through the security industry — and signaled a dangerous new reality for every security leader.
Over the past several weeks, multiple insider-driven events have rocked some of the most security-mature organizations in the world. CrowdStrike fired an employee for leaking internal screenshots to a ransomware-linked group. Two DigitalMint employees were indicted for participating in BlackCat ransomware operations on their own time. Tesla’s string of insider incidents — including nation-state recruitment attempts, data leaks, and post-termination access misuse — resurfaced as early warning signs. And U.S. law enforcement cracked open a sprawling North Korean “remote worker” scheme that successfully embedded operatives inside American tech companies.
“If this can happen to security companies, what does that mean for employees at IT companies, MSPs, or your organization?” said Sherri Davidoff, Founder of LMG Security, in a recent Cyberside Chats episode.
It’s a question every security leader should be asking.
This article breaks down what happened, why insider threats are surging, and the steps every organization must take now to strengthen their defense from the inside out.
CrowdStrike: A $25,000 Screenshot Leak
In late 2025, CrowdStrike discovered that an employee had been quietly taking screenshots of internal dashboards — including an Okta-based access portal — and leaking them to a group known as Scattered Lapsus$ Hunters. The insider reportedly received $25,000 for the data. Attackers falsely claimed they hacked CrowdStrike through Gainsight, but that story quickly fell apart under scrutiny, as covered in a TechCrunch report on the CrowdStrike insider leak.
Why lie?
As Matt Durrin explained on the podcast, the attackers “wanted to protect their source… and it makes them look cooler” than admitting they paid someone for screenshots.
This tactic aligns directly with the Lapsus$ insider-recruitment model:
- Buy insider access
- Claim a sophisticated breach
- Protect the mole
- Inflate the threat actor brand
Even a single screenshot can reveal sensitive paths, internal system names, MFA flows, and administrative tools. Organizations often underestimate the value of “just a screenshot” — but attackers don’t.
DigitalMint: When Cybersecurity Employees Go Rogue
DigitalMint’s situation was different — and in some ways more alarming. In October 2025, two DigitalMint employees were indicted for conspiring with BlackCat/ALPHV ransomware actors. Unlike CrowdStrike, the employees did not abuse company systems. They allegedly ran ransomware operations on their own time, using their professional knowledge and negotiation expertise to optimize ransom negotiations, as detailed in a Reuters report on the DigitalMint indictment.
According to the indictment, the insiders helped compromise at least five companies, including a medical device firm, a pharmaceutical company, and a drone manufacturer. One victim paid $1.27 million to the attackers.
This case highlights a new class of insider threat: the cyber expert who goes rogue off-hours. Not a compromised employee — not someone abusing their employer’s network — but someone applying their professional cybersecurity skills to criminal activity elsewhere.
It also underscores the need for strong ethical training, clear expectations, and continuous messaging about legal consequences. As Sherri shared from her conversation with DigitalMint’s CEO, ethics training and explicit deterrence are essential — especially for staff with privileged insight into incident response and ransomware operations.
Tesla: Three Insider Incidents, Three Different Threat Profiles
Tesla’s insider history illustrates just how varied insider threats can be:
- **Nation-State Recruitment Attempt (2020)**
A Russian agent attempted to bribe a Tesla employee with $1 million to plant malware. The actor flew to the U.S., wined and dined the employee, and coached them on the operation. Fortunately, the employee reported the activity to the FBI — but not every organization will get that lucky.
- **Insider Data Leak (2018/2021)**
A disgruntled employee with legitimate access created fake accounts, altered manufacturing software, and stole several gigabytes of sensitive data, later leaked to the press. This case highlighted the damage a technically skilled, ideology-driven insider can do.
- **Post-Termination Access Misuse (2023)**
A former employee retained credentials after leaving the company and used them to steal data from more than 70,000 employees. Post-offboarding access failures remain one of the most common — yet preventable — insider risk gaps.
These three events show that insider threats span greed, retaliation, personal beliefs, coercion, and negligence — and they can manifest at any point in the employee lifecycle.
North Korean “Remote Workers”: When the Employee Isn’t Who They Say They Are
In mid-2025, DOJ and FBI announcements revealed a large North Korean remote-worker scheme using stolen identities, deepfaked interviews, and “laptop farms” to place operatives inside U.S. companies.
Some operatives gained access to:
- Source code repositories
- CI/CD systems
- Sensitive corporate data
- Defense-related or export-controlled information
The “employee” was performing the job — sometimes well — while secretly exfiltrating data and funneling money back to North Korea. Companies discovered the truth only after EDR alerts lit up or suspicious data transfers triggered investigation.
This is not a disgruntled insider — it’s an embedded adversary.
And in remote-first organizations, they can be extremely difficult to detect.
For additional defensive guidance, LMG has published practical advice in How Not to Hire a Deepfake Employee.
Five Immediate Actions to Reduce Insider Risk
- **Build a strong ethics culture and make legal consequences explicit.**
Regularly reinforce expectations, especially for IT admins, security teams, and anyone with sensitive access. Ethics training combined with clear deterrence messaging reduces the temptation to “go to the dark side.”
- **Enforce least privilege and conduct quarterly access reviews.**
Access sprawl is real. Review permissions, remove what’s unnecessary, and require justification for higher-level access — even for executives and long-term staff.
- **Deploy screenshot-prevention and data-leak controls.**
Use screenshot watermarking, VDI/browser isolation, CASB monitoring, and DLP policies to prevent sensitive data capture and detect exfiltration attempts.
- **Strengthen identity verification for remote and distributed workers.**
Perform periodic identity rechecks, require company-managed devices, and use secure onboarding workflows with endpoint attestation.
- **Monitor high-risk users and require similar protections from vendors.**
Leverage behavioral analytics to spot unusual activity, dual employment, off-hours access, or anomalous code repository pulls. And don’t forget: your vendors’ insiders are effectively your insiders. For more guidance, see LMG’s article: Third Party Risk Management: Lessons from the Crowdstrike Outage.
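To make the offboarding and behavioral-analytics controls above concrete, here is an added example (not from LMG Security or the original article) that runs four simple detections over a constructed access log and HR roster: accounts with no HR record, logins after an account's termination date, activity outside business hours, and bursts of repository clones. All user names, log lines, the 07:00–19:00 window, and the clone threshold are hypothetical values chosen for illustration.

```python
from collections import Counter
from datetime import date, datetime, time

# Constructed HR roster (hypothetical): user -> termination date, None = still employed.
ROSTER = {"alice": None, "bob": "2025-09-30", "carol": None, "dave": None}

# Constructed access log (hypothetical): (timestamp, user, action, object).
LOG = [
    ("2025-10-02T09:15:00", "alice", "login",      "vpn"),
    ("2025-10-02T09:20:00", "alice", "repo_clone", "billing-service"),
    ("2025-10-02T10:01:00", "bob",   "login",      "vpn"),            # after offboarding
    ("2025-10-02T10:05:00", "bob",   "repo_clone", "hr-exports"),     # after offboarding
    ("2025-10-02T02:40:00", "carol", "login",      "okta"),           # 02:40 local time
    ("2025-10-02T02:45:00", "carol", "repo_clone", "auth-core"),
    ("2025-10-02T11:00:00", "dave",  "repo_clone", "svc-a"),
    ("2025-10-02T11:02:00", "dave",  "repo_clone", "svc-b"),
    ("2025-10-02T11:03:00", "dave",  "repo_clone", "svc-c"),          # 3 clones -> burst
    ("2025-10-02T14:00:00", "eve",   "login",      "vpn"),            # no HR record
]


def detect(log, roster, business_hours=(time(7), time(19)), clone_threshold=3):
    """Return a list of findings; each is a tuple starting with the finding type."""
    findings = []
    clones = Counter()
    start, end = business_hours
    for ts, user, action, obj in log:
        when = datetime.fromisoformat(ts)
        # 1. Account with no HR record at all: cannot be tied to a verified identity.
        if user not in roster:
            findings.append(("account_not_in_roster", user, ts, action, obj))
        # 2. Credentials still working after the termination date (offboarding gap).
        elif roster[user] and when.date() > date.fromisoformat(roster[user]):
            findings.append(("post_termination_access", user, ts, action, obj))
        # 3. Activity outside business hours; tune the window per team and timezone.
        if not (start <= when.time() < end):
            findings.append(("off_hours_access", user, ts, action, obj))
        if action == "repo_clone":
            clones[user] += 1
    # 4. Unusually many repository clones by one user within the log's time window.
    for user, n in clones.items():
        if n >= clone_threshold:
            findings.append(("anomalous_repo_pulls", user, n))
    return findings


if __name__ == "__main__":
    for finding in detect(LOG, ROSTER):
        print(*finding)
```

In practice the roster comes from the HR system of record and the log from the SIEM or identity provider; the point is that each check needs a data source outside the IT team's own control.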
Conclusion: Don’t Wait for an Insider Incident
Insider threats are no longer rare outliers — they are routine, damaging, and evolving faster than many organizations’ defenses. Attackers aren’t always breaking in. Increasingly, they’re logging in, being hired, bribing employees, or going rogue from within.
The good news: with the right strategy, controls, and culture, insider threats become far more manageable.
At LMG Security, we help organizations strengthen their insider-threat defenses through tabletop exercises, risk assessments, and program reviews that identify gaps before attackers (or employees) exploit them. If you want to understand your true exposure — and build practical defenses that work — reach out to LMG Security. It’s time to get ahead of insider threats, not react to them.