LinkedIn began as a platform to connect professionals, share expertise, and generate job opportunities. However, its own success, with more than a billion users worldwide, has also made it a target of growing interest for cybercriminals and espionage groups, who exploit public information and the implicit trust of the professional environment to carry out fraud, phishing campaigns, and even intelligence operations.
A recent example are the Lazarus group campaigns identified by ESET, in which they posed as recruiters to install malware in aerospace sector companies, as well as operations in which fake IT professionals attempted to be hired by foreign companies. “This episode is not an isolated incident,” says Josep Albors, Director of Research and Awareness at ESET Spain. “Malicious actors have been using LinkedIn for years as a key tool to gather corporate intelligence and prepare targeted attacks against high-value companies and professionals.”
Why LinkedIn Is So Attractive to Cybercriminals
LinkedIn effectively functions as a massive public database of professional information. From profiles, attackers can identify titles, responsibilities, internal hierarchies, ongoing projects, and even relationships between employees and vendors. Moreover, the platform’s professional nature adds an extra layer of credibility. Users tend to be more willing to respond to direct messages or connection requests that, in other contexts, they would ignore via email.
Another key factor is that communications on LinkedIn fall outside the traditional corporate security perimeter. Messages do not pass through corporate email systems, which limits the visibility of security teams and makes it easier for malicious links, risky files, or fraud attempts to reach users directly.
Leading Threats Detected on LinkedIn
Researchers at ESET have documented several attack techniques that use LinkedIn as a primary or supporting vector. Among the most common are phishing and spear phishing, where attackers tailor messages based on the victim’s profile information; direct outreach with malicious links or fake job offers designed to steal credentials; and Business Email Compromise (BEC) scams, which rely on prior knowledge of the company’s internal structure.
There have also been cases of account takeovers, using fake login pages, infostealers, or reused leaked passwords, as well as supplier attacks where a business partner is compromised to reach the target company. Even videos published on the platform can be used to create deepfakes that reinforce subsequent social engineering campaigns.
