Reddit | Corporate Intelligence

The Insider Threat We Caught on Reddit: An Employee Selling Proprietary Data on a Burner Account

September 28, 2025

Outcome

Insider threat identified; employee terminated; criminal referral made; data exposure contained.

Background

TraxinteL's continuous dark web and forum monitoring service flagged a Reddit post in a data trading subreddit offering "premium access to [Client Company] internal databases" for cryptocurrency payment.

Investigation Methodology

  1. Post Analysis: The Reddit post was archived and analyzed for specificity — did the poster actually have access, or were they bluffing?
  2. Account Attribution: The Reddit account's entire post history was analyzed for personal details, timezone indicators, technical knowledge patterns, and language markers.
  3. Access Log Correlation: Working with the client's IT team, we correlated the types of data described in the post with database access logs to narrow the suspect pool.

Key Findings

  • The Reddit account's post history contained references to a specific programming language and framework used exclusively by the client company's engineering team.
  • Timezone analysis placed the poster in the same region as the company's primary engineering office.
  • A casual comment in an unrelated subreddit referenced a local restaurant near the office.
  • Database access logs showed that one employee had recently run unusual bulk data export queries matching the data types advertised.
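The access log correlation in step 3 and the last finding above can be sketched as follows. This is an added example, not TraxinteL's tooling or the client's data: the log layout, user and table names, post date and thresholds are all constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample audit log (not from the case): time, user, table, rows returned.
AUDIT_LOG = """\
2025-09-01T10:02:00,alice,customers,40
2025-09-02T11:15:00,alice,customers,55
2025-09-03T09:30:00,bob,invoices,120
2025-09-04T14:00:00,bob,invoices,90
2025-09-05T16:45:00,carol,customers,30
2025-09-08T10:10:00,carol,tickets,25
2025-09-19T23:40:00,carol,customers,250000
2025-09-20T00:05:00,carol,invoices,180000
2025-09-20T10:00:00,alice,customers,60
2025-09-21T13:20:00,bob,tickets,400000
"""

def find_bulk_exports(log_text, advertised_tables, post_date,
                      lookback_days=14, ratio=50, min_rows=10_000):
    """Rank users whose exports from advertised tables, shortly before the
    post, dwarf their own earlier query sizes. Thresholds are assumptions."""
    window_start = post_date - timedelta(days=lookback_days)
    baseline = defaultdict(list)  # user -> row counts before the window
    recent = defaultdict(list)    # user -> (table, rows) inside the window
    for ts, user, table, rows in csv.reader(io.StringIO(log_text)):
        when, rows = datetime.fromisoformat(ts), int(rows)
        if when > post_date:
            continue  # activity after the post cannot explain it
        if when < window_start:
            baseline[user].append(rows)
        elif table in advertised_tables:
            recent[user].append((table, rows))
    suspects = []
    for user, queries in recent.items():
        usual = median(baseline[user]) if baseline[user] else 0
        hits = [(t, r) for t, r in queries
                if r >= min_rows and r >= ratio * usual]
        if hits:
            suspects.append({"user": user,
                             "tables": sorted({t for t, _ in hits}),
                             "rows": sum(r for _, r in hits)})
    # Most advertised tables touched first, then largest volume.
    return sorted(suspects, key=lambda s: (-len(s["tables"]), -s["rows"]))

if __name__ == "__main__":
    # Constructed post date and advertised data types.
    for s in find_bulk_exports(AUDIT_LOG, {"customers", "invoices"},
                               datetime(2025, 9, 22)):
        print(s)
```

In the sample, bob's large export is not flagged because it touches a table that was not advertised. Filtering on the advertised data types is what narrows the pool to a single account.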

Outcome

The employee was identified, their access was immediately revoked, and a forensic analysis of their workstation confirmed data exfiltration. Criminal referral was made to the FBI. Total investigation time: 5 days.
