Insider Risk Revisited: Espionage, Encryption & Economics

In recent months, two high-profile incidents—one in the private sector and one within the U.S. government—have challenged long-standing assumptions about trust, access, and oversight.

The Rippling-Deel espionage case and the U.S. government’s “Signalgate” leak highlight how encrypted tools, remote work, and economic stressors have resurfaced longstanding vulnerabilities to insider activity. These incidents did not rely on malware or zero-days. Instead, they leveraged trust, limited visibility, and governance gaps. Together, they underscore that insider risk—whether malicious or inadvertent—remains a central threat vector for both commercial and government organizations.

Case Overview | Rippling-Deel Corporate Espionage

In March 2025, HR technology firm Rippling filed suit against its competitor Deel, alleging that Deel recruited a Rippling employee, Keith O’Brien, to act as a paid insider. According to a sworn affidavit, O’Brien admitted to sharing confidential Rippling materials over several months, including customer strategy documents, sales pipeline details, internal Slack messages, and competitive intelligence on Deel prospects.

O’Brien used encrypted messaging apps (Telegram, WhatsApp) to communicate with Deel’s executives, recorded his screen while searching internal systems, and exfiltrated files using disappearing messages. He was reportedly paid €5,000 per month, partly through Revolut, a digital finance app used for international transfers that also supports crypto, and partly in cryptocurrency routed through third parties. According to the filings, Deel executives coordinated the operation and instructed O’Brien to avoid leaving evidence of their communications.

The scheme was eventually discovered not by conventional detection controls but by deception: Rippling’s security team had planted a honeypot Slack channel labeled #d-defectors, a channel with no legitimate business purpose, so that any access to it would stand out as suspicious. O’Brien accessed the decoy, triggering an investigation.

Case Overview | Signalgate & the Federal Messaging Breakdown

Around the same time, U.S. officials were using Signal—a consumer encrypted messaging app—to coordinate discussions related to military operations in the Middle East. During the exchange, journalist Jeffrey Goldberg, editor-in-chief of The Atlantic, was inadvertently added to the group chat. The incident, now referred to as “Signalgate,” resulted in the unintentional disclosure of sensitive operational details, including strike timing and internal deliberations.

Signal was used for its encrypted, cross-platform functionality. However, the group lacked formal controls around participant verification and message governance. The presence of an unauthorized participant went unnoticed until portions of the conversation were publicly reported. The situation prompted internal reviews and broader discussion about secure communications protocols for sensitive government coordination.

Encrypted Comms, Out-of-Band Channels & the Governance Gap

Both incidents share a core issue: reliance on encrypted and out-of-band communication tools without corresponding governance. Signal, Telegram, WhatsApp, and similar platforms provide legitimate security benefits—end-to-end encryption, ephemeral messages, and rapid coordination—and organizations across the globe use them for official and unofficial business. In enterprise or mission-critical settings, however, they sit outside retention, e-discovery, and monitoring, and so create blind spots.

Ironically, U.S. agencies that once pushed for lawful-access mechanisms in encrypted apps have seemingly reversed their position. In December 2024, following the Salt Typhoon intrusions into U.S. telecommunications carriers, CISA published mobile communications guidance recommending that highly targeted individuals, including senior officials, use end-to-end encrypted messaging apps such as Signal to protect against foreign surveillance. This marked a sharp departure from prior FBI and DOJ stances that emphasized lawful access and metadata visibility.

Encryption now protects against external threats, but the same property that defeats an eavesdropper on the carrier network also defeats the organization’s own oversight. When messaging moves off-platform and out of view, traditional controls—logging, monitoring, retention, policy enforcement—are no longer effective, and any investigation depends on whatever an endpoint or a cooperating participant still retains.

Common Insider TTPs in Modern Enterprise Environments

Across recent incidents involving insider risk—whether intentional or inadvertent—a familiar set of tactics, techniques, and procedures (TTPs) continue to surface. These behaviors often bypass traditional security controls, not through advanced exploits, but by leveraging legitimate access and widely used technologies:

  • Encrypted Messaging Apps: Common platforms like Signal, Telegram, and WhatsApp provide secure, out-of-band communication channels that often fall outside enterprise monitoring scope.
  • Ephemeral Messages: Disappearing message features reduce the likelihood of post-incident discovery or audit.
  • Cryptocurrency and Fintech Payments: Crypto and consumer finance apps like Revolut can obscure the source, timing, and recipients of payments, and they sit outside the payroll and expense systems an employer can see.
  • Use of Personal Devices and Accounts: Data can be exfiltrated via screenshots, recordings, or uploads to personal accounts, often evading DLP tools that focus on file-level movement.
  • Shell Companies: Informal contracting or external “consulting” arrangements may provide plausible deniability for corporate espionage and complicate attribution.
  • Routine Access Misuse: These TTPs typically do not require elevated privileges. Instead, they rely on standard user access within cloud apps and collaboration platforms, where segmentation and behavioral monitoring may be insufficient or inconsistently applied.

These patterns show that insider activity can be technically unsophisticated and still high-impact. Organizations should assume these techniques are already in use against them and tune detection toward misuse of legitimate access rather than toward exploits.

Insider Risk in a Shifting Economic Landscape

Economic uncertainty continues to shape the risk environment for organizations. Supply chain disruptions, regional instability, and inflationary pressures are contributing to financial stress across multiple sectors. This strain is particularly acute for contractors, gig workers, and employees in regions facing heightened economic volatility.

These conditions increase the likelihood of financially motivated insider activity—whether driven by personal need, coercion, or opportunism. A third-party developer in Southeast Asia or a QA analyst in Eastern Europe may be more susceptible to outside inducement, especially if they have consistent access to sensitive systems and limited oversight.

In remote or distributed work models, individuals often operate with elevated trust and autonomy. Insider risk in these environments doesn’t always stem from malice—it can arise from rationalization, desperation, or subtle manipulation. Organizations must adapt their risk models to reflect this reality.

What Organizations Can Do

Organizations can’t fully eliminate insider risk, but they can reduce exposure and improve early detection. Key principles include:

  • Acknowledge the Threat Model: Treat insider threats as a first-class risk—not just disgruntled employees, but incentivized insiders operating in financial or geopolitical pressure environments.
  • Govern Encrypted Communications: Define approved apps for sensitive communication. Establish policies for ephemeral messaging and out-of-band coordination. Enforce usage with mobile device management and endpoint controls.
  • Enhance Detection and Logging: Deploy honeypots, deceptive content, and behavioral anomaly detection to flag unusual access patterns. Monitor for screen recording, file transfer, and anomalous access across time zones and device types.
  • Model for Economic and Geographic Stress: Identify high-access roles in high-risk geographies or vulnerable industries. Adjust access, segmentation, and review cycles accordingly.
  • Revisit Remote Work Assumptions: Implement context-aware access policies for remote staff and third parties. Restrict access based on device hygiene, location, and time of day. Know your gaps: no control can detect a phone camera pointed at a screen, so limit what any single account can see and reach in the first place.
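As an added example (not code from the original article or from Rippling’s security team), the Python sketch below applies the decoy-channel idea from the Rippling case and the detection principles listed above to a small set of constructed collaboration-platform audit events. It flags any touch of a planted decoy channel, activity outside working hours in the user’s home time zone, logins from an unenrolled device, and a per-user search-volume spike, then weights the findings so that one high-fidelity decoy hit escalates on its own while weak signals only escalate in combination. The event schema, user directory, the second decoy channel name, thresholds and weights are all assumptions; real platforms expose channel IDs and their own audit-log formats.

```python
"""Insider-risk detection rules over collaboration-platform audit events.

Added example. The event schema, user directory, second decoy channel and
thresholds are constructed for illustration and do not match any vendor's
real audit-log format.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed directory: each user's home UTC offset and enrolled device IDs.
DIRECTORY = {
    "alice": {"utc_offset": 1, "devices": {"dev-a1"}},
    "bob": {"utc_offset": -5, "devices": {"dev-b1", "dev-b2"}},
}
# Decoy channels planted by the security team; no legitimate workflow touches them.
DECOY_CHANNELS = {"#d-defectors", "#m-and-a-confidential"}
WORK_HOURS = range(7, 20)           # local hours treated as normal (assumption)
SEARCH_BASELINE_PER_DAY = 20        # assumed per-user daily search baseline
# Weights: decoy access is high-fidelity on its own; the rest are weak signals.
WEIGHTS = {"decoy_channel_access": 10, "unknown_user": 5,
           "search_volume_spike": 3, "unknown_device": 2, "off_hours_access": 1}
ESCALATE_AT = 5

# Constructed JSON-lines events (not real log data).
SAMPLE_EVENTS = """\
{"ts":"2025-03-03T09:12:00Z","user":"alice","action":"channel_view","channel":"#sales-pipeline","device":"dev-a1"}
{"ts":"2025-03-03T22:40:00Z","user":"alice","action":"channel_view","channel":"#d-defectors","device":"dev-a9"}
{"ts":"2025-03-03T14:05:00Z","user":"bob","action":"channel_view","channel":"#eng-general","device":"dev-b1"}
"""


def constructed_events():
    """Parse the sample lines and append a constructed burst of 25 searches by bob."""
    events = [json.loads(line) for line in SAMPLE_EVENTS.splitlines() if line.strip()]
    for minute in range(25):
        events.append({"ts": f"2025-03-03T15:{minute:02d}:00Z", "user": "bob",
                       "action": "search", "query": f"competitor {minute}",
                       "device": "dev-b1"})
    return events


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, directory=DIRECTORY):
    """Return (user, rule, detail) findings for the supplied events."""
    findings = []
    searches = Counter()
    for e in events:
        user = e["user"]
        profile = directory.get(user)
        if profile is None:
            findings.append((user, "unknown_user", e["ts"]))
            continue
        ts = parse_ts(e["ts"])
        # Rule 1: any touch of a decoy channel is worth investigating by itself.
        if e.get("channel") in DECOY_CHANNELS:
            findings.append((user, "decoy_channel_access", e["channel"]))
        # Rule 2: activity outside working hours in the user's home time zone.
        hour = (ts + timedelta(hours=profile["utc_offset"])).hour
        if hour not in WORK_HOURS:
            findings.append((user, "off_hours_access", f"local hour {hour:02d}"))
        # Rule 3: device not enrolled for this user.
        if e.get("device") not in profile["devices"]:
            findings.append((user, "unknown_device", e.get("device")))
        # Rule 4: accumulate searches per user per day for a volume check.
        if e["action"] == "search":
            searches[(user, ts.date())] += 1
    for (user, day), n in searches.items():
        if n > SEARCH_BASELINE_PER_DAY:
            findings.append((user, "search_volume_spike", f"{n} searches on {day}"))
    return findings


def score_users(findings):
    """Sum weighted findings per user so weak signals only matter in combination."""
    scores = Counter()
    for user, rule, _ in findings:
        scores[user] += WEIGHTS[rule]
    return dict(scores)


def escalate(scores, threshold=ESCALATE_AT):
    """Users whose aggregate score reaches the escalation threshold, sorted."""
    return sorted(u for u, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    found = detect(constructed_events())
    for f in found:
        print(f)
    print("escalate:", escalate(score_users(found)))
```

On the constructed input, alice’s single decoy access (combined with an off-hours login from an unenrolled device) escalates, while bob’s search burst alone stays below the threshold; in practice the weights and baselines would be tuned per role and per tenant, and the decoy rule should page on its own regardless of score.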

Closing Thoughts

The Rippling-Deel case and Signalgate are not isolated. They are indicators of a broader shift: insiders with routine access and unsupervised tools can now cause outsized damage, often without breaking any technical barriers.

Organizations should assume insider risk is not only possible, but increasingly likely—and design their controls, culture, and strategy accordingly.