The evolving threat from within
A recent briefing, “The Threat from Within: A Growing Concern,”1 jointly published by ACAMS and Cifas,2 offered a framework for understanding the shifting landscape of risks posed by insiders operating within both public and private sector organizations.
Once narrowly defined as rogue traders or disgruntled employees, insider threats now encompass a broader range of risks. These include collusion with external threat actors, such as organized crime gangs, malicious insiders embedded for long-term exploitation (sometimes placed by state actors) and internal complacency leading to critical financial crime or cybersecurity control failures. This article unpacks this concerning phenomenon through the lens of several recent case studies that expose the breadth, complexity and cross-sectoral nature of insider-enabled fraud, money laundering, cybercrime and other malicious schemes.
ACAMS and Cifas highlighted a critical evolution: Insider threats are no longer confined to isolated incidents but are increasingly part of complex fraud and geopolitical money laundering schemes. Insiders may act as facilitators, enablers or gatekeepers―knowingly or through negligence―making internal oversight essential but difficult. In all the cases reviewed, insiders were pivotal to both the successful execution of the crime and the circumvention of existing controls.
All these cases involve a variety of environmental factors and should be considered based on their unique characteristics, such as predicate crime, organizational features and control frameworks.
Case studies:
1. A recent case emanating from Kenya demonstrates the potential scale of the risk insiders can present to a single financial institution (FI).3 An Equity Bank audit uncovered an $11.6 million (KSh 1.5 billion) insider fraud spanning a 90-day period. Stolen IT credentials from a senior payroll manager enabled over 40 unauthorized transfers to external accounts via payroll and mobile wallets. Staff across all levels and departments, including senior managers and junior clerks, were implicated―some due to direct collusion, others for failing to report suspicious activity. Ultimately, over 1,200 employees were sacked or laid off as part of an internal purge.
The fraud involved multiple methods: misdirection of mobile payments, unauthorized interbank transfers (including offshore) and the acceptance of customer “tips” or bribes. The scale of the purge exposed systemic governance weaknesses in internal controls and culture, anti-fraud personnel and routine forensic audits. The case illustrates how insider risk can permeate seemingly routine transactions, highlighting the need for proactive monitoring of employee behavior.
2. In May 2024, a former U.S. State Department budget analyst pleaded guilty to embezzling over $650,000 from her employer.4 She manipulated vendor records and submitted false payment authorizations, exploiting internal trust in her role as a financial officer. This typifies the “privileged position risk,” where access to systems, combined with insufficient segregation of duties and a lack of transactional oversight, enabled sustained fraud. This case illustrates how internal process gaps can amplify critical vulnerabilities across institutions. Enhanced due diligence and anomaly detection in procurement and vendor payments are as vital as customer-level monitoring.
3. In June 2025, a case was highlighted where a senior executive at the CFA Institute, a financial education group based in the U.S., misappropriated millions through fake expense reimbursements and phony vendor payments.5
The fraud extended over several years, involving the abuse of forged documentation and oversight failures.
This case demonstrates several consistent “insider” red flags:
- Unexplained lifestyle changes
- Pushback against audits
- Lack of vacation time or delegation (classic “key person risk”)
This case underscores the need for behavioral analytics. Regular lifestyle checks, whistleblower empowerment and anomaly detection tools (e.g., for duplicate invoices or round-amount payments) are also indispensable.
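The anomaly checks named above (duplicate invoices, round-amount payments) and the segregation-of-duties gap from case 2 can be expressed as simple rules over a payment ledger. The following is an added example, not code from the ACAMS/Cifas briefing or from any product; the ledger is constructed, and the field names, the 1,000 rounding unit and the 5,000 floor are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample ledger; field names are assumptions for illustration.
PAYMENTS = [
    {"id": 1, "vendor": "V-100", "invoice": "INV-0042", "amount": 1840.50,
     "paid": date(2025, 3, 3), "created_by": "alice", "approved_by": "bob"},
    {"id": 2, "vendor": "V-100", "invoice": "inv 42", "amount": 1840.50,
     "paid": date(2025, 3, 17), "created_by": "alice", "approved_by": "bob"},
    {"id": 3, "vendor": "V-200", "invoice": "A-17", "amount": 10000.00,
     "paid": date(2025, 3, 5), "created_by": "carol", "approved_by": "carol"},
    {"id": 4, "vendor": "V-200", "invoice": "A-18", "amount": 9999.99,
     "paid": date(2025, 3, 6), "created_by": "carol", "approved_by": "dave"},
    {"id": 5, "vendor": "V-300", "invoice": "INV-0042", "amount": 5000.00,
     "paid": date(2025, 3, 7), "created_by": "erin", "approved_by": "frank"},
]

def norm_invoice(number):
    """Collapse case, punctuation and zero-padding so that a resubmitted
    invoice ("INV-0042" vs "inv 42") maps to the same key."""
    s = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)

def flag_payments(payments, round_unit=1000, round_min=5000):
    """Return {payment id: sorted list of red flags} for flagged payments."""
    flags = defaultdict(set)
    first_seen = {}  # (vendor, normalised invoice) -> id of first payment
    for p in sorted(payments, key=lambda p: (p["paid"], p["id"])):
        key = (p["vendor"], norm_invoice(p["invoice"]))
        if key in first_seen:
            flags[p["id"]].add(f"duplicate_of:{first_seen[key]}")
        else:
            first_seen[key] = p["id"]
        # Work in integer cents to avoid float remainders.
        cents = round(p["amount"] * 100)
        if cents >= round_min * 100 and cents % (round_unit * 100) == 0:
            flags[p["id"]].add("round_amount")
        # Same person set up the vendor record and approved the payment.
        if p["created_by"] == p["approved_by"]:
            flags[p["id"]].add("no_segregation_of_duties")
    return {pid: sorted(f) for pid, f in flags.items()}

if __name__ == "__main__":
    for pid, found in sorted(flag_payments(PAYMENTS).items()):
        print(pid, found)
```

A flag is a prompt for review rather than a finding: round amounts and repeat invoice numbers also occur in legitimate retainers and instalment billing, so the thresholds need tuning against the institution's own payment history.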
4. In another disturbing example of collusion, four men―including an insider―were jailed for manipulating NHS Scotland procurement through bribery.6 The insider received kickbacks in exchange for awarding contracts to specific firms, sometimes for inflated or unnecessary services. Procurement fraud, especially in publicly funded sectors, has knock-on money laundering effects, including the creation of shell suppliers, inflated invoicing and fund integration via legitimate payment rails.
Control recommendations include:
- Segregation of procurement authority
- Regular vendor audits
- Pattern analysis for contract irregularities
5. In May 2025, it was revealed that hackers bribed and recruited rogue call agents to gain access to Coinbase’s internal systems.7 The insiders, approached online, provided credentials or facilitated backdoor access in exchange for cash. This case merges aspects of cybersecurity and insider threat in a hybrid typology―externally recruited insiders. It reflects warnings that external actors (e.g., cybercrime and organized crime groups) are increasingly targeting insiders at FIs and tech platforms.
Where digital asset firms are used as entry points to the financial system, the actions of a single employee can lead to systemic anti-money laundering (AML) and sanctions evasion failures, potentially including, but not limited to, the transfer of crypto tied to sanctioned regimes or weapons of mass destruction proliferation financing.
6. A U.S. Department of Justice civil forfeiture complaint details how North Korean-linked actors laundered over $7.74 million through a network of shell companies, compromised exchanges and fake identities.8 Notably, some of the laundering relied on insiders in digital exchanges or facilitators within regional banks. Insiders are now crucial to geopolitical laundering efforts―whether recruited voluntarily or under duress. The use of remote work, spoofed job roles or compromised vendor identities allows sanctioned actors to embed themselves within financial workflows.
A recent Wall Street Journal article9 similarly exposed how thousands of North Korean IT workers are infiltrating Western firms via remote work―often with fake identities or through collusion with recruiters. These workers earn foreign currency for the regime and gain access to sensitive systems. The risk extends beyond payment fraud to malign access―where insiders can manipulate code, create backdoors or exfiltrate data. AML and internal fraud teams should consider recruitment due diligence and vendor management as part of their control frameworks.
Cross-cutting trends and actionable takeaways
1. Insider collusion with external threats
All these cases involve some form of personal motivating dynamic that makes individuals susceptible to perceived grievances, nation-state actors, criminal networks or corrupt vendors. AML, anti-cybercrime and anti-fraud professionals must broaden the definition of customer due diligence to include employee and third-party due diligence.
2. Control failures enable longevity
Insider activity can take place over several years. Weak audit functions, override-prone cultures and insufficient data analytics enable the intrusion. Institutions should deploy:
- Behavioral biometrics
- Vacation and rotation policies
- Real-time monitoring of employee financials and access behavior
3. Interconnected risk domains
Insider threats no longer stand alone. They interact with cyber risk, geopolitical risk, sanctions evasion, procurement fraud and crypto-enabled money laundering schemes.
Recommendations for anti-financial crime professionals
- Develop insider threat typology libraries: Tailor detection models to reflect internal role-specific risks―e.g., procurement officers vs. IT administrators vs. HR professionals.
- Red team exercises: Test systems with simulated internal breaches to identify the weakest access points.
- Collaborate across departments: Insider threats sit at the intersection of HR, cybersecurity, AML and compliance. Interdisciplinary detection teams can be critical.
- Integrate employee risk scoring: Use risk scoring for staff based on access levels, financial pressures and behavioral anomalies―like customer risk scoring in AML.
- Strengthen whistleblower protections: Insider threats are often uncovered internally. Safe and anonymous reporting channels can hasten reporting.
Conclusion
Insider threats now occupy a central place in the fraud and financial crime threat landscape. Addressing them requires systemic shifts in how institutions monitor, detect and respond to internal risk. These recent case studies―from government departments to fintech firms―are not outliers; they are warning signs of a broader vulnerability. For AML, cybersecurity or anti-fraud professionals, the path forward lies in reframing insider threats not solely as a personnel issue, but as a core component of financial crime risk management.
Joby Carpenter, SME, Emerging Threats and Illicit Finance, ACAMS, jcarpenter@acams.org
1. “The Threat from Within: A Growing Concern,” ACAMS, Cifas, May 2025, https://www.acams.org/en/media/document/39113
2. Cifas is a U.K.-based nonprofit fraud prevention service which enables data and intelligence sharing across members in the banking, retail, insurance and telecoms sectors.
3. Adonijah Ndege, “Kenya’s Equity Group fires 1,200 staff after internal $15.4 million fraud probe,” TechCabal, May 30, 2025, https://techcabal.com/2025/05/30/equity-group-ceo-fires-1200-fraud/
4. “Former State Department Budget Analyst Pleads Guilty to Embezzling More than $650,000,” U.S. Attorney’s Office, April 30, 2025, https://www.justice.gov/usao-dc/pr/former-state-department-budget-analyst-pleads-guilty-embezzling-more-650000
5. Anika Arora Seth, “Ex-CFA Institute Executive Charged With Embezzling Millions,” Bloomberg, June 23, 2025, https://www.bloomberg.com/news/articles/2025-06-23/ex-cfa-institute-executive-charged-with-embezzling-millions
6. “Four men jailed for £6m bribery and corruption against NHS Scotland,” NHS Counter Fraud Authority, June 5, 2025, https://cfa.nhs.uk/about-nhscfa/latest-news/four-men-jailed-for-bribery-against-NHS-scotland
7. Tom Gerken, “Leading crypto firm Coinbase faces up to $400m hit from cyber attack,” BBC, May 15, 2025, https://www.bbc.co.uk/news/articles/c80k5plpx8do
8. “Department Files Civil Forfeiture Complaint Against Over $7.74M Laundered on Behalf of the North Korean Government,” U.S. Department of Justice, June 5, 2025, https://www.justice.gov/opa/pr/department-files-civil-forfeiture-complaint-against-over-774m-laundered-behalf-north-korean
9. Robert McMillan and Dustin Volz, “North Korea Infiltrates U.S. Remote Jobs―With the Help of Everyday Americans,” The Wall Street Journal, May 27, 2025, https://www.wsj.com/business/north-korea-remote-jobs-e4daa727