Safeguarding Telecom Assets from Threat Actors and Cyber Attacks

For telecom executives, protecting assets from threat actors is critical to preserving operational resilience and maintaining customer trust.

Despite multi-million-dollar security stacks intended to stop external attackers, 2025 data shows the most effective exploit remains the human element. Flashpoint recorded 91,321 instances of insider recruitment, advertising, and illicit discussions last year, demonstrating that criminals often find it easier to buy access than to engineer complex technical bypasses.

The telecom industry was at the center of this activity in 2025, accounting for 42 percent of all observed insider-related posts. This concentration reflects the sector’s central role in identity verification and its control over subscriber credentials.

By recruiting carrier employees, attackers enable SIM swapping, in which the carrier reassigns a victim's phone number to a SIM card under the attacker's control (or ports it out to another carrier). Once that reassignment takes effect, the attacker receives the victim's calls and text messages, including SMS one-time codes, and can use them to defeat SMS-based two-factor authentication on corporate and financial accounts.
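The weakness described above is that a relying service trusts the phone number rather than the SIM behind it. As an added example (not code from the article or from Flashpoint), the check below treats a recent SIM change or port-out as a risk signal before accepting an SMS one-time code: a number whose SIM has been stable is allowed, a number moved to a new SIM within the last 72 hours is stepped up to a non-SMS factor if the device is recognised and denied if it is not. The event format, the 72-hour window and all numbers and timestamps are constructed assumptions; real carrier SIM-change feeds differ.

```python
"""Added example: SIM-tenure check before trusting an SMS one-time code.

All events below are constructed for illustration. The carrier event
shape (msisdn, event_type, ISO timestamp) is an assumption, not a real
carrier API."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed carrier events: the number was moved to a new SIM or
# ported out to another carrier at the given time.
SIM_CHANGE_EVENTS = [
    ("+15551230001", "SIM_CHANGE", "2025-03-10T09:12:00"),
    ("+15551230002", "PORT_OUT",   "2025-03-11T22:40:00"),
    ("+15551230003", "SIM_CHANGE", "2024-11-02T14:00:00"),
]

# Constructed SMS-OTP login attempts seen by the relying service:
# (msisdn, timestamp, device already known for this account?)
OTP_LOGINS = [
    ("+15551230001", "2025-03-10T09:41:00", False),  # 29 min after SIM change, new device
    ("+15551230001", "2025-03-10T10:00:00", True),   # 48 min after SIM change, known device
    ("+15551230002", "2025-03-12T01:05:00", False),  # 2.5 h after port-out, new device
    ("+15551230003", "2025-03-12T08:00:00", True),   # SIM change was months ago
    ("+15551230004", "2025-03-12T08:30:00", False),  # no SIM events at all
]

# Assumed policy: do not trust SMS OTP alone within 72 h of a SIM change.
SIM_TENURE_WINDOW = timedelta(hours=72)


@dataclass
class Decision:
    action: str   # "allow", "step_up" or "deny"
    reason: str


def latest_sim_event(msisdn, events, before):
    """Most recent SIM change or port-out for this number at or before `before`."""
    times = [datetime.fromisoformat(t) for (m, _, t) in events
             if m == msisdn and datetime.fromisoformat(t) <= before]
    return max(times) if times else None


def evaluate_otp_login(msisdn, when, known_device, events=SIM_CHANGE_EVENTS):
    """Decide whether an SMS one-time code may serve as the second factor."""
    when = datetime.fromisoformat(when)
    last = latest_sim_event(msisdn, events, when)
    if last is None or when - last > SIM_TENURE_WINDOW:
        # SIM has been stable long enough; SMS OTP is acceptable.
        return Decision("allow", "no recent SIM change")
    age = when - last
    if known_device:
        # A recognised device lowers the risk, but SMS must not be the sole factor.
        return Decision("step_up", f"SIM changed {age} ago; require non-SMS factor")
    return Decision("deny", f"SIM changed {age} ago and device is unknown")


def triage(logins=OTP_LOGINS):
    """Action for each constructed login attempt, in order."""
    return [evaluate_otp_login(m, t, d).action for (m, t, d) in logins]


if __name__ == "__main__":
    for msisdn, t, d in OTP_LOGINS:
        print(msisdn, t, evaluate_otp_login(msisdn, t, d))
```

The design point is that the SIM change itself is not treated as malicious (legitimate replacements happen daily); it only removes SMS from the set of factors the service will accept until the new SIM has some tenure, which is exactly the window an insider-enabled swap needs to monetise.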

In terms of supply (employees openly advertising their services), telecoms leads other sectors. However, when considering demand from threat actors seeking access, the technology and financial sectors rank higher. This indicates that while carrier employees are the most frequent "sellers" on illicit forums, carrier access is often a stepping stone: control of a subscriber's phone number is used to take over identities and accounts in higher-value industries.

Throughout 2025, Flashpoint monitored 10,475 channels and 17,612 unique authors involved in these transactions. Telegram remains a primary hub for these collaborations, though recent platform bans on illicit groups may push activity toward more private encrypted services like Signal in 2026. That shift underscores that visibility into illicit marketplaces and the messaging channels that host them is now essential for proactive risk management.

Identifying internal threat actors targeting telecoms and beyond

Insiders—people with authorised access—can bypass traditional security controls in ways external actors cannot. Motivations vary, including financial gain, ideological grievances, coercion, or simple human error.

In one malicious incident in 2025, nine employees accessed personal data for more than 94,000 individuals to facilitate illegal purchases. In another case, a third-party contractor for a cryptocurrency firm compromised the data of 69,000 customers, triggering the dismissal of around 300 staff. Detecting these threats requires monitoring both technical signals and behavioural indicators.

Non-technical signs often emerge as deviations from established baselines: impulsive behaviour, social withdrawal, or uncharacteristic non-compliance with policies. Financial changes are also telling—sudden debt, unexplained income, or a sudden change in lifestyle may indicate an employee is selling access on illicit forums.

Common red flags include:

  • Atypical working hours: Working late or at unusual times can indicate attempts to act when oversight is reduced.
  • Unusual overseas travel: Undeclared travel or trips inconsistent with job duties can suggest recruitment by foreign or state-sponsored actors.
  • Access resistance: Employees who hoard privileges, resist oversight, or request data beyond their role may have malicious intent.
  • Separation terms: Staff leaving under acrimonious circumstances or facing termination are at higher risk of misusing remaining access to retaliate or profit.

Technical safeguards and data handling

From a technical standpoint, unauthorised devices and shadow IT remain major sources of exposure. Devices and tools outside corporate control often store sensitive data or credentials and sit outside established security monitoring and operational controls.

Analysts also watch for irregular access patterns—employees probing systems or accessing information unrelated to their job functions—which may indicate mapping of exfiltration paths.

Network traffic monitoring adds another defensive layer. Unexplained increases in traffic volume, use of uncommon ports or protocols, large-scale downloads, unexpected use of encryption or tunnelling, or transfers to unauthorised destinations are high-priority indicators that data may be staged for removal.
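Several of the indicators above (atypical working hours from the red-flag list, access to systems unrelated to the job function, and outbound transfer volume far above normal) can be scored mechanically against each user's own history. The following is an added example, not code from the article or from any vendor named in it: a small triage over constructed audit records that flags a record only when it deviates from that user's earlier baseline, so a night-shift employee is not flagged merely for working at night. The record fields, the role-to-system mapping and the thresholds are assumptions.

```python
"""Added example: baseline-relative insider triage over constructed audit logs.

Every record is judged against that user's *earlier* records only, so the
baseline is not contaminated by the event being scored. Field layout,
role mapping and thresholds are assumptions for illustration."""

from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records: (user, ISO timestamp, system, bytes_out)
AUDIT_LOG = [
    ("alice", "2025-03-03T09:15:00", "crm",            2_000_000),
    ("alice", "2025-03-04T10:02:00", "crm",            1_500_000),
    ("alice", "2025-03-05T11:30:00", "crm",            2_200_000),
    ("alice", "2025-03-06T10:05:00", "crm",            1_800_000),
    ("alice", "2025-03-07T02:17:00", "subscriber_db", 950_000_000),  # off-hours, out of role, bulk egress
    ("bob",   "2025-03-03T22:10:00", "billing",        4_000_000),   # bob normally works nights
    ("bob",   "2025-03-04T23:05:00", "billing",        3_900_000),
    ("bob",   "2025-03-05T21:50:00", "billing",        4_100_000),
    ("bob",   "2025-03-06T22:30:00", "billing",        4_050_000),
]

# Assumption: systems each user's role legitimately needs, as maintained
# by the identity team. A user missing here is allowed nothing.
ROLE_SYSTEMS = {
    "alice": {"crm"},
    "bob":   {"billing"},
}

EGRESS_FACTOR = 20       # flag if bytes_out exceeds 20x the user's median
MIN_BASELINE_EVENTS = 3  # need this many prior events before judging hours/volume


def parse(rec):
    user, ts, system, nbytes = rec
    return user, datetime.fromisoformat(ts), system, nbytes


def baseline_hours(events):
    """Hours of day in which the user has previously been active."""
    return {t.hour for (_, t, _, _) in events}


def detect(records=AUDIT_LOG):
    """Return [(user, timestamp, [reasons])] for records that deviate from baseline."""
    history = defaultdict(list)
    findings = []
    for rec in map(parse, records):
        user, t, system, nbytes = rec
        prior = history[user]
        reasons = []
        # Role check needs no baseline: access outside the role is always notable.
        if system not in ROLE_SYSTEMS.get(user, set()):
            reasons.append(f"access to {system} outside role")
        if len(prior) >= MIN_BASELINE_EVENTS:
            # Treat one hour either side of previously seen hours as normal.
            normal = {(h + d) % 24 for h in baseline_hours(prior) for d in (-1, 0, 1)}
            if t.hour not in normal:
                reasons.append(f"activity at {t.hour:02d}:00 outside usual hours")
            base = median(b for (_, _, _, b) in prior)
            if base > 0 and nbytes > EGRESS_FACTOR * base:
                reasons.append(f"egress {nbytes} bytes > {EGRESS_FACTOR}x baseline {int(base)}")
        if reasons:
            findings.append((user, t.isoformat(), reasons))
        prior.append(rec)  # add to history only after scoring
    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect():
        print(user, ts)
        for r in reasons:
            print("  -", r)
```

Only Alice's 02:17 pull from the subscriber database is flagged, on all three counts; Bob's consistent late-evening billing work produces nothing, because "atypical" is measured against his own hours rather than a fixed office schedule. In practice the three signals would feed a case-management queue for human review alongside the behavioural indicators discussed earlier, not trigger automated action on their own.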

As AI tools evolve, both defenders and attackers will gain more sophisticated capabilities. Organisations can use AI to detect anomalies faster, while threat actors will increasingly apply automation to discover vulnerabilities and identify valuable datasets.

Ransomware groups are expected to continue recruiting insiders aggressively, especially within telecoms, exploiting human vulnerabilities through social engineering to bypass technical controls.

To maintain compliance and protect trade secrets, enterprise leaders should adopt a model of continuous verification. By tracking the scale of recruitment activity and understanding tactics such as SIM swapping and data exfiltration, telecom providers can better protect customers and their financial interests from the “threat within.”



Telecoms content is produced by TechForge Media.