New data reveals 31% of malicious insiders collude – but not in the way you think.
Introduction: The Myth of Isolation
We are conditioned to hunt for the “Lone Wolf.”
When we design insider risk programs, we typically build profiles based on the solitary actor: the disgruntled employee stewing in silence, the isolated spy, or the lone leaver stealing IP on their way out the door.
This assumption drives our detection strategy. We monitor individual baselines. We look for solitary deviations.
But new research presented at Black Hat Europe (December 2025) suggests this singular focus is leaving us blind to nearly a third of the threat landscape.
The “Lone Wolf” is often part of a pack – but a very specific, temporary kind of pack.
The Data: Shattering the 31% Ceiling
Michael Robinson’s analysis of 1,002 insider threat cases provides a startling correction to conventional wisdom. Contrary to the belief that conspiracy is rare due to the high risk of detection, the data shows that 31% of cases involved internal collusion.
The depth of this collaboration is what is most concerning. Of the 313 cases involving collusion:
- Scale: Approximately 240 cases involved groups of 2 or 3 employees acting in concert.
- Methodology: 111 cases involved actors sharing the exact same Tactics, Techniques, and Procedures (TTPs).
This creates a significant challenge for security teams. If two employees are using the same TTPs simultaneously, our tools often flag them as separate, unrelated incidents – if they flag them at all.
The “Trust Paradox”
Why has the industry historically underestimated collusion? Because logically, it shouldn’t happen this often.
Finding a co-conspirator is an inherently dangerous activity. To execute a joint attack, an insider must identify a like-minded colleague, test their willingness to break the rules, and trust them not to report the approach.
This is the “Trust Paradox.”
If you misjudge a colleague, you don’t just fail the mission; you lose your career or face prosecution. Yet, 1 in 3 malicious insiders are successfully leaping this hurdle.
They are identifying each other – likely through non-monitored channels like social clubs, coffee culture, or social media – and building enough trust to operationalise their intent.
The “Heist Crew” Effect: Transactional vs. Relational
This is where the data reveals its most critical nuance – one that most risk managers might miss.
It is easy to assume that these co-conspirators are partners for life, perhaps friends or close colleagues planning to leave together to start a competitor. However, Robinson’s data on post-incident behaviour suggests otherwise.
Out of 372 cases where perpetrators left to join a competitor or start a business, 207 went it alone.
This indicates that the collusion is mostly transactional, not relational, making the role of the ‘trust paradox’ even more interesting.
Think of it less like a marriage and more like a “Heist Crew”:
These are workers who form temporary alliances of convenience to overcome specific security controls (e.g., “I have the physical access, you have the system admin rights”). They take the risk of coming together to execute a specific plan for immediate benefit, but once the objective is achieved, they sever ties and go their separate ways.
Case Study: It Happens at the Highest Levels
This dynamic is not limited to corporate IP theft; it permeates the highest levels of national security.
Consider Britain’s 20-year ‘Operation Wedlock’ molehunt which broke in 2025. The investigation into an MI6 officer suspected of spying for Russia revealed that the subject was likely not acting alone, but rather working with two co-conspirators.
If intelligence officers can form these temporary cells, the barrier to entry for corporate employees is significantly lower.
The Strategic Pivot: From Individuals to Magnets
So, how do we adjust our defences?
If 31% of threats involve collusion, our detection logic must evolve from User-Centric to Relationship-Centric.
- Monitor for “Networks”: We need to look for common patterns. Are two employees accessing the same sensitive datasets at the same time? Are there inexplicable patterns of co-presence (digital or physical) between employees who have no business reason to collaborate?
- The “Magnet” Theory: Instead of just looking for the “needle” (the bad actor), we should look for the “magnets” that pull them together. This could be toxic sub-cultures within specific teams or external social factors that rally employees together against the organisation.
- Short-Term Signals: We must stop looking solely for long-standing friendships as a predictor of collusion. The data suggests we should be equally vigilant regarding short-term, opportunistic signals where employees with complementary objectives and access rights suddenly align.
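One way to express the relationship-centric check described in the list above, as an added example that is not from the original article or from Robinson's research. The log format, user names, team mapping, 15-minute window and hit threshold are all assumptions constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, sensitive dataset).
ACCESS_LOG = [
    ("2025-03-03T09:02", "alice", "pricing_model"),
    ("2025-03-03T09:07", "bob",   "pricing_model"),
    ("2025-03-03T09:30", "carol", "pricing_model"),
    ("2025-03-04T18:41", "bob",   "customer_master"),
    ("2025-03-04T18:49", "alice", "customer_master"),
    ("2025-03-05T11:00", "carol", "pricing_model"),
    ("2025-03-05T11:05", "alice", "pricing_model"),
    ("2025-03-06T14:00", "dave",  "customer_master"),
    ("2025-03-06T14:10", "bob",   "customer_master"),
]
# Constructed org data: users on the same team have a business reason to overlap.
TEAM = {"alice": "finance", "carol": "finance", "bob": "it-admin", "dave": "sales"}


def co_access_pairs(events, team, window=timedelta(minutes=15), min_hits=2):
    """Return {(user_a, user_b): [(day, dataset), ...]} for cross-team pairs that
    touched the same sensitive dataset within `window` at least `min_hits` times."""
    by_dataset = defaultdict(list)
    for ts, user, dataset in events:
        by_dataset[dataset].append((datetime.fromisoformat(ts), user))

    hits = defaultdict(set)
    for dataset, rows in by_dataset.items():
        rows.sort()
        for i, (t1, u1) in enumerate(rows):
            for t2, u2 in rows[i + 1:]:
                if t2 - t1 > window:
                    break  # rows are time-sorted, so later ones are further away
                # Same-team overlap is treated as expected collaboration.
                if u1 != u2 and team.get(u1) != team.get(u2):
                    hits[tuple(sorted((u1, u2)))].add((t1.date().isoformat(), dataset))

    # Keep only pairs whose overlap repeats; one coincidence is not a signal.
    return {pair: sorted(seen) for pair, seen in hits.items() if len(seen) >= min_hits}


if __name__ == "__main__":
    for pair, seen in co_access_pairs(ACCESS_LOG, TEAM).items():
        print(pair, seen)
```

The output is keyed by the pair rather than by the individual, so two users who each look unremarkable against their own baseline surface as a single finding for an analyst to review.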
Conclusion
The “Lone Wolf” will always exist. But ignoring the “Wolf Pack” – however temporary that pack may be – leaves a 31% gap in our defences.
By recognising the transactional nature of modern insider collusion, we can begin to spot the subtle signals of a “heist crew” forming before they execute their plan.
Further Reading
- Hopkins, N., and Isaac, A. (2025). UK launched huge operation to find suspected Russian double agent in MI6, The Guardian, https://www.theguardian.com/uk-news/2025/jun/27/uk-spy-operation-wedlock-suspected-russian-double-agent-mi6?CMP=share_btn_url
- Robinson, M. (2025). Understanding Trends & Patterns In Insider Threat: Analysis Of 1,000+ Cases, Black Hat Europe 2025, https://blackhat.com/eu-25/briefings/schedule/?#understanding-trends–patterns-in-insider-threat-analysis-of-1000-cases-49423
As published on LinkedIn.