For telecom boardrooms, the protection of assets against threat actors is a high-stakes battle for operational resilience and brand trust.
While multi-million dollar security stacks are designed to keep external adversaries at bay, 2025 data suggests that the most effective exploit remains the human element. Flashpoint recorded 91,321 instances of insider recruitment, advertising, and illicit discussions last year, proving that it is often more efficient for a criminal to buy access than to build a complex technical bypass.
The telecoms industry sat at the very epicentre of this activity in 2025, accounting for 42 percent of all observed insider-related posts. This concentration stems from the sector’s gatekeeper status in identity verification.
By recruiting carrier employees, attackers facilitate SIM swapping (a technique where a victim’s phone number is ported to a card under the attacker’s control). Once the link is established, the criminal receives the victim’s calls and messages, allowing them to bypass SMS-based two-factor authentication and gain entry to sensitive corporate or financial accounts.
In terms of supply (i.e. employees actively advertising their services), telecoms leads all other sectors. However, when looking at demand from threat actors soliciting access, the technology and financial sectors rank higher. This suggests that while carrier employees are the most frequent “sellers” on illicit forums, they are often used as a stepping stone to infiltrate other high-value industries through identity theft.
Throughout 2025, Flashpoint monitored 10,475 channels and 17,612 unique authors involved in these transactions. Telegram remains a primary hub for these collaborations, though recent platform bans on illicit groups may drive activity toward encrypted services like Signal in 2026. This evolution means that visibility into these dark web marketplaces is now a prerequisite for proactive risk management.
Identifying internal threat actors targeting telecoms and beyond
Insiders, defined as any individual with authorised access, possess a unique ability to bypass traditional security gates. Their motivations vary from financial gain and ideological grievances to simple human error.
In one malicious case from 2025, nine employees accessed the personal data of over 94,000 individuals to facilitate illegal purchases. In another, a third-party contractor for a cryptocurrency firm compromised 69,000 customers, leading to the dismissal of 300 staff members. Spotting these threats requires monitoring both technical and behavioural markers.
Non-technical indicators often involve deviations from a known baseline, such as impulsive behaviour, social withdrawal, or uncharacteristic non-compliance with company policies. Financial changes are equally telling; an employee facing sudden debt or displaying unexplained wealth may be creating additional funding streams by selling their insider access to threat actors via illicit forums.
Other red flags include:
- Atypical working hours: Actors may use after-hours work to pursue illicit activity when there is less oversight.
- Unusual overseas travel: Undocumented travel can indicate recruitment by foreign state-sponsored actors.
- Access resistance: An employee who is overprotective of access privileges or requests sensitive data beyond their role may have malicious intent.
- Separation terms: Staff leaving under unfavourable circumstances are at an increased risk of seeking revenge through remaining access.
Technical safeguards and data handling
From a technical perspective, the use of unauthorised devices remains a primary vulnerability. These tools fall outside the scope of corporate operational security but often carry sensitive data and configurations.
Analysts also point to irregular access patterns – where an employee maps the limits of their privileges in areas of information unrelated to their job function – as a sign that they are evaluating exfiltration capabilities.
Network traffic monitoring provides another layer of defence. An unexplained increase in traffic, or the use of uncommon ports and protocols, can indicate that data is being prepared for removal. Large-scale downloads, unusual encryption, or data being sent to unauthorised destinations serve as high-priority warnings.
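The network indicators above (a traffic increase against baseline, uncommon ports, unauthorised destinations) together with the atypical-hours flag can be combined into one per-user check. The following is an added example, not part of the original article or any vendor's tooling; the flow-record format, allow-lists, working hours and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Assumed policy values (hypothetical; tune per environment).
ALLOWED_PORTS = {53, 80, 443}
APPROVED_SUFFIXES = (".corp.example",)
WORK_HOURS = range(7, 20)   # 07:00-19:59 local time
SPIKE_SIGMA = 3.0           # deviations above a user's own daily baseline

# Constructed sample flows: timestamp user destination port bytes_out
SAMPLE = """\
2025-03-03T10:02:11 alice files.corp.example 443 1200000
2025-03-04T11:15:40 alice files.corp.example 443 1500000
2025-03-05T09:48:03 alice files.corp.example 443 1100000
2025-03-07T02:13:55 alice storage.external.example 8443 950000000
2025-03-03T09:30:00 bob mail.corp.example 443 800000
2025-03-04T09:31:00 bob mail.corp.example 443 900000
2025-03-05T09:29:00 bob mail.corp.example 443 850000
2025-03-07T09:30:00 bob mail.corp.example 443 910000
"""

def parse(text):
    for line in text.splitlines():
        ts, user, dest, port, size = line.split()
        yield datetime.fromisoformat(ts), user, dest, int(port), int(size)

def score_flows(text):
    """Return {user: sorted reasons} for flows seen on the most recent day."""
    flows = list(parse(text))
    last_day = max(ts.date() for ts, *_ in flows)
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes out
    for ts, user, _, _, size in flows:
        daily[user][ts.date()] += size
    alerts = defaultdict(set)
    today = [f for f in flows if f[0].date() == last_day]
    for ts, user, dest, port, _ in today:
        if port not in ALLOWED_PORTS:
            alerts[user].add("uncommon-port")
        if not dest.endswith(APPROVED_SUFFIXES):
            alerts[user].add("unapproved-destination")
        if ts.hour not in WORK_HOURS:
            alerts[user].add("after-hours")
    for user, days in daily.items():
        history = [b for d, b in days.items() if d != last_day]
        if len(history) >= 3 and last_day in days:
            # Floor the deviation so a perfectly flat baseline still has a margin.
            limit = mean(history) + SPIKE_SIGMA * max(pstdev(history), 1.0)
            if days[last_day] > limit:
                alerts[user].add("volume-spike")
    return {u: sorted(r) for u, r in alerts.items()}
```

A user who trips several reasons on the same day is a stronger lead for review than any single indicator in isolation.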
As AI technologies advance, the tools available to both defenders and attackers will grow in sophistication. While AI will help organisations identify anomalies more quickly, threat actors will also use these tools to automate the search for vulnerabilities and sensitive datasets.
Ransomware threat actors are expected to continue their aggressive recruitment of insiders, especially in telecoms, exploiting human vulnerabilities through social engineering to bypass technical barriers.
To maintain compliance and protect proprietary trade secrets, enterprise leaders must move to a model of continuous verification. By understanding the volume of recruitment activity and the specific tactics used in SIM swapping and data exfiltration, telecoms providers can better shield their customers and their bottom lines from the “threat within”.