Flash Report: Campaign to Recruit Cryptocurrency Insiders

by ZeroFox Intelligence

Key Findings

  • A newly registered and untested threat actor known as “LocalVulture” posted on popular dark web forum Exploit seeking potential partners to recruit insiders within large cryptocurrency exchanges—preferably those from “third-world” countries.
  • Notably, the actor provided a guidance manual and numerous specific suggestions on how to approach and profile prospective insiders. ZeroFox assesses this is a change in previously observed tactics that is likely to reinvigorate long-standing efforts among financially motivated threat actors to infiltrate and target major cryptocurrency exchanges.
  • In the post, LocalVulture shared three categories of insiders that recruitment partners should target. It is likely that the actor has identified these categories in order to exploit financially motivated and inexperienced crypto exchange employees who may be more easily swayed to provide insider knowledge.
  • LocalVulture specifies that, after identifying suitable insider targets for recruitment, partners are expected to rely on social engineering techniques to establish and maintain effective communication. ZeroFox assesses this indicates the actor is interested in conducting more sophisticated operations beyond financial fraud, such as ransomware deployment, data extortion, and cyber espionage.

Details

On January 20, 2026, newly registered and untested threat actor LocalVulture posted on popular dark web forum Exploit seeking potential partners to recruit insiders within large cryptocurrency exchanges—preferably those from “third-world” countries. Notably, the actor provided a guidance manual and numerous specific suggestions on how to approach and profile prospective insiders. ZeroFox assesses this is a change in previously observed tactics that is likely to reinvigorate long-standing efforts among financially motivated threat actors to infiltrate and target major cryptocurrency exchanges.

The actor explicitly mentioned interest in approaching individuals working for the following platforms:

  • CoinTracker
  • ZenLedger
  • Binance
  • CoinStats
  • CoinMarketCap
  • Robinhood

In the post, LocalVulture shared three categories of insiders that potential partners should target for recruitment. It is likely that the actor identified these categories in order to exploit financially motivated and inexperienced crypto exchange employees who may be more easily swayed to provide insider knowledge. These categories are:

  • Individuals from third-world countries
  • Support agents or employees in low-level positions
  • Individuals with a low follower count and little to no online engagement

LocalVulture specifies that, after identifying suitable targets for insider recruitment, the partners are expected to rely on social engineering techniques to establish and maintain effective communication. The actor suggests approaching potential insiders with a friendly employment proposal, which would theoretically allow them to earn significantly more than their standard salary from the cryptocurrency company. 

  • LocalVulture recommended that their partners use open-source intelligence (OSINT) tools (such as csint[.]tools, search[.]api-dev, rocketreach[.]co, and LinkedIn) to identify and profile potential insiders.
  • The actor promised potential partners a reward of USD 5,000 per recruited insider, along with 15 percent of all profits generated via each insider. This payment would be issued once the insider’s recruitment is confirmed and their details—likely meaning name, company, and country of employment—are successfully forwarded to LocalVulture.
  • LocalVulture joined Exploit on January 8, 2026, and has yet to garner a significant reputation on the forum. As of writing, ZeroFox cannot confirm the actor’s credibility.

The importance of utilizing insiders in large-scale cybercrime campaigns has often been underestimated. In this case, LocalVulture (which may be a group of actors) is motivated to conduct financial fraud; however, they are also seeking to leverage insiders, likely in order to conduct more sophisticated operations, such as ransomware deployment, data extortion, and cyber espionage. It is very likely that this proposed campaign will receive significant traction among financially motivated threat actors, as the majority of the risk lies with the recruited insider rather than the threat actor.

Recommendations

  • Develop a comprehensive incident response strategy.
  • Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
  • Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EST) on February 6, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
