Intellectual Property (IP) represents the culmination of years of research and development for organizations. It is not a new concept. We used to call these “trade secrets.” At their core, they were essentially the same thing: the sweet fruit of innovation that gives organizations a tangible competitive advantage.
The “good old days” would be shocked by what IP theft looks like now. Not even 50 years ago, someone trying to spy on a competitor had to jump through all sorts of physical and mental hoops. Today, because of the digital landscape we live in, it’s much easier – and there are new players on the field. Recent high-profile cases involving brands like Nike and Under Armour demonstrate that IP theft is an evolving branch of cybercrime.

The Anatomy
There is a clear value proposition for cybercriminals who have shifted from traditional corporate espionage to IP theft. Stolen IP offers multiple revenue streams with far less hassle. Consider ransomware for a moment. There is encryption, ransom notes, follow‑ups, and sometimes even negotiations. And at the end of all that, the targeted organization might still refuse to pay and publicly position itself as “standing up to the bully.” That’s uncertainty that hackers don’t like. Why deal with all that aggravation when there is a simpler route?
Unlike financial data, IP does not have a limited shelf life or the same immediate detection risks. Stolen IP retains value for years. It becomes a long-term asset for cybercriminals, and something they can monetize repeatedly. Consider items such as design documents, technical specifications, supply chain intelligence, strategic business plans, or sophisticated customer and market research. All of these feed directly into an organization’s big-picture goals. By stealing them, hackers shift all the emotional drama and operational pain back onto the organization.

Nike: Just Do It
They just did. In January, a cybercrime group called WorldLeaks stole [1] an astonishing 1.4TB of data from Nike and posted samples on its leak site on the dark web. Roughly 188,000 files were stolen, including sensitive intellectual property such as product designs, prototypes, schematics, technical packs, and bills of materials. Nike’s Jordan Brand SP27 collection was one of the names reported to be affected [2]. WorldLeaks initially set a ransom deadline of January 25, 2026. When it passed, they claimed to have initiated a “full-on data dump” [3].
And just like that, Nike’s competitors gained access to its retail pricing strategies, long‑term plans, operational margins, and troves of deeply technical information. And that doesn’t even account for Nike’s own customer data or the data of its third‑party partners. It is a perfect illustration of how today’s attackers see IP not as a single strike opportunity, but as a long‑term, high‑value asset that can be exploited repeatedly.
The security industry is still speculating about the root cause of the breach. Unpatched vulnerabilities, compromised credentials, and lateral movement are all being discussed. Adding another twist, WorldLeaks is believed to be a rebrand of Hunters International, a ransomware gang that publicly announced it was shutting down last year [4]. Apparently, you can take the shop out of the market, but you can’t take the market out of the shop. And Nike’s situation shows exactly why. IP theft is simply too profitable and too low‑risk for cybercriminals to walk away. Organizations can no longer treat IP as a passive asset, as it is now one of the most targeted weapons in a criminal’s arsenal.
Under Armour: The Only Way Is Through
Indeed. The way through began with 343GB of data stolen by the Everest Ransomware Group [5] in November 2025. The data was eventually leaked on January 18, 2026, via a cybercrime forum on the dark web, affecting 72.7 million Under Armour accounts [6]. A class‑action lawsuit from an Under Armour customer emerged soon after Everest posted the first details of the attack. The stolen data included IP as well – product catalog records, marketing campaign logs, analytics data, internal company documents, and employee/personnel files [8].
This case emphasizes the value proposition and multiple revenue streams that make IP theft so attractive to cybercriminals. The Everest Group is a prime example, with three distinct income channels: double‑extortion ransomware, network access brokerage, and an insider recruitment program [7]. Their attack on Under Armour shows how IP theft now fits neatly into a broader business model, reinforcing the reality that cybercrime has evolved from one‑off heists into a diversified industry.

Revenue Streams
Cybercrime groups today operate less like small clusters of hackers and more like fully developed enterprises with diversified income models. Their business structures can be case studies in themselves. We are only scratching the surface here, but these are some of the most common revenue streams:
- Double Extortion Ransomware: The victim’s files aren’t just encrypted, but the data is also stolen and exfiltrated prior to encryption. If the victim refuses to pay, attackers can blackmail and threaten to leak the stolen data online, creating a second layer of pressure.
- Network Access Brokerage: Hackers sell confirmed backdoors and other forms of unauthorized access including VPN access, Remote Desktop, Active Directory domain access, and more.
- RaaS (Ransomware-as-a-Service): Groups such as DragonForce run a cartel-style service model, offering everything an affiliate needs to launch an attack, including ransomware tools, decryption utilities, data leak sites, infrastructure, servers, and support.
- Data Brokerage: Instead of extorting victims, some groups function purely as data brokers who steal massive databases of sensitive information and sell them on dark web forums.
- Cybercrime Advertising: Criminal forums and leak sites rent advertising space to other criminals offering services such as “cryptomixers” that launder money, background‑check lookups, and more. It functions like a “Google Ads” for criminals.
- Money Laundering: Specialized groups operate Crypto Money Laundering Networks (CMLNs) that “wash” illicit money so that it appears legitimate.
- DDoS-as-a-Service: DDoSaaS providers will offer large botnets for hire that can then be used to perform distributed denial-of-service attacks on even the largest of companies.
Insider Recruitment Program
Given the current focus on IP theft, there is a particularly troubling revenue stream that was already mentioned when discussing the Under Armour data breach. It’s called the Insider Recruitment Program. In this model, cybercrime groups deliberately target employees around the world, offering them cash payments or profit‑sharing deals in exchange for becoming “insiders.” Their role is straightforward: provide remote access to the company’s network or leak trade secrets.
To understand the severity of this, consider the internal structure of most organizations. Any ethical hacker knows that companies often rely heavily on their border firewalls while the internal environment is riddled with vulnerabilities. Unpatched software, weak access controls, you name it. Once an attacker is inside, lateral movement becomes remarkably easy. An insider program effectively bypasses the perimeter altogether for what cybercriminals would surely call a paltry amount of cash.

Everest’s “hiring” message (Image Source: The Register)
Out-Of-The-Box Protection
The standard cybersecurity protections that have been recommended ad infinitum still matter. Audits, penetration tests, incident response plans, technical and operational safeguards, physical controls, awareness training: all of these form the essential baseline. If an organization does not already have these measures in place, it has more immediate issues to address.
But once this baseline is in place, it becomes necessary to think beyond the basics for outside-of-the-box protection measures. The people stealing IP are innovating constantly, and they are using the same AI technologies that everyone else is using. To keep pace, organizations must adopt protection measures that move outside conventional perimeter defenses.
Here are some out-of-the-box protection ideas that go beyond the usual perimeter defense strategies:
- Micro-Segmentation
Have your IP live on a completely separate and isolated Research and Development (R&D) network segment. Further still, have the employees in that segment and their access separated out from the rest of the organization as well. It’s not extreme. Think about it. With the threat of insider recruitment programs looming large, you’re minimizing your “risk set” to just those employees. In fact, when employees see you doing that, the chances of them making that leap to the dark side go down as well.
- Honeymarks
You might have heard of honeypots and honeytokens that are meant to lure or trap hackers. Honeymarks work in a similar spirit but serve a different purpose.
They’re basically digital watermarks. Embed a piece of traceable code into design and IP-related files so that, once they’re stolen, they can be traced back to the hacker and the compromised account.
- Dark Web Monitoring
While not entirely out-of-the-box, dark‑web monitoring is still not widely adopted enough. At this point, ongoing monitoring of the dark web for stolen or leaked data related to your organization is not optional. It is essential. Modern AI capabilities turbo-charge this field, enabling near real‑time detection of suspicious activity or mentions of the organization on dark‑web forums.
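
To make the Honeymarks idea above concrete, here is an added example (not code from the article or from ERMProtect) that stamps each download of a text-based design file with a keyed, invisible per-account mark and later attributes a leaked copy to the download that produced it. The key, document text, file ID, account names and the zero-width encoding are all constructed assumptions for illustration.

```python
from __future__ import annotations
import hashlib
import hmac

ZERO, ONE = "\u200b", "\u200c"  # zero-width space / zero-width non-joiner
MARK_BITS = 64                  # truncated HMAC carried inside the file

def derive_mark(key: bytes, file_id: str, account: str, issued_at: str) -> str:
    """Keyed per-download mark as a bit string; cannot be forged without the key."""
    msg = "\x1f".join((file_id, account, issued_at)).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(f"{b:08b}" for b in digest)[:MARK_BITS]

def embed(text: str, mark_bits: str) -> str:
    """Hide the mark as zero-width characters at the end of the first line."""
    hidden = "".join(ONE if b == "1" else ZERO for b in mark_bits)
    first, sep, rest = text.partition("\n")
    return first + hidden + sep + rest

def extract(text: str) -> str | None:
    """Recover the bit string from a copy; None if no complete mark survives."""
    bits = "".join("1" if c == ONE else "0" for c in text if c in (ZERO, ONE))
    return bits if len(bits) == MARK_BITS else None

def attribute(key: bytes, leaked: str, ledger: list[dict]) -> dict | None:
    """Match a leaked copy to the logged download event that produced it."""
    found = extract(leaked)
    if found is None:
        return None
    for ev in ledger:
        expected = derive_mark(key, ev["file_id"], ev["account"], ev["issued_at"])
        if hmac.compare_digest(expected, found):
            return ev
    return None  # a mark is present but was never issued: treat as tampered

# Constructed sample data (hypothetical key, document and download ledger).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DOC = "Tech pack: midsole geometry rev C\nDensity 0.21 g/cm3, durometer 52C\n"
LEDGER = [
    {"file_id": "TP-0042", "account": "alice@rd.example", "issued_at": "2026-01-05T09:14:00Z"},
    {"file_id": "TP-0042", "account": "bob@rd.example", "issued_at": "2026-01-06T16:40:00Z"},
]

def serve(ev: dict) -> str:
    """What the document store hands out for one logged download event."""
    return embed(DOC, derive_mark(KEY, ev["file_id"], ev["account"], ev["issued_at"]))

if __name__ == "__main__":
    leaked_copy = serve(LEDGER[1])  # simulate the copy that later shows up on a leak site
    print(attribute(KEY, leaked_copy, LEDGER))
```

Zero-width marks survive copy and paste but not retyping or conversion to an image, so an attribution result is one signal to correlate with download logs rather than proof on its own.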

The Auction You Didn’t Choose
Your blueprints for tomorrow are being auctioned off today. Does that hurt you? Yes, and on more levels than most organizations realize. The uncomfortable truth is that defenders have become predictable. Cybercriminals know what to expect from us because our safeguards, our playbooks, and even our thinking have barely changed while they evolve every day.
It is worth ending with a reminder from Sun Tzu in The Art of War:
“The ultimate in disposing one’s troops is to be without ascertainable shape. Then the most penetrating spies cannot pry in nor can the wise lay plans against you.”
That is as relevant now as it was centuries ago. The organizations that will survive this new era of IP theft are the ones that learn to reshape themselves, adapt unpredictably, and deny attackers the certainty they rely on.
References
1. https://www.theregister.com/2026/01/26/data_thieves_claim_nike_data_haul/
2. https://www.heise.de/en/news/Nike-is-checking-for-a-possible-cyberattack-11154905.html
3. https://www.darkreading.com/cyberattacks-data-breaches/worldeaks-extortion-group-stole-1-4tb-nike-data
4. https://www.darkreading.com/threat-intelligence/hunters-international-raas-group-closes-doors
5. https://www.techradar.com/pro/security/hackers-claim-to-have-hit-under-armour-in-massive-data-breach
6. https://www.theregister.com/2026/01/21/under_armour_everest/
7. https://www.halcyon.ai/threat-group/everest
8. https://darknetsearch.com/knowledge/news/en/under-armour-data-breach-7-key-facts-revealed-in-urgent-report/
9. https://www.theregister.com/2023/10/12/everest_courting_corporate_insiders/
About the Author
Akash Desai is a Director of Consulting for ERMProtect. For over 22 years, he has combined technical expertise with creativity and problem-solving acumen to create innovations and solutions that address challenging cybersecurity problems. His work at the prestigious CERT® Coordination Center and the innovative Carnegie Mellon CyLab tackled cybersecurity issues in insider threat, intrusion prevention, proactive and agile cyber-defense, and security awareness training. At ERMProtect, he leads complex cybersecurity projects and is the brain behind the innovative ERMProtect™ cybersecurity awareness training.