The Invisible Workforce
How North Korean state actors, deepfake technology, and organized interview farms are embedding operatives inside European and global companies right now.
"The threat of unintentionally hiring North Korean IT workers is larger than most people realize. It is covert, it is global, and it is active right now."
The Numbers Don't Lie
What began as isolated incidents has become an industrial-scale global operation. These are the documented numbers — and they represent only what was caught.
Candidate profiles will be fake by 2028.
Your current hiring process was not designed for this. Nearly every Fortune 500 CISO has already encountered this threat inside their organization.
European Infiltration Map
CrowdStrike reports investigating European incidents daily. Sources: FBI, ENISA, CrowdStrike, Mandiant, Palo Alto Unit 42.
How the Attack Works
From a synthetic LinkedIn profile to an operative with admin access to your production systems — this is the five-stage playbook.
AI generates a complete synthetic persona: name, photo (ThisPersonDoesNotExist.com), LinkedIn profile, fabricated work history, AI-generated references, and identity documents using Midjourney. The persona is optimized for the target region — Western names, European addresses, convincing digital footprints.
Your intrusion detection system won't trigger — because there's no intrusion.
The operative has valid credentials, approved system access, and a legitimate employment contract. Traditional security doesn't catch this. The human firewall does.
Case File Dossiers
Thirteen documented incidents. Across multiple sectors. On three continents. All within 24 months.
Wang Brothers — U.S. Laptop Farm Operators Sentenced for DPRK IT Worker Scheme
On April 15, 2026, the U.S. Department of Justice announced the sentencing of two New Jersey residents — Kejia Wang (42, Edison) and Zhenxing Wang (39, New Brunswick) — for operating the domestic infrastructure backbone of a multi-year North Korean IT worker infiltration scheme. Kejia Wang received 108 months in prison; Zhenxing Wang, 92 months. Between 2021 and October 2024, the two men ran and coordinated a network of 'laptop farms' — physical arrays of hundreds of company-issued computers — that allowed overseas North Korean IT workers to appear as if they were physically present in the United States. Using KVM (keyboard-video-mouse) switches for remote access, the fake workers secured employment at more than 100 U.S. companies, including Fortune 500 firms, by exploiting the stolen identities of at least 80 American citizens. Kejia Wang traveled to Shenyang and Dandong, China in 2023 to coordinate with overseas handlers — including a former classmate he knew to be North Korean. The two men created shell companies — Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC — to receive and launder scheme proceeds, channeling millions to overseas co-conspirators. For their facilitation, the six U.S.-based participants collectively received nearly $700,000. The broader scheme generated over $5 million for the DPRK regime and caused at least $3 million in legal, remediation, and network damage costs to victim companies. In one case, an overseas co-conspirator remotely accessed a California-based AI defense contractor and exfiltrated data explicitly controlled under ITAR (International Traffic in Arms Regulations). Eight co-conspirators named in the original June 2025 indictment remain at large; the U.S. State Department's Rewards for Justice program is offering up to $5 million for information on their whereabouts. 
This case is the clearest judicial confirmation yet that the DPRK IT worker program is not a theoretical risk — it is an active, coordinated, state-sponsored operation with domestic U.S. infrastructure, real victims, real financial damage, and now, real prison sentences for those who enable it. The fundamental attack vector is unchanged: trust. Trusted identities, trusted vendors, trusted hiring processes — all weaponized through a single layer of human facilitation. Source: U.S. Department of Justice press release, April 15, 2026.
axios npm Package — Supply Chain RAT via One Compromised Account
In April 2026, Elastic Security Labs published an analysis of a supply chain attack on the axios npm package, one of the most widely used JavaScript libraries in the world, with over 100 million weekly downloads. An attacker compromised the credentials of a single package maintainer and published infected versions containing a cross-platform Remote Access Trojan (RAT) that runs on Windows, macOS, and Linux. The entire attack window lasted just 39 minutes. The blast radius needs careful reading: 100 million weekly downloads does not mean 100 million environments pulled the poisoned build, because those downloads are spread across the whole week. At a uniform rate that is roughly 10,000 downloads per minute, so on the order of 390,000 installs could have fetched an infected version inside a 39-minute window, and every one of them is a server, CI/CD runner, developer workstation, or production system that now has to be checked. Not every download leads to execution, but the attacker did not need all of them, only a fraction: even a 1% execution rate on that window is thousands of compromised hosts, and any build cache or mirror that kept a copy extends the exposure well past the 39 minutes. The relevance to insider threat and personnel security programs extends far beyond software: the attacker did not need to bypass a firewall, exploit a zero-day, or breach a hardened perimeter. They needed the credentials of one trusted person, one link in the chain. A compromised maintainer, a breached vendor, an infiltrated contractor: the principle is the same. Adversaries enter through the door you hold open because you trust what is on the other side. Organizations invest heavily in perimeter defenses while rarely asking the critical questions: Who is actually behind the supplier we trust? Who has access to systems we treat as inherently safe? What screening and due diligence was applied to the people working for us, directly or through a third party? This incident is a reminder that insider threat does not require a malicious employee. It requires only a trusted account in the wrong hands. One weak link is enough to break the entire chain.
Source: Elastic Security Labs — 'Axios: One RAT to Rule Them All.'
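One practical check the axios incident calls for, added here as an example (not code from the page, from Elastic Security Labs, or from the axios project): audit a package-lock.json for any dependency whose exact installed version was published inside a known incident window, and put the blast-radius arithmetic into a function so the estimate is explicit rather than implied. Everything in it is constructed: the lockfile, the registry metadata snapshot, and the version numbers and timestamps are placeholders, deliberately not the real affected axios versions; in a real audit the per-package `time` map would be fetched from https://registry.npmjs.org/<package>.

```python
"""Lockfile audit against a publish window, plus an explicit exposure estimate.

Added example, not from the page, Elastic Security Labs, or the axios project.
All data here is constructed: versions, timestamps and the lockfile are placeholders
and deliberately do NOT name the real affected axios versions.
"""
import json
from datetime import datetime, timedelta

# Constructed package-lock.json (lockfileVersion 3 layout) with hypothetical versions.
LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^9.9.0", "left-pad": "^1.3.0"}},
        "node_modules/axios": {"version": "9.9.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested dependency: the package name is the last path component
        "node_modules/axios/node_modules/follow-redirects": {"version": "1.15.0"},
    },
})

# Constructed snapshot of each package's registry `time` map (version -> publish timestamp).
# A real audit fetches it from https://registry.npmjs.org/<name>; these values are placeholders.
REGISTRY_TIME = {
    "axios": {
        "9.9.0": "2026-04-01T00:00:00.000Z",
        "9.9.1": "2026-04-05T12:10:00.000Z",  # falls inside the hypothetical window below
    },
    "left-pad": {"1.3.0": "2018-04-26T00:00:00.000Z"},
    "follow-redirects": {"1.15.0": "2022-05-01T00:00:00.000Z"},
}


def parse_ts(value):
    """Parse an npm registry timestamp (ISO 8601 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def installed_versions(lockfile_text):
    """Yield (package_name, exact_version) for every node_modules entry, nested ones included."""
    data = json.loads(lockfile_text)
    for path, entry in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project, not a dependency
        name = path.split("node_modules/")[-1]  # keeps scoped names such as @scope/pkg intact
        yield name, entry["version"]


def flag_in_window(lockfile_text, registry_time, window_start, window_minutes):
    """Return (name, version, published) for installed versions published inside the window.

    Packages missing from the metadata snapshot are skipped rather than assumed safe;
    a real audit should fetch their metadata and re-run.
    """
    start = parse_ts(window_start)
    end = start + timedelta(minutes=window_minutes)
    hits = []
    for name, version in installed_versions(lockfile_text):
        published = registry_time.get(name, {}).get(version)
        if published is None:
            continue
        if start <= parse_ts(published) <= end:
            hits.append((name, version, published))
    return sorted(hits)


def downloads_in_window(weekly_downloads, window_minutes):
    """Uniform-rate estimate of how many downloads a window of that length could have served.

    This is the correction to reading '100M weekly downloads' as '100M exposed environments':
    the weekly figure is spread across 7 * 24 * 60 minutes.
    """
    minutes_per_week = 7 * 24 * 60
    return round(weekly_downloads * window_minutes / minutes_per_week)


if __name__ == "__main__":
    print("exposed in a 39-minute window (uniform rate):", downloads_in_window(100_000_000, 39))
    for hit in flag_in_window(LOCKFILE, REGISTRY_TIME, "2026-04-05T12:00:00Z", 39):
        print("installed version published inside incident window:", hit)
```

Run against a real lockfile, the same function is what you would point at every repository and CI cache after a maintainer-account compromise: the lockfile tells you what was actually installed, the registry tells you when it was published, and the intersection is your list of hosts to rebuild. The uniform-rate estimate is a lower bound on the audit scope, not an infection count.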
Delve — Fake Compliance-as-a-Service
Delve, a Y Combinator-backed compliance startup ($32M Series A at a $300M valuation, led by Insight Partners), was accused of fabricating compliance certifications for hundreds of customers, a practice whistleblower 'DeepDelver' called 'structural fraud.' Delve generated auditor conclusions, test procedures, and final report evidence before any independent review occurred, then had partner audit firms (Accorp and Gradient, both India-based with only a nominal US presence) rubber-stamp the results. Customers received certifications claiming HIPAA, SOC 2, and GDPR compliance they had never actually achieved, exposing them to regulatory, and potentially criminal, liability and significant fines. 'By generating auditor conclusions before independent review, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is structural fraud that invalidates the entire attestation,' wrote DeepDelver. In addition, a security researcher separately reported accessing Delve's own sensitive data, including employee background checks and equity vesting schedules, through multiple 'gaping security holes' in its external attack surface. Delve halted all demos; Insight Partners deleted its investment blog post. Delve denies wrongdoing, calling the pre-filled evidence 'templates.' The direct relevance to insider threat programs: when onboarding IT vendors or staffing providers, organizations routinely accept compliance badges and background check certificates at face value. Delve shows such paperwork can be fabricated at industrial scale. Require the actual audit trail, not just the certificate, and always verify independently.
LPP Holding — Pardubice Arson Attack
On March 20, 2026, a warehouse at LPP Holding's Pardubice industrial facility was deliberately set ablaze. 'The Earthquake Faction' claimed responsibility, citing the company's alleged cooperation with Israeli drone manufacturer Elbit Systems. One warehouse destroyed; second building damaged; no casualties. The Ministry of Interior classified the event as a probable terrorist attack; BIS (Czech Security Information Service) joined the investigation. The operational precision of the attack raises questions about possible insider intelligence — shift schedules, camera positions, guard routines. UPDATE (March 24): The attack had a second dimension — the group also exfiltrated confidential documents from the facility during the assault. Days later, The Earthquake Faction issued an extortion letter demanding LPP Holding publicly distance itself from Elbit Systems and condemn the 'occupation of Palestine' by April 20 — or the stolen documents will be published. LPP maintains the Elbit collaboration was planned two years ago but never materialized. Three suspects were arrested (one in Slovakia, two in Czech Republic; US and Czech nationals). Intelligence analysts warn the 'pro-Palestinian' framing may be a deliberate smokescreen: LPP Holding supplies drones to Ukraine, giving Russia direct motive to disrupt the factory. 'The language is written to evoke left-wing activism — but you cannot draw conclusions from the text alone,' said analyst Josef Kraus. Whether this is genuine activism or a state-sponsored false flag operation remains unresolved.
Slavia Pojišťovna — Czech Insurance Provider
In March 2026, Czech insurance company Slavia Pojišťovna allegedly suffered a 150GB data exfiltration. Leaked data includes medical records, ultrasound imagery, insurance policies, accident and claims reports, and a customer database. The attacker exploited an Adminer vulnerability to deploy a webshell and reverse shell for persistent extraction. Critically, the threat actor claims active network access is still maintained at time of reporting. Investigation is ongoing — whether an insider facilitated initial access or lateral movement remains unconfirmed. This is a live case study in how external breach and insider threat converge.
Berlin Power Grid — Vulkangruppe Arson
In the early hours of January 4, 2026, far-left militant group Vulkangruppe (Volcano Group) set fire to high-voltage cables on a bridge over the Teltow canal near the Lichterfelde power station in south-west Berlin. The attack cut electricity to 45,000 households and 2,200 businesses across four districts, the longest blackout in Berlin's post-war history. Power was not fully restored until January 8, leaving ~100,000 people without heat for five days in below-freezing temperatures. Schools, hospitals, and care homes ran on emergency generators. In a 2,500-word statement, the group cited the climate crisis and AI data center energy consumption as its motivation, explicitly targeting 'the ruling class.' Authorities initially considered Russian state sabotage, underscoring the operational sophistication of the strike. The attack was not the group's first: Vulkangruppe previously claimed a 2024 arson at the Tesla gigafactory pylon and a September 2025 attack that blacked out south-east Berlin for 60 hours. The precision of target selection, disabling the specific cables with maximum grid impact, raises the question of whether reconnaissance benefited from insider knowledge of maintenance windows, patrol schedules, or cable routing. This remains uninvestigated.
NHS Synnovis Data Breach
A database administrator hired by NHS pathology contractor Synnovis — serving major London hospitals — spent six months systematically exfiltrating 4.2 million patient records: medical histories, mental health assessments, genetic test results. The breach directly contributed to a ransomware attack that disrupted services across multiple NHS facilities. The operative claimed British citizenship with flawless documentation.
Chapman Laptop Farm Operation
Christina Chapman, 50, operated 90 company-issued laptops at her Arizona home — all received on behalf of North Korean workers. She installed remote access software so operatives overseas could work as if in the US. Result: 309 fraudulent hires across major US companies, $17.1M in illicit revenue. Nearly 70 Americans had their identities stolen. Nike confirmed it was among the victims. Chapman received an 8.5-year prison sentence.
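The laptop farm pattern in the Wang and Chapman cases leaves telemetry that an endpoint team can query: dozens of company-issued devices, belonging to different employees, all egressing from one residential address, often with remote-access tooling installed and with an operating-system time zone that does not match the country HR has on file. The following is an added example, not code from the page or from either investigation. It runs those three checks over constructed check-in records; the device IDs, user names, IP addresses (RFC 5737 documentation ranges), field names and the country-to-offset table are all assumptions.

```python
"""Laptop farm indicators over endpoint check-in telemetry.

Added example, not from the page or from any cited investigation. All records below are
constructed; device IDs, user names and IPs (RFC 5737 documentation ranges) are placeholders.
"""
from collections import defaultdict

# Constructed check-in records as an EDR/MDM export might provide them (field names assumed).
CHECKINS = [
    {"device": "LT-0101", "employee": "j.miller", "hr_country": "US", "egress_ip": "203.0.113.7",  "os_tz": "-07:00", "remote_tools": []},
    {"device": "LT-0102", "employee": "a.chen",   "hr_country": "US", "egress_ip": "203.0.113.7",  "os_tz": "+09:00", "remote_tools": ["AnyDesk"]},
    {"device": "LT-0103", "employee": "r.patel",  "hr_country": "US", "egress_ip": "203.0.113.7",  "os_tz": "-07:00", "remote_tools": []},
    {"device": "LT-0104", "employee": "s.novak",  "hr_country": "CZ", "egress_ip": "198.51.100.2", "os_tz": "+02:00", "remote_tools": []},
    {"device": "LT-0105", "employee": "m.weber",  "hr_country": "DE", "egress_ip": "198.51.100.9", "os_tz": "+08:00", "remote_tools": ["TeamViewer"]},
]

# Simplified assumption: plausible UTC offsets (whole hours) per HR country.
EXPECTED_OFFSETS = {
    "US": {-10, -9, -8, -7, -6, -5, -4},
    "DE": {1, 2},
    "CZ": {1, 2},
}


def tz_hours(offset):
    """'+09:00' -> 9, '-07:00' -> -7 (half-hour zones are truncated to the hour)."""
    return int(offset[:3])


def shared_egress(checkins, min_employees=3):
    """One finding per public IP used by at least min_employees different employees' devices."""
    by_ip = defaultdict(dict)  # ip -> {employee: device}
    for rec in checkins:
        by_ip[rec["egress_ip"]][rec["employee"]] = rec["device"]
    return [
        {"rule": "shared_egress", "ip": ip, "devices": sorted(users.values())}
        for ip, users in by_ip.items() if len(users) >= min_employees
    ]


def remote_tooling(checkins):
    """One finding per device that has any remote-access tool installed."""
    return [
        {"rule": "remote_tooling", "device": rec["device"], "tools": list(rec["remote_tools"])}
        for rec in checkins if rec["remote_tools"]
    ]


def timezone_mismatch(checkins, expected=EXPECTED_OFFSETS):
    """One finding per device whose OS time zone is not plausible for the HR country."""
    findings = []
    for rec in checkins:
        allowed = expected.get(rec["hr_country"])
        if allowed is not None and tz_hours(rec["os_tz"]) not in allowed:
            findings.append({"rule": "timezone_mismatch", "device": rec["device"],
                             "hr_country": rec["hr_country"], "os_tz": rec["os_tz"]})
    return findings


def audit(checkins):
    """Run all checks and return the combined finding list."""
    return shared_egress(checkins) + remote_tooling(checkins) + timezone_mismatch(checkins)


def high_risk_devices(findings, min_rules=2):
    """Devices that trip at least min_rules distinct rules, sorted by device ID."""
    rules_per_device = defaultdict(set)
    for f in findings:
        for device in f.get("devices", [f.get("device")]):
            rules_per_device[device].add(f["rule"])
    return sorted(d for d, rules in rules_per_device.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    results = audit(CHECKINS)
    for f in results:
        print(f)
    print("devices to pull for review:", high_risk_devices(results))
```

The shared-egress rule is the one that catches a hardware KVM setup, because a KVM-over-IP box leaves nothing to find on the laptop itself; the other two rules add confidence but are not required. Three employees on one residential IP can have an innocent explanation (a shared office, a family), so treat the output as a review queue for HR and security together, not an automatic block.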
European Interview Farm Operations
Czech IT recruiters documented a consistent pattern: perfect resumes, flawless written communication, then on video calls — cameras 'malfunctioning', multiple voices in background, IP addresses showing Asian locations despite EU residence claims. When confronted, candidates immediately disconnected and never responded again. In 9 of 10 such cases, the candidate vanished. CrowdStrike has since confirmed laptop farms in Romania and Poland.
German Energy Infrastructure Operator
A major German energy operator (classified under EU CER Directive and KRITIS) discovered an IT contractor had gained privileged access to operational technology systems. The contractor, claiming credentials from Eastern European firms, was later identified as a fraudulent operative. The breach triggered mandatory incident reporting under NIS2 and German KRITIS regulations, and exposed vulnerabilities in third-party contractor screening policies.
Warsaw Financial Institution
A senior developer at a Warsaw financial firm worked for 8 months before his scheme was uncovered: he had embedded code that rounded down wire transfers by fractions of a cent, diverting the difference to cryptocurrency wallets. Over 8 months, €840,000 was siphoned. His Polish citizenship documents and claimed employment history at Estonian and Lithuanian banks were entirely AI-fabricated. Polish regulators used the case to push for enhanced personnel security in finance.
KnowBe4 — A Cybersecurity Company
KnowBe4 — a company that trains organizations on cybersecurity — inadvertently hired a North Korean IT worker. He passed background checks, conducted professional interviews, and received a company laptop. Within minutes of receiving it, he attempted to load malware onto the corporate workstation. Security systems detected the suspicious activity before damage occurred. The incident became a landmark case study in the threat.
Czech Cloud Services Company
A software developer named 'Denys Emil L.' claimed Danish citizenship and applied via LinkedIn. Documents looked professional — but Scaut's analysts found they were AI-generated fakes. He had borrowed a real Danish citizen's identity and trade license. Investigation revealed a Chinese national systematically targeting multiple Western tech companies simultaneously, later linked to a North Korean-affiliated group.
Spot the Fake
Below is a real candidate profile that came through a European tech company's hiring pipeline. Every element that should have been a red flag was missed by their HR team. Can you spot them?
Is Your Organization at Risk?
8 questions. No login required. Designed for HR leaders, CISOs, and security teams. Find out where your hiring process is most vulnerable.
When you hire someone, do you verify their identity documents independently (not just accept copies)?
How do you verify a candidate's previous employment?
For remote hires, how do you conduct video interviews?
Do you screen contractors and third-party service providers to the same standard as employees?
For candidates who have lived outside the hiring country (EU nationals returning from abroad, or non-EU hires), do you verify foreign criminal records?
Is there clear ownership between HR and cybersecurity teams for employment fraud prevention?
Are your recruiters trained to detect deepfakes and interview-farm red flags?
After hiring, do you continuously monitor privileged employees for behavioral anomalies?
INTELLIGENCE BRIEFING
Listen & Watch
Explore the threat in depth — through an AI-generated podcast and an upcoming video briefing.
Deepfake Workers Fund North Korean Nukes
An AI-generated deep-dive into how North Korean IT workers are systematically funding weapons programs through employment fraud — and what organizations can do right now.
The Invisible Workforce — Video Briefing
A visual walkthrough of the full threat report — covering the infiltration tactics, real-world cases, and what your organisation can do right now.
The Human Firewall
Background screening is your first and most critical line of defense. Here's what to look for — and what to do.
Strategic Recommendations
Assign clear ownership
Create a cross-functional team (HR + IT Security + Legal). Employment fraud prevention must have an owner — not fall between departments.
Mandate video with verification
Require video for all remote interviews. Ask candidates to describe their surroundings. Request environmental checks. Record interviews for review.
Deploy document authentication
Use Regula Forensics, Trustmatic, or Scaut to verify identity documents. AI-generated IDs are often indistinguishable to the naked eye, so visual inspection by a recruiter is not a control.
Extend screening to contractors
Fraudulent candidates are found 3–4× more often in contractor pipelines. Make background verification a contractual obligation for all third parties with system access.
Train recruiters on deepfakes
Specific deepfake detection techniques: hand wave test, window description, audio desync. FBI guidance is publicly available — distribute it.
Implement continuous monitoring
Pre-employment screening is not enough. Monitor privileged users for behavioral anomalies post-hire. The NHS breach ran 6 months before detection.
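What 'monitor privileged users for behavioral anomalies' looks like in practice, as an added example that is not code from the page or from the NHS/Synnovis investigation: the script below parses constructed database audit log lines (the log format, user names and table names are placeholders), baselines each user's daily export volume against that user's own earlier days, flags spikes together with how many of that day's events happened off-hours, and, because a six-month trickle never produces a spike, also compares each user's cumulative volume against their peers.

```python
"""Post-hire anomaly detection over database audit logs.

Added example, not from the page or from any cited investigation. The log lines, users,
tables and the log format itself are constructed placeholders.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit log: three quiet days, then one user exports two large tables at 02:00 UTC.
LOG = """\
2026-01-05T09:12:01Z user=dba01 action=EXPORT rows=1500 table=patients
2026-01-05T10:40:11Z user=dba02 action=EXPORT rows=2100 table=claims
2026-01-06T09:03:44Z user=dba01 action=EXPORT rows=1800 table=patients
2026-01-06T11:22:09Z user=dba02 action=EXPORT rows=1900 table=claims
2026-01-07T08:55:30Z user=dba01 action=EXPORT rows=1600 table=patients
2026-01-07T12:01:00Z user=dba02 action=EXPORT rows=2300 table=claims
2026-01-08T02:14:05Z user=dba01 action=EXPORT rows=48000 table=patients
2026-01-08T02:41:50Z user=dba01 action=EXPORT rows=52000 table=genetic_tests
2026-01-08T10:05:12Z user=dba02 action=EXPORT rows=2000 table=claims
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) rows=(?P<rows>\d+) table=(?P<table>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "user": m["user"],
            "action": m["action"],
            "rows": int(m["rows"]),
            "table": m["table"],
        })
    return events


def daily_totals(events):
    """user -> {date: total rows exported that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date()] += e["rows"]
    return totals


def spike_anomalies(events, factor=5.0, min_history=3, business_hours=(7, 19)):
    """Flag user-days exceeding factor x the median of that user's own earlier days.

    Each finding also counts how many of that day's events fell outside business hours (UTC).
    """
    totals = daily_totals(events)
    findings = []
    for user, by_day in totals.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough of the user's own history to call a baseline
            baseline = statistics.median(history)
            if by_day[day] > factor * baseline:
                off_hours = sum(
                    1 for e in events
                    if e["user"] == user and e["ts"].date() == day
                    and not (business_hours[0] <= e["ts"].hour < business_hours[1])
                )
                findings.append({"user": user, "day": day.isoformat(), "rows": by_day[day],
                                 "baseline": baseline, "off_hours_events": off_hours})
    return findings


def cumulative_outliers(events, peer_factor=3.0):
    """Users whose total export volume exceeds peer_factor x the median of all other users.

    A slow, steady exfiltration never trips a daily spike check; the cumulative view does.
    """
    totals = {u: sum(d.values()) for u, d in daily_totals(events).items()}
    outliers = []
    for user, total in totals.items():
        peers = [t for u, t in totals.items() if u != user]
        if peers and total > peer_factor * statistics.median(peers):
            outliers.append(user)
    return sorted(outliers)


if __name__ == "__main__":
    events = parse(LOG)
    for f in spike_anomalies(events):
        print("spike:", f)
    print("cumulative outliers:", cumulative_outliers(events))
```

Both checks deliberately use medians rather than means so that one large day does not drag the baseline up and hide the next one. The peer comparison only works if the peer group is made of people with genuinely similar duties (DBAs against DBAs), and a new hire has no history of their own for the first few weeks, which is exactly when the cumulative view against peers matters most.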
The threat doesn't break in.
It gets invited.
Scaut is Europe's first provider of automated background screening purpose-built for the modern threat landscape. Founded in Prague in 2020, we track emerging threats — from state-sponsored employment fraud to supply chain attacks — and build the tools to stop them.
Sources: FBI, ENISA, CrowdStrike, Mandiant / Google Threat Intelligence Group, Palo Alto Unit 42, DTEX Systems, Okta, Gartner. Report compiled January 2026.
© 2026 Scaut.com — Advanced Background Screening, Prague, Czech Republic