In November 2025, cybersecurity giant CrowdStrike faced an uncomfortable reality. Not a zero‑day exploit, not a sophisticated nation-state intrusion, but something far more human. An insider within the company was caught leaking internal screenshots to hackers. The incident was quickly contained, but it sent shockwaves through the industry and reignited the conversation about insider threats: the risk that comes not from outside attackers but from the people already inside the walls.
What Happened Inside CrowdStrike
CrowdStrike disclosed that one of its employees had shared pictures of his computer screen externally. These screenshots later surfaced on Telegram, posted by the hacker collective known as Scattered Lapsus Hunters. The images included an Okta single sign-on dashboard, a tool used by employees to access internal applications.
The company stressed that this was not a technical breach. No systems were penetrated, no customer data was stolen. Instead, it was a case of deliberate insider misconduct. CrowdStrike terminated the employee’s access immediately, referred the case to law enforcement, and reassured customers that its infrastructure remained secure.
The Hackers’ Side of the Story
Hackers from ShinyHunters, part of the Scattered Lapsus Hunters collective, claimed they paid the insider $25,000 for access. They alleged that the insider provided authentication cookies that could have allowed them to impersonate employees.
They also claimed they attempted to purchase internal CrowdStrike reports about ShinyHunters and Scattered Spider, though those efforts failed. This detail suggests the insider was not only leaking screenshots but was allegedly negotiating with attackers for more sensitive data.
CrowdStrike’s quick detection prevented deeper compromise, but the hackers’ claims highlight how attackers are increasingly willing to recruit insiders directly rather than relying solely on technical exploits.
Who Are Scattered Lapsus Hunters?
The group behind the leak is not new. Scattered Lapsus Hunters is a supergroup made up of ShinyHunters, Scattered Spider, and Lapsus$. They are infamous for social engineering and insider recruitment tactics, often tricking employees or paying them to hand over access.
Earlier in 2025, they launched a massive campaign targeting Salesforce customers via Gainsight, breaching companies such as Google, Cisco, Allianz Life, Qantas, Adidas, Workday, and luxury brands under LVMH like Dior and Louis Vuitton. They even claimed responsibility for a breach at Jaguar Land Rover that caused damages of more than $220 million.
This pattern shows that insider recruitment is not a one‑off tactic. It is part of a broader strategy to bypass perimeter defenses and exploit trust.
Why This Case Matters
The CrowdStrike insider incident is significant for several reasons:
- Insider threats bypass defenses. Unlike malware or brute-force attacks, insiders already have legitimate access. Even screenshots of dashboards can reveal sensitive workflows.
- Financial motivation is real. The $25,000 payment demonstrates how attackers are willing to invest in insiders.
- Rapid detection is critical. CrowdStrike’s ability to detect and terminate the insider before deeper compromise prevented customer impact.
- Broader campaign context. This incident was part of a larger wave of attacks exploiting Salesforce and third‑party vendors, showing how attackers combine insider recruitment with supply chain compromises.
Lessons for the Industry
The CrowdStrike case underscores that cybersecurity is as much about people as it is about technology. Even the most advanced firms can be undermined when insiders choose to leak information.
Organizations must take insider threats seriously by:
- Implementing continuous monitoring of employee activity.
- Enforcing least privilege access controls.
- Conducting regular vetting and awareness training.
- Building a culture where employees understand the risks of collusion and the consequences of misconduct.
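One concrete form the first item can take is monitoring for the specific abuse the hackers claimed here: a legitimately issued SSO session cookie being replayed from somewhere other than the device it was issued to. The following is an added example written for this article, not CrowdStrike's or Okta's code; the log format, field names (session_id, ip, ua) and all event lines are constructed assumptions standing in for whatever an identity provider actually exports. It binds each session to the network and device context seen when the session started and flags any later use of the same session from a different context.

```python
import json

# Constructed sample events (NOT real identity-provider output; the field
# names are assumptions). One JSON record per line, as a SIEM might ingest.
# Session s-1001 is started by alice from her workstation and then reused
# from a different IP with a scripted client: the pattern a replayed cookie
# would leave behind. Session s-2002 is used consistently and must not alert.
SAMPLE_EVENTS = """
{"ts": "2025-11-20T09:00:01Z", "event": "session.start", "user": "alice", "session_id": "s-1001", "ip": "203.0.113.10", "ua": "Chrome/130 Windows"}
{"ts": "2025-11-20T09:05:12Z", "event": "app.access", "user": "alice", "session_id": "s-1001", "ip": "203.0.113.10", "ua": "Chrome/130 Windows"}
{"ts": "2025-11-20T09:07:44Z", "event": "app.access", "user": "alice", "session_id": "s-1001", "ip": "198.51.100.77", "ua": "curl/8.4"}
{"ts": "2025-11-20T09:10:00Z", "event": "session.start", "user": "bob", "session_id": "s-2002", "ip": "203.0.113.22", "ua": "Firefox/131 macOS"}
{"ts": "2025-11-20T09:12:30Z", "event": "app.access", "user": "bob", "session_id": "s-2002", "ip": "203.0.113.22", "ua": "Firefox/131 macOS"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_session_anomalies(events):
    """Bind each session id to the (ip, user agent) pair seen on its first event.

    Any later event carrying the same session id from a different pair is
    returned as a finding: the cookie is being presented from a context other
    than the one it was issued to, which is what cookie theft or sale looks like
    in the logs even though the credential itself is valid.
    """
    origin = {}    # session_id -> (ip, ua) observed at first sighting
    findings = []
    for ev in events:
        sid = ev["session_id"]
        ctx = (ev["ip"], ev["ua"])
        if sid not in origin:
            origin[sid] = ctx   # first sighting defines the expected context
            continue
        if ctx != origin[sid]:
            findings.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "session_id": sid,
                "expected": origin[sid],
                "observed": ctx,
            })
    return findings


def main():
    for f in find_session_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {f['ts']} user={f['user']} session={f['session_id']} "
              f"issued_to={f['expected']} used_from={f['observed']}")


if __name__ == "__main__":
    main()
```

In production the same check would key on whatever the provider's session identifier is, tolerate benign context changes (a VPN reconnect changes the IP but not the user agent) by scoring rather than hard-matching, and feed the alert into the workflow that revokes the session and the user's other active tokens.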
CrowdStrike’s swift response contained the damage, but prevention remains the ultimate goal. As attackers adapt, insider threat programs are no longer optional—they are essential.
Final Thoughts
The CrowdStrike insider incident is not just a story about one employee. It is a reminder that trust is both the foundation and the vulnerability of modern cybersecurity. Hackers know this, and they are exploiting it. For defenders, the challenge is clear: protect systems, but also protect against the human element.
CrowdStrike’s case will likely be studied for years as an example of how insider threats manifest and how rapid detection can prevent disaster. But it also raises a sobering question: how many other insiders are out there, waiting for the right offer?
Sources
- TechCrunch: CrowdStrike fires ‘suspicious insider’ who passed information to hackers
- BleepingComputer: CrowdStrike catches insider feeding information to hackers
- Cryptopolitan: CrowdStrike fires insider working with hackers
- Cybersecurity News: CrowdStrike Fires Insider for Sharing Internal System Details with Hackers