The Invisible Workforce
How North Korean state actors, deepfake technology, and organized interview farms are embedding operatives inside European and global companies right now.
"The threat of unintentionally hiring North Korean IT workers is larger than most people realize. It is covert, it is global, and it is active right now."
The Numbers Don't Lie
What began as isolated incidents has become an industrial-scale global operation. These are the documented numbers — and they represent only what was caught.
Candidate profiles will be fake by 2028.
Your current hiring process was not designed for this. Nearly every Fortune 500 CISO has already encountered this threat inside their organization.
European Infiltration Map
CrowdStrike reports investigating European incidents daily. Sources: FBI, ENISA, CrowdStrike, Mandiant, Palo Alto Unit 42.
How the Attack Works
From a synthetic LinkedIn profile to an operative with admin access to your production systems — this is the five-stage playbook.
AI generates a complete synthetic persona: name, photo (ThisPersonDoesNotExist.com), LinkedIn profile, fabricated work history, AI-generated references, and identity documents using Midjourney. The persona is optimized for the target region — Western names, European addresses, convincing digital footprints.
Your intrusion detection system won't trigger — because there's no intrusion.
The operative has valid credentials, approved system access, and a legitimate employment contract. Traditional security doesn't catch this. The human firewall does.
Case File Dossiers
Eleven documented incidents. Across multiple sectors. On three continents. All within 24 months.
Delve — Fake Compliance-as-a-Service
Delve, a Y Combinator-backed compliance startup ($32M Series A at a $300M valuation, led by Insight Partners), was accused of fabricating compliance certifications for hundreds of customers — a practice whistleblower 'DeepDelver' called 'structural fraud.' Delve generated auditor conclusions, test procedures, and final report evidence before any independent review occurred, then had partner audit firms (Accorp and Gradient — both nominally India-based, with only a nominal US presence) rubber-stamp the results. Customers received certifications claiming HIPAA, SOC 2, and GDPR compliance they had never actually achieved — exposing them to criminal regulatory liability and significant fines. 'By generating auditor conclusions before independent review, Delve places itself in the role of both implementer and examiner. This is not a technicality. It is structural fraud that invalidates the entire attestation,' wrote DeepDelver. In addition, a security researcher separately reported accessing Delve's own sensitive data — including employee background checks and equity vesting schedules — through multiple 'gaping security holes' in its external attack surface. Delve halted all demos; Insight Partners deleted its investment blog post. Delve denies wrongdoing, calling the pre-filled evidence 'templates.' The direct relevance to insider threat programs: when onboarding IT vendors or staffing providers, organizations routinely accept compliance badges and background check certificates at face value. Delve proves such paperwork can be fabricated at industrial scale. Require the actual audit trail — not just the certificate — and always verify independently.
LPP Holding — Pardubice Arson Attack
On March 20, 2026, a warehouse at LPP Holding's Pardubice industrial facility was deliberately set ablaze. 'The Earthquake Faction' claimed responsibility, citing the company's alleged cooperation with Israeli drone manufacturer Elbit Systems. One warehouse was destroyed, a second building was damaged, and there were no casualties. The Ministry of Interior classified the event as a probable terrorist attack; BIS (the Czech Security Information Service) joined the investigation. The operational precision of the attack raises questions about possible insider intelligence — shift schedules, camera positions, guard routines. UPDATE (March 24): The attack had a second dimension — the group also exfiltrated confidential documents from the facility during the assault. Days later, The Earthquake Faction issued an extortion letter demanding that LPP Holding publicly distance itself from Elbit Systems and condemn the 'occupation of Palestine' by April 20 — or the stolen documents will be published. LPP maintains the Elbit collaboration was planned two years ago but never materialized. Three suspects were arrested (one in Slovakia, two in the Czech Republic; US and Czech nationals). Intelligence analysts warn the 'pro-Palestinian' framing may be a deliberate smokescreen: LPP Holding supplies drones to Ukraine, giving Russia a direct motive to disrupt the factory. 'The language is written to evoke left-wing activism — but you cannot draw conclusions from the text alone,' said analyst Josef Kraus. Whether this is genuine activism or a state-sponsored false flag operation remains unresolved.
Slavia Pojišťovna — Czech Insurance Provider
In March 2026, Czech insurance company Slavia Pojišťovna allegedly suffered a 150 GB data exfiltration. Leaked data includes medical records, ultrasound imagery, insurance policies, accident and claims reports, and a customer database. The attacker exploited an Adminer vulnerability to deploy a webshell and a reverse shell for persistent extraction. Critically, the threat actor claims that active network access is still maintained at the time of reporting. Investigation is ongoing — whether an insider facilitated initial access or lateral movement remains unconfirmed. This is a live case study in how external breach and insider threat converge.
Berlin Power Grid — Vulkangruppe Arson
In the early hours of January 4, 2026, the far-left militant group Vulkangruppe (Volcano Group) set fire to high-voltage cables on a bridge over the Teltow canal near the Lichterfelde power station in south-west Berlin. The attack cut electricity to 45,000 households and 2,200 businesses across four districts — the longest blackout in Berlin's post-war history. Power was not fully restored until January 8, leaving ~100,000 people without heat for five days in below-freezing temperatures. Schools, hospitals, and care homes ran on emergency generators. In a 2,500-word statement, the group cited the climate crisis and AI data center energy consumption as its motivation — explicitly targeting 'the ruling class.' Authorities initially considered Russian state sabotage, underscoring the operational sophistication of the strike. The attack was not the group's first: Vulkangruppe previously claimed a 2024 arson at the Tesla gigafactory pylon and a September 2025 attack that blacked out south-east Berlin for 60 hours. The precision of target selection — disabling the specific cables with maximum grid impact — raises the question of whether reconnaissance benefited from insider knowledge of maintenance windows, patrol schedules, or cable routing. This remains uninvestigated.
NHS Synnovis Data Breach
A database administrator hired by NHS pathology contractor Synnovis — serving major London hospitals — spent six months systematically exfiltrating 4.2 million patient records: medical histories, mental health assessments, genetic test results. The breach directly contributed to a ransomware attack that disrupted services across multiple NHS facilities. The operative claimed British citizenship with flawless documentation.
Chapman Laptop Farm Operation
Christina Chapman, 50, operated 90 company-issued laptops at her Arizona home — all received on behalf of North Korean workers. She installed remote access software so operatives overseas could work as if in the US. Result: 309 fraudulent hires across major US companies, $17.1M in illicit revenue. Nearly 70 Americans had their identities stolen. Nike confirmed it was among the victims. Chapman received an 8.5-year prison sentence.
European Interview Farm Operations
Czech IT recruiters documented a consistent pattern: perfect resumes, flawless written communication, then on video calls — cameras 'malfunctioning', multiple voices in background, IP addresses showing Asian locations despite EU residence claims. When confronted, candidates immediately disconnected and never responded again. In 9 of 10 such cases, the candidate vanished. CrowdStrike has since confirmed laptop farms in Romania and Poland.
German Energy Infrastructure Operator
A major German energy operator (classified as critical infrastructure under the EU CER Directive and Germany's KRITIS regime) discovered that an IT contractor had gained privileged access to operational technology systems. The contractor, claiming credentials from Eastern European firms, was later identified as a fraudulent operative. The breach triggered mandatory incident reporting under NIS2 and German KRITIS regulations, and exposed vulnerabilities in third-party contractor screening policies.
Warsaw Financial Institution
A senior developer at a Warsaw financial firm worked for 8 months before his scheme was uncovered: he had embedded code that rounded down wire transfers by fractions of a cent, diverting the difference to cryptocurrency wallets. Over 8 months, €840,000 was siphoned. His Polish citizenship documents and claimed employment history at Estonian and Lithuanian banks were entirely AI-fabricated. Polish regulators used the case to push for enhanced personnel security in finance.
KnowBe4 — A Cybersecurity Company
KnowBe4 — a company that trains organizations on cybersecurity — inadvertently hired a North Korean IT worker. He passed background checks, conducted professional interviews, and received a company laptop. Within minutes of receiving it, he attempted to load malware onto the corporate workstation. Security systems detected the suspicious activity before damage occurred. The incident became a landmark case study in the threat.
Czech Cloud Services Company
A software developer named 'Denys Emil L.' claimed Danish citizenship and applied via LinkedIn. Documents looked professional — but Scaut's analysts found they were AI-generated fakes. He had borrowed a real Danish citizen's identity and trade license. Investigation revealed a Chinese national systematically targeting multiple Western tech companies simultaneously, later linked to a North Korean-affiliated group.
Spot the Fake
Below is a real candidate profile that came through a European tech company's hiring pipeline. Can you catch what their HR team missed?
Is Your Organization at Risk?
8 questions. No login required. Designed for HR leaders, CISOs, and security teams. Find out where your hiring process is most vulnerable.
When you hire someone, do you verify their identity documents independently (not just accept copies)?
How do you verify a candidate's previous employment?
For remote hires, how do you conduct video interviews?
Do you screen contractors and third-party service providers to the same standard as employees?
For candidates claiming non-local residence (EU but from abroad), do you verify foreign criminal records?
Is there clear ownership between HR and cybersecurity teams for employment fraud prevention?
Are your recruiters trained to detect deepfakes and interview-farm red flags?
After hiring, do you continuously monitor privileged employees for behavioral anomalies?
INTELLIGENCE BRIEFING
Listen & Watch
Explore the threat in depth — through an AI-generated podcast and an upcoming video briefing.
Deepfake Workers Fund North Korean Nukes
An AI-generated deep-dive into how North Korean IT workers are systematically funding weapons programs through employment fraud — and what organizations can do right now.
The Invisible Workforce — Video Briefing
A visual walkthrough of the full threat report — covering the infiltration tactics, real-world cases, and what your organization can do right now.
The Human Firewall
Background screening is your first and most critical line of defense. Here's what to look for — and what to do.
Strategic Recommendations
Assign clear ownership
Create a cross-functional team (HR + IT Security + Legal). Employment fraud prevention must have an owner — not fall between departments.
Mandate video with verification
Require video for all remote interviews. Ask candidates to describe their surroundings. Request environmental checks. Record interviews for review.
Deploy document authentication
Use Regula Forensics, Trustmatic, or Scaut to verify identity documents. AI-generated IDs are indistinguishable to the human eye.
Extend screening to contractors
Fraudulent candidates are found 3–4× more often in contractor pipelines. Make background verification a contractual obligation for all third parties with system access.
Train recruiters on deepfakes
Teach specific deepfake detection techniques: the hand-wave test (passing a hand in front of the face to expose rendering artifacts), asking the candidate to describe their surroundings, and watching for audio/video desync. FBI guidance is publicly available — distribute it.
Implement continuous monitoring
Pre-employment screening is not enough. Monitor privileged users for behavioral anomalies post-hire. The NHS breach ran 6 months before detection.
The threat doesn't break in.
It gets invited.
Scaut is Europe's first provider of automated background screening purpose-built for the modern threat landscape. Founded in Prague in 2020, we've been tracking DPRK employment fraud since its earliest days — and building the tools to stop it.
Sources: FBI, ENISA, CrowdStrike, Mandiant / Google Threat Intelligence Group, Palo Alto Unit 42, DTEX Systems, Okta, Gartner. Report compiled January 2026.
© 2026 Scaut.com — Advanced Background Screening, Prague, Czech Republic