This month’s edition includes insider risk cases from four different continents, yet the script is often similar. Increasingly, external actors hijack access granted to insiders in a way that many organisations are not effectively monitoring through traditional security controls. While insider risk has always taken place, arguably showing up with different faces as time went by, the current threat landscape and technological innovation amplify its effects. Therefore, new challenges require new solutions.
In particular, the Norwegian and Polish cases also reflect a current geopolitical reality. A new nature of conflict has emerged, defined as hybrid warfare, in which countries attempt to inflict harm on their adversaries not on the frontline, but by seeking to undermine them from within their national perimeter. This can happen in several different ways.
However, other times insiders are self-motivated and act on their own interests and grievances, or even out of simple negligence. We are going to see some of these facets in the next paragraphs. Let’s get into it!
On May 27th, a 60-year-old subcontractor employee attacked two LG Electronics staff members with a camping knife at the company's Magok Business Center in Seoul, causing serious but non-life-threatening injuries to both. The suspect was arrested and charged with attempted murder and aggravated assault. At a pre-trial hearing, he stated he could not suppress his anger following what he described as a dismissal notice, and alleged workplace harassment. LG Electronics denied both claims, stating the suspect had not received a direct dismissal notice from the company and that its investigation found no evidence of harassment. LG added that it would review its contractor-related processes for potential shortcomings.
This incident raises questions that go beyond the incident itself. The 60-year-old man had worked on LG development projects for two years through a partner company, enjoying sustained physical access to the office environment alongside LG Electronics employees right up to the moment of the attack. Many outsourcing and contractor configurations rely on a model in which the employment relationship and the access relationship exist in different organisations. However, the mechanisms for identifying deteriorating situations and acting on them may fall into a gap between the two. The principal employer may have limited visibility of how a contractor is being managed, communicated with, or supported through a difficult transition, while the contractor's own employer may lack the context of the workplace environment in which their staff is embedded. Neither may feel clearly responsible for the early intervention that could prevent escalation. Regardless of how the factual dispute over the dismissal notice is eventually resolved, the structural question that remains is whose responsibility it is to notice and escalate through proper pathways when a contractor embedded in a client's environment is in distress.
On 30 May, Polish authorities announced the detention of an employee of Polska Grupa Zbrojeniowa (PGZ), Poland's largest state-owned defence conglomerate, on suspicion of providing information to a foreign intelligence service.
PGZ encompasses dozens of companies producing artillery systems, armoured vehicles, small arms, and ammunition, many of which have significantly expanded their production capacity since Russia's invasion of Ukraine in 2022, as Poland pursues one of Europe's most ambitious military modernisation programmes. An employee with legitimate access to technical specifications, production schedules, or procurement plans at any of those subsidiaries represents a high-value target for a foreign intelligence service. Consequently, the impact of insider risk increases exponentially. Poland has announced a string of espionage-related arrests since 2022, and its security services have consistently identified Russia as the primary actor seeking to exploit Poland's role as a logistics hub for Western military assistance to Ukraine. What this case illustrates more broadly is that in organisations operating at the intersection of national security and industrial production, employees with access to sensitive production or procurement data need to understand that they are likely to be targeted, what targeting looks like, and what to do when it happens.
On 20 May, the US Department of Justice unsealed charges against two Florida-based defence contractors accused of bribing a US Army employee and inflating government contract costs to corrupt procurement for the Hawaii-Pacific Innovation Campus, a technology testing facility for the Department of War. The indictment alleges the bribery ran from January 2021 to October 2022 and totalled approximately $1.25 million. One of the indicted additionally inflated contract costs by a further $680,000 to route payments to his own consulting business.
The mechanism here is one of the oldest in the insider risk catalogue: an external party seeking to circumvent a competitive process identifies the individual within the institution who controls access to what it wants and converts that person into a conduit.
The Army employee's role in the procurement process became the point of failure while it should have been the safeguard against exactly this kind of outcome. What is worth noting for (insider) risk programmes is the duration. A bribery arrangement of this kind running for nearly two years across a major defence acquisition programme suggests either an absence of second-line oversight on procurement decisions, insufficient segregation of duties, or a lack of controls to detect anomalies in contracting costs. While detection controls in procurement environments tend to focus on external vendors, this case illustrates that the insider with authority to award contracts is as significant a risk surface as the vendor itself.
In the final week of May, Mumbai's Chhatrapati Shivaji Maharaj International Airport saw two separate arrests of airside food outlet staff alleged to be functioning as the last-mile link in an organised gold smuggling syndicate. On May 25th, a 23-year-old coffee shop employee was intercepted by Airport Customs as he was about to hand a gold consignment to a contact outside the perimeter. The following day, a 24-year-old food store employee was arrested having concealed capsules of gold dust on his person; he admitted to receiving the gold from a transit passenger in exchange for Rs 8,000. Indian customs officials noted that if left unchecked, this modus operandi could be exploited at a scale detrimental to national security.
Food, retail, and maintenance employees working in airports are often targeted for recruitment in smuggling networks. In this case, the insider risk resides more in where they have access than in what they know. Airside access that is routine and unremarkable in a legitimate professional context is extremely valuable to a criminal network precisely because it attracts less scrutiny than the movement of passengers or cargo. While the motivations behind insider acts can be multiple, insiders in these instances are sometimes used as disposable agents, not ideologically motivated or even fully aware of the network they are serving; financial pressure and a small one-time payment are frequently sufficient for recruitment. That makes detection harder, because the profile of the person involved may not match the behavioural indicators designed to identify a malicious actor with a sustained intent to harm. Organisations operating within airport environments, such as cleaning contractors or food providers, should consider whether their background screening and ongoing monitoring standards match the risks that come with the access they grant.
On 4 May, the now-former Secretary-Treasurer of American Postal Workers Union Local 1676 in Marietta, Georgia, pleaded guilty to one count of failure to maintain union records under and was sentenced to one year of probation and a $25 assessment.
While the outcome of this case is rather modest, the risk pattern it showcases can have a much more impactful ripple effect. Roles such as the Secretary-Treasurer’s carry statutory obligations to maintain accurate financial records on behalf of their organisation, as their position gives them direct control over accounts and disbursements. Failure to maintain records is frequently the only charge that is provable when the nature of underlying conduct is harder to demonstrate. Namely, the absence of proper documentation may reflect simple administrative carelessness, but it also removes the audit trail that would expose more deliberate misconduct. For insider risk purposes, the case is a reminder that fiduciary roles in smaller organisations carry the same structural risk as equivalent roles in larger ones, but with significantly fewer compensating controls. Segregation of duties and independent financial oversight are as necessary at the local level as at the institutional one and are often less present.
On 7 May, Norway's Police Security Service (PST) arrested a Chinese woman at a residential property in Andøya, an Arctic island hosting both a spaceport and a weapons testing site, on suspicion of attempting to engage in aggravated intelligence activities targeting state secrets. The residential property is linked to a Norway-registered company owned by a Singaporean national. The man told Norwegian media he had been deceived as a Chinese acquaintance introduced him in December 2025 to someone seeking to establish a business presence in Norway, and he purchased the property on their behalf after conducting all transactions remotely. He also claims a shipment of equipment arrived under his company's name without his knowledge. The PST described the operation as an attempt by a Chinese state actor to use a Norway-registered company as cover to establish a receiving station to download data from satellites in polar orbit.
The structure of this operation closely reproduces a pattern of insider risk, in which state actors leverage seemingly legitimate business entities for access they could not have achieved on their own. The Singaporean man's business history in Norway provided exactly the kind of credible cover that reduces friction with authorities and local counterparts. Where the recruited or deceived insider is a legitimate businessperson rather than an employee, detection can be harder, as there is no employer to notice behavioural change and no access logs to review. This case is a reminder that insider risk does not necessarily require an employment relationship, but rather it requires access, which can be constructed through business structures as easily as through job titles.
This month's cases consistently highlight how risk runs through legitimate structures, rather than around them. The risks involved are not invisible by nature, but they cannot be spotted by frameworks not designed to look for them. Traditional security perimeters detect threats approaching from outside, but a dedicated insider risk programme fills the gap by monitoring the behavioural and organisational signals that precede harm from within.
Third-party and contractor relationships emerge as a blind spot. When the employment relationship and the access rights sit in different organisations, accountability for intervention tends to fall between the two. Clarifying that responsibility is one of the more actionable lessons from this edition.
The Polish case warns of the need for continued supply chain vigilance. Poland has been especially targeted by Russian intelligence since 2022 due to its logistical centrality in Western aid to Ukraine. Organisations similarly positioned by geography, supply chain exposure, or political alignment should heed the warning to revisit their due diligence and employee screening practices.
Insider risk should not be treated as an edge case, but rather as a structural feature of any environment where access has value, and it demands a programme built accordingly.
Disclaimer: The cases discussed in this publication are based solely on publicly available information at the time of writing. They are intended for educational and illustrative purposes and should not be interpreted as definitive investigative findings. In some instances, official investigations may still be ongoing, and information may emerge that could alter the understanding of the events described. Signpost Six makes no claims regarding the actions, intentions, or liability of any individuals or organisations mentioned. While every effort has been made to ensure accuracy, Signpost Six accepts no responsibility for any errors, omissions, or misinterpretations arising from the use of publicly sourced information.