published: 17 Feb 2026 in News

The LinkedIn trap: is your professional network a gateway for spies and hackers?

Careers in Poland

Editorial Team

In the world of finance, trust is one of the most valuable currencies. We meticulously build our networks and verify transaction details to avoid falling into the traps of fraudsters. Yet, there is one place where we often lower our guard, sharing information that could jeopardize not only ourselves but also the companies and corporations we represent. That place is LinkedIn. What threats are lurking on the platform, and how can you protect yourself?

In November 2025, British counter-intelligence warned MPs that they had been targeted by Chinese intelligence services. The battlefield of choice for these agents? LinkedIn.

A fortune for a report

It turns out that LinkedIn has become a convenient platform for foreign services to identify and recruit spies — sometimes individuals who are completely unaware they are handing over priceless information to a foreign power. Using skillfully crafted fake identities, agents establish contact with decision-makers and their associates. Under the guise of networking, they gain the victims' trust and lull them into a false sense of security to extract confidential data regarding organizational structures, projects, and trade secrets.

MI5 revealed that it is not only high-profile individuals who find themselves on the radar of foreign agents. Fake recruiter profiles were created on a massive scale. Between 2020 and 2021 alone, Chinese agents made over 10,000 contact attempts with British citizens, seeking to acquire political, industrial, and military secrets. They hunted for victims across various social media platforms, but LinkedIn — perceived as a safe space for professional growth — was a primary target. The MO (method of operation) was simple: a victim would receive a message from a "recruitment consultant" offering high fees (up to £20,000) for writing reports containing "non-public" data or "confidential" corporate strategies — all wrapped in a thick layer of social engineering designed to stroke the victim's ego.

Fake profiles, real danger

The scale of foreign intelligence operations is staggering. British MI5 estimates that Chinese intelligence alone employs approximately 300,000 people. While there is no definitive data on the staffing levels of Russian or North Korean "troll farms," it is clear that the number of attacks is increasing every year.

Social media is also increasingly becoming a playground for criminal groups. In 2022, LinkedIn administrators removed over 80 million fake profiles — a 152% increase from the previous year. In the first half of 2024 alone, another 70.1 million fake accounts were identified during the registration phase before they could even be activated. For banks and financial institutions, this means one thing: every online interaction could be the preamble to a major security incident.

One of the most sophisticated methods involves "fake recruiters." Criminal groups, such as Golden Chickens, target professionals by sending job offers perfectly tailored to the experience described in their profiles. This type of attack is particularly dangerous for the financial sector, as Golden Chickens provides services to organizations like FIN6 (known for attacking payment systems) and the Cobalt Group (which targets banks).

An unwanted surprise

The scenario is often predictable: the victim receives a message about an attractive position, followed by a ZIP file supposedly containing the job description. In reality, the file installs Trojan viruses (such as more_eggs), providing criminals with a "backdoor" into the banking or financial institution's system. Even more advanced techniques are used by the North Korean-linked Lazarus Group. They create fake job openings in the crypto and finance sectors, enticing candidates with high salaries and remote work. During the "recruitment process," the candidate is asked to download a code repository, allegedly to solve a technical task. This code installs malware that steals credentials and enables further infiltration of the corporate network.

The use of personal devices for professional purposes means that IT departments often lose visibility into potential threats coming from social media. Even if a company employs rigorous email filters, it has no control over what an employee receives in a private LinkedIn message. Users, trusting the platform's reputation, are much more likely to click links or download files. Connecting to a corporate network using an infected private device poses a significant risk — warns Kamil Sadkowski, a cybersecurity analyst at ESET, in a report for Dagma.

IT spies

A phenomenon that became a particularly pressing issue in 2024 is the hiring of IT workers from North Korea using stolen or fake identities. Mandiant (Google Cloud) identified such workers within the financial services sector, where they often obtained high-level administrative privileges.

These individuals utilize "laptop farms" located in the US or Europe to mask their true location and pretend to work from a region acceptable to the employer. While their primary goal is to generate foreign currency for the regime in Pyongyang, the risk to the employer is immense. There have been cases where, upon being fired or detected, these employees stole sensitive corporate data and demanded a ransom to keep it private.

Corporate hijackers

For criminal groups, LinkedIn has become a tool for free corporate mapping. Analyzing job descriptions and project histories allows attackers to identify decision-makers and new hires — the foundation for Business Email Compromise (BEC) attacks. Notably, 16% of all breaches in 2024 began with stolen credentials, and LinkedIn has become their primary incubator. The platform represents a "security gray zone" because we log in from private devices, bypassing corporate email filters and protection systems.

Attackers exploit our trust in the "professional" environment using sophisticated techniques, such as:

  • recruitment deepfakes: using AI to impersonate recruiters and extort "recruitment fees",
  • supply chain attacks: mapping business partners to strike a smaller supplier as a way to gain access to the main target,
  • account hijacking: taking over the profile of a real industry thought leader to spread misinformation or authorize fraudulent wire transfers.

Executive impersonation is also a growing threat. Criminals or agents create convincing "C-level" profiles to gain the trust of employees and partners, eventually manipulating invoices or ordering CEOs to transfer funds directly into criminal accounts.

How companies lose money

The actions of both lone hackers and organized groups result in painful financial and reputational losses. According to the Mandiant M-Trends 2025 Report, over one-third of corporate attacks in 2024 were financially motivated, and every fifth attack involved ransomware. Companies typically have only five days to detect such an intrusion before the damage is done. In nearly 40% of cases, criminals steal data, often using a "double extortion" trap: first demanding a ransom to return the files, then a second payment to prevent the data from being leaked online.

Data loss is often just the beginning — companies may face massive regulatory fines for failing to provide adequate security. In extreme cases, the resulting loss of liquidity can lead to the downsizing or closure of the business.

How to protect yourself

Are there ways to defend against online spies and criminals? Experts emphasize that the most important elements of digital defence are:

  • verification: always verify contacts and scrutinize the profiles of those sending connection requests,
  • vigilance: be wary of new accounts with no activity history or offers of high pay without specific conditions,
  • MFA: implement multi-factor authentication for all logins,
  • privacy settings: limit profile visibility and review privacy settings, especially for those in key organizational roles,
  • device security: ensure that any device used to access LinkedIn or other social media has adequate security measures if it also has access to corporate data.

In an age where information is a priceless resource and criminal ingenuity knows no bounds, adopting a policy of "limited trust" is essential to ensuring you don't accidentally open the doors to both your personal and professional vault.
