This is not a piece about people. It is a piece about structure.
The structure is this: the people who staff your IT support — wherever they sit — have privileged access to your identity systems, your email, your file shares, your customer records, and (in many cases) your administrative consoles. The data behind that access is worth a great deal of money on a market they can reach from any internet connection. The wage they earn for legitimate work, in many offshore arrangements, is a small fraction of what a single act of betrayal would pay them. And the legal system that would otherwise deter them — the one your contract relies on for recourse — has very limited reach across borders.
None of that is a moral judgment about anyone. It is the geometry of the situation. The same person, holding the same credentials, faces a very different incentive landscape depending on which jurisdiction’s labor and criminal law actually reaches them. Customers buying IT support deserve to understand that landscape before they sign.
This piece walks the geometry, with the data behind it, and ends with what we think the structural answer is. We are biased — goCloudOffice staffs every customer-facing and customer-data-handling role with US citizens working in the United States, and we will explain why we made that choice. But the data underneath the choice is not ours, and you should be able to evaluate any IT provider’s staffing model against the same data.
What a single sold credential set is worth
Start with the price of betrayal, because the price drives everything else.
A stolen set of corporate network credentials sold on the dark web by an Initial Access Broker (IAB) — the cybercrime intermediaries who specialize in selling network access to ransomware crews — moves at predictable, well-documented prices.
- Average sale price for hacked-system access in 2024: $2,047, with 86% of listings under $3,000 (Source: Cyberint, Initial Access Brokers Report, 2025).
- Average base price across three monitored cybercrime forums in H2 2024: just over $2,700 (Source: Cyberint, 2025).
- Range by access privilege: $500 for small-business basic access, up to $50,000+ for Fortune 500 access with domain administrator rights (Source: Saptang Labs, From $500 to $50K: How Dark Web Brokers Sell Enterprise Access, 2024).
- Enterprise: domain admin, identity provider, or Fortune-500 access
  - Up to $50,000+ per credential set
  - Sold to ransomware crews for cartel-grade extortion
  - Single sale ≈ 12–20 years of offshore wages for an India-based contractor at $200–360/mo
- Mid-market: privileged business access, M365 admin, file servers
  - $2,000 – $5,000: most common bracket
  - 86% of all listings under $3,000
  - Single sale ≈ 4–15 months of offshore wages at Southeast-Asian helpdesk rates of $340–580/mo
- Small business: basic network access, single-user M365
  - $500 – $1,000: entry-level credential
  - Most attacker volume: ransomware sweet spot
  - Single sale ≈ 1–4 months of offshore wages at $200–580/mo offshore helpdesk rates
The economic incentive to betray scales with privilege level. The wage gap between US and many offshore markets means even small-business credentials approach a non-trivial fraction of legitimate annual income.
- Microsoft 365 administrator account listings: sold individually, with executive-tier accounts and admin-tier accounts both regularly trafficked on the major underground forums (Source: Microsoft, RaccoonO365 takedown announcement, September 2025; multiple cybersecurity reporting outlets).
For specific data types, the Privacy Affairs Dark Web Price Index provides reference pricing that has held in roughly the same band for several years:
- Online banking login with at least $100 in the account: ~$150
- A complete identity-theft package (banking + driver’s license + Facebook): ~$1,000
- A US driver’s license: ~$500
- Verified Coinbase account: $610
- Verified Kraken account: $810
(Source: Privacy Affairs, Dark Web Price Index, 2022–2023 series.)
Stolen healthcare records command notably more, because the data does not expire the way a credit card does and supports a wider range of secondary fraud:
- A single stolen medical record: $250 to $1,000, depending on completeness (Source: Capsule Blog and ABC10 News reporting on healthcare-record dark-web pricing, 2024).
- 276 million patient records compromised in 2024, a 64% increase year-over-year (Source: Patient Protect / industry breach statistics, 2024).
The summary is uncomfortable but precise. A single act of selling one set of credentials, by one IT-support employee, can pay between several hundred dollars and tens of thousands of dollars, depending on what the credentials unlock. A repeat seller — someone who has worked their way into a position of broad administrative access across a customer base — can produce far more.
This is the demand side of the temptation. Now the supply side.
The wage-arbitrage gap that creates the temptation
We are going to use published wage data, and we are going to be precise about what it does and does not say. The point is not that any individual will betray you; the point is the size of the temptation gap.
In India, an IT support technician earns in the range of ₹17,000 to ₹30,000 per month, which translates to roughly $200 to $360 USD per month at 2024–2026 exchange rates, with experienced helpdesk technicians clustering near the upper end (Sources: Indeed.in IT support salary data, 2024; SalaryExpert Help Desk Technician Salary in India, 2025; Salary Explorer Help Desk Support Average Salary).
In the Philippines, an IT support technician earns roughly ₱20,000 to ₱34,000 per month, or approximately $340 to $580 USD per month at current rates, with experienced technicians at the upper end (Sources: Indeed.ph IT support salary data; ph.jobstreet.com career data, 2026; Manila Recruitment IT Salary Guide 2024).
For comparison, a US-based IT support technician earns roughly $45,000 to $75,000 per year, or $3,750 to $6,250 USD per month. The wage delta between a US-based technician and an offshore technician of comparable function is roughly 10x to 20x.
That delta is exactly why offshore arrangements exist. It is also exactly why the temptation gap is the size it is. The dollar value of selling one Microsoft 365 admin account on the dark web is, in many cases, equal to or greater than an offshore IT worker’s annual legitimate wage. A single $5,000 access-broker sale represents 9 to 15 months of wages for a Filipino helpdesk worker, or 14 to 25 months for an Indian helpdesk worker.
Restate that: in many offshore IT arrangements, one act of betrayal pays more than a year of honest work. We do not need to assume bad character to see why such an arrangement creates predictable risk. Risk is what you call the product of opportunity and incentive, and the incentive is a multiple of annual income.
This does not mean offshore workers steal data. The vast majority do not. It means the structure makes the base rate of insider incidents materially higher than it would be if the same role were filled by someone whose wage approaches the dark-web value of the access. That condition holds for US-based US-citizen technicians and structurally does not hold for technicians whose monthly wage is a few hundred dollars.
What the insider-threat data actually shows
Insider risk is the security category most affected by this geometry, because insiders bypass the defenses that would stop external attackers. The data is sobering even before you stratify by jurisdiction.
- The Verizon 2024 Data Breach Investigations Report analyzed 30,458 real-world security incidents and 10,626 confirmed breaches across 94 countries. The human element was involved in 68% of all breaches — including non-malicious error, but with malicious insider misuse remaining a top cause category. In healthcare specifically, internal actors were responsible for 70% of breaches (Source: Verizon 2024 DBIR; HIPAA Journal coverage of 2024 DBIR, 2024).
- The IBM Cost of a Data Breach Report 2024 found that malicious insider attacks carried the highest average cost of any breach vector at $4.99 million, against an overall global average of $4.88 million per breach (Source: IBM Security and Ponemon Institute, Cost of a Data Breach Report 2024).
- The Ponemon Institute 2023 Cost of Insider Risks Global Report found that the average organization now spends $16.2 million per year on insider-risk incidents (up from $15.4M in 2022), with 86 days the average time to contain an insider incident and 71% of organizations experiencing 21 to 40+ insider incidents per year (Source: Ponemon Institute / DTEX Systems, 2023).
- Stolen or compromised credentials remained the most common single attack vector at 16% of breaches in the 2024 IBM report, and the breaches that begin with stolen credentials take the longest to contain — almost 10 months on average.
These numbers are aggregate. They are not jurisdiction-stratified. We are not aware of a public dataset that cleanly compares insider-incident rates by support-staff geography, and we will not invent one. What we know structurally is that insider risk is already the highest-cost single attack vector in the data, and that the financial incentive to commit it is dramatically larger relative to wages in offshore arrangements than in onshore ones.
Real cases — where this has happened
It is worth grounding the structural argument in cases that actually occurred. None of these cases prove that offshore staffing is uniquely dangerous; they illustrate the failure modes that the geometry predicts.
The Saudi-recruited Twitter insiders (2014–2015, prosecuted 2019–2022). Two employees of Twitter — Ahmad Abouammo (a US-based media-partnerships manager) and Ali Alzabarah (a Saudi-citizen site reliability engineer working at Twitter) — were charged with using their employee credentials to access nonpublic data on more than 6,000 Twitter accounts and pass that data to officials of the Kingdom of Saudi Arabia. They were paid in cash routed through secret bank accounts and a designer watch. Abouammo was convicted in 2022 and sentenced to 3.5 years; Alzabarah fled to Saudi Arabia and remains on the FBI’s wanted list, beyond the reach of US prosecution (Sources: US Department of Justice press release, November 2019; CBS News and TechCrunch coverage of the 2022 conviction; FBI Most Wanted listings). The lesson: even an onshore US-based engineer with foreign-state ties created a recruitment vector — and once a co-conspirator crossed a border, the US criminal system lost its reach entirely.
The Wipro intrusion (2019). Indian IT outsourcing giant Wipro was breached in a sustained, multi-month intrusion in which Wipro’s own systems were used as a launchpad for phishing attacks against at least a dozen of Wipro’s customers. The intrusion was attributed to a sophisticated, possibly state-aligned actor (Source: Krebs on Security, Experts: Breach at IT Outsourcing Giant Wipro, April 2019). The lesson: when you outsource to a major offshore provider, you inherit the security posture and the threat surface of that provider. A breach at the provider becomes a breach in your environment.
The North Korean remote-IT-worker scheme (multi-year, prosecuted 2024–2025). The US Department of Justice prosecuted a multi-year conspiracy in which North Korean IT workers, using stolen identities of at least 80 US persons, obtained remote IT employment at more than 100 US companies. The scheme generated more than $5 million in revenue for the North Korean government and gave the North Korean operatives access to source code and ITAR-regulated data at multiple US employers. Two US-based facilitators were sentenced (one to 108 months in federal prison); the actual North Korean workers, sitting in North Korea, are beyond US criminal reach (Source: US Department of Justice press release, Two U.S. Nationals Sentenced for Facilitating Fraudulent Remote Information Technology Worker Scheme, 2025). The lesson: remote-work arrangements that do not verify worker identity and physical location can put adversary nationals into US production systems for years before detection. The legal recovery against the actual perpetrators was zero.
The Capital One / Paige Thompson breach (2019). A former AWS engineer exploited a misconfigured WAF to exfiltrate the personal data of approximately 106 million Capital One customers, costing Capital One more than $270 million in fines and remediation (Sources: US Department of Justice; CNBC; multiple court filings). Thompson was US-based and was prosecuted in US federal court — and that prosecutability is the point. Capital One had a defendant they could sue and a jurisdiction that could enforce judgment. In the offshore variant of the same story, neither would be true.
India-based call-center scams (multiple cases, 2013–2025). A long line of US Department of Justice prosecutions has targeted multimillion-dollar fraud schemes operated from Indian call centers, in which call-center operators used data acquired from data brokers (and, in some variants, from compromised offshore-handled customer records) to impersonate IRS officials and US Citizenship and Immigration Services officials and extract money from US victims. Combined losses across the prosecuted cases exceed $100 million (Sources: US Department of Justice, ICE, and FBI press releases on the 2016, 2018, and 2025 takedowns). Note who was prosecuted: predominantly the US-based facilitators. The Indian operators were prosecuted only when Indian authorities chose to act and the cases survived extradition processes — which they often did not.
The pattern across the cases is consistent. When the perpetrator is in the United States, US plaintiffs and US prosecutors recover something. When the perpetrator is overseas, recovery is rare, slow, and partial. That asymmetry is not about anyone’s character; it is about the geographic limits of the US judicial system.
The jurisdictional reality — what actually happens when an offshore worker exfiltrates data
The contractual remedies a US customer holds against an offshore IT provider — confidentiality clauses, indemnification, criminal-conduct prosecution rights — assume a functioning legal mechanism for cross-border enforcement. That mechanism exists, on paper. In practice it works far less well than most contracts assume.
The primary mechanism is the Mutual Legal Assistance Treaty (MLAT). The United States has MLATs with more than 60 foreign nations (Source: US Department of Justice, Mutual Legal Assistance Treaties of the United States, April 2022). In principle, an MLAT lets US prosecutors request evidence and cooperation from a treaty partner’s authorities to investigate and prosecute crimes that cross borders.
In practice:
- MLAT requests routinely take a year or more to process (Source: K&L Gates, Lifting the Veil on the MLAT Process; multiple academic surveys of the MLAT process). The DOJ’s own budget documents describe the workflow as backlogged and resource-constrained.
- Many MLATs allow the requested country to refuse cooperation for reasons including political considerations, dual-criminality (the offense must be a crime in both countries), or sovereign-interest grounds.
- Statistical success-rate data is largely not public. The opacity itself is the point — a US plaintiff cannot model their probability of recovery, because the system does not publish the data that would let them.
- Letters rogatory — the alternative to MLATs in countries without a treaty — are slower, more discretionary, and dependent on comity between courts rather than treaty obligation.
- Civil recovery is even harder. A US civil judgment against a non-US defendant generally requires a separate proceeding to be domesticated in the defendant’s country before any of the defendant’s local assets can be reached. That process is slow, expensive, and often unsuccessful.
The real-world outcome of all of this: when an offshore IT contractor exfiltrates data and sells it, the US customer’s contractual remedies against the individual perpetrator are usually theoretical. The customer may recover from the offshore provider’s insurance (if the provider carries any), from the provider’s US-based parent (if there is one), or — most commonly — from no one. The losses sit on the customer’s balance sheet.
This is the part of the offshore-staffing argument that does not get said out loud during the procurement conversation. It should.
The compliance constraint — which regulated industries effectively cannot use offshore IT
For a meaningful slice of the US economy, the offshore-IT question is not a risk analysis at all. It is foreclosed by regulation.
HIPAA. HIPAA does not categorically prohibit offshore handling of Protected Health Information (PHI), but it requires the covered entity to ensure that any business associate (and subcontractor) handling PHI complies fully with HIPAA, including the Security Rule’s administrative, physical, and technical safeguards. Multiple state Medicaid programs and several private payers contractually require US-based-only PHI handling, and the federal Affordable Care Act prohibits state Medicaid payments to entities located outside the United States for healthcare items or services (Source: Holland & Knight, U.S. Health Data Affected by New National Security Restrictions on International Data Transfers, 2025; Paubox, Can PHI be transferred outside of the United States?; CMS guidance on offshore subcontractors). In addition, the 2024 federal rule on bulk sensitive personal data restrictions imposed new constraints on transfers of US health data to certain countries of concern. The cumulative practical effect: most healthcare-adjacent organizations of any size find offshore IT handling of PHI to be operationally untenable, even where it is technically permissible.
ITAR (International Traffic in Arms Regulations). ITAR governs defense-related articles, services, and technology. Access to ITAR-regulated technical data by anyone who is not a US person, a category defined narrowly as US citizens, US lawful permanent residents (green-card holders), and certain protected persons, constitutes a regulated export, even if the access happens on US soil and at a US-owned company. An IT contractor who is not a US person and who has technical access to ITAR-controlled systems creates, by the act of having that access, an ITAR violation. Penalties are substantial — civil fines up to $500,000+ per violation, criminal fines up to $1,000,000 per violation, and prison terms up to 20 years (Source: Sharetru, ITAR Requirements for Your Employees; US State Department ITAR enforcement guidance). Any company in the defense supply chain — including dual-use technology suppliers, certain manufacturing companies, and many engineering services firms — must staff IT roles that touch ITAR data with US persons. The North Korean IT-worker scheme described above included exposure of ITAR data through this exact mechanism.
CJIS (Criminal Justice Information Services). The FBI’s CJIS Security Policy governs access to criminal justice information. Personnel screening requirements include fingerprint-based background checks, citizenship verification, and continuous evaluation. Offshore personnel cannot be screened to the standard CJIS requires, which makes offshore IT handling of CJIS data effectively forbidden for any organization operating under CJIS rules — primarily law enforcement and the public-safety supply chain (Source: NuHarbor Security, CJIS Compliance Requirements: The 2026 CJIS Checklist; FBI CJIS Security Policy).
PCI DSS. PCI DSS is a global standard, so offshore handling of cardholder data is not categorically prohibited. But the standard’s requirements for personnel screening, role-based access, audit, and incident response are difficult to enforce across an offshore arrangement without significant additional control overhead — which most SMBs cannot afford to staff. In practice many PCI-in-scope SMBs default to onshore processing.
State-level financial and insurance regulations. Multiple states impose data-handling and personnel requirements on insurance, financial-services, and broker-dealer firms that effectively constrain offshore IT involvement in customer-data systems.
FedRAMP and US-government work. US-government work generally requires US persons, US-based facilities, and (for higher impact levels) cleared personnel. Offshore IT support is structurally incompatible with most government engagements.
The summary: across healthcare, defense, public-safety, government-adjacent, and a meaningful share of financial-services work, offshore IT support is either prohibited outright, prohibited as a practical matter, or requires control overhead that erases the cost advantage that motivated the offshore choice in the first place.
If your organization touches any of those domains, the offshore conversation is over before it starts. Your IT provider’s staffing model has to be onshore.
What real US-citizen, US-based staffing looks like — vetting, accountability, recourse
The structural advantage of US-based US-citizen staffing for IT support is not patriotism. It is verifiability and reach.
What is verifiable about a US citizen IT-support employee:
- Identity. Social Security Number, federal tax records, US-issued government ID. Identity-verification services can confirm these to a high degree of confidence.
- Criminal background. Federal and state criminal record checks (FBI Identity History Summary, state-level records, county-level records) cover the working life of the candidate within the United States.
- Citizenship status. I-9 and E-Verify confirm right-to-work and citizenship status to the standard the federal government uses for its own hiring.
- Credit and financial history. Credit-history checks (where job-related and locally legal) give signal on financial stress — a known input to insider-threat risk.
- Employment history. Verifiable through prior employers in the US labor market.
- Continuous evaluation. For roles with sensitive access, ongoing monitoring (court-records subscriptions, credit re-pulls, behavioral monitoring) is operationally feasible and routinely done.
What is verifiable about an offshore contractor:
- Identity confirmed by the offshore provider’s own HR processes, with no independent US-side verification mechanism.
- Background checks performed under the local jurisdiction’s standards, which vary widely and are often not equivalent to US standards.
- Citizenship and right-to-work confirmed under the local jurisdiction’s law — which says nothing about whether US data should be handled by the worker.
- Credit history and continuous evaluation generally not performed.
- Employment history confirmed only to the offshore provider’s satisfaction.
What is enforceable against a US-based US-citizen IT worker who exfiltrates data:
- US federal criminal prosecution under the Computer Fraud and Abuse Act, Economic Espionage Act, and various state computer-crime statutes. Felony exposure with substantial prison terms.
- Civil lawsuit for breach of contract, breach of fiduciary duty, conversion, and tort claims. Judgment enforceable against the worker’s US assets, US wages, and US bank accounts.
- Regulatory enforcement (HIPAA, GLBA, state privacy law) directly against the individual where the statute permits.
- Industry consequences — license revocations, employer references, professional debarment.
What is enforceable against an offshore IT worker who exfiltrates data:
- US criminal prosecution requires the worker to be present in the US or to be extradited. Extradition for non-violent computer crime is rare and slow.
- Civil judgment in US court is largely uncollectable absent a separate domestication action in the worker’s home country.
- Local prosecution depends entirely on the willingness and capability of the worker’s home jurisdiction.
- Industry consequences are bounded by the home jurisdiction’s labor market and regulatory framework.
The asymmetry is large, persistent, and structural. Hiring a US-based US-citizen IT worker buys your organization meaningful legal recourse if something goes wrong. Hiring an offshore contractor very often does not. Whether you ever need that recourse is a probability question. Whether you have it at all is a structure question.
How goCloudOffice is staffed — and why
We staff every customer-facing role and every role with access to customer data with US citizens working in the United States, end to end. No offshore subcontractors, no offshore tier-one helpdesk, no offshore after-hours queue. The 24-hour coverage we provide is delivered by US-based US-citizen staff on a follow-the-sun rotation across US time zones.
We made this choice for three reasons, in this order:
- Customer-data risk reduction. The wage-arbitrage gap and the dark-web economics described in this piece make offshore staffing of IT support a structural insider-threat exposure for our customers. Eliminating the structure eliminates the exposure.
- Legal recourse for the customer. If, despite our screening, a goCloudOffice employee ever exfiltrates customer data, US courts can reach that person. The customer’s contract with us is enforceable. The customer’s breach-notification, indemnification, and recovery rights have somewhere to land.
- Compliance fit for regulated customers. A meaningful share of our customer base is in healthcare, financial services, professional services, and the defense supply chain. Onshore-only staffing is the only way to serve those customers without forcing them into structural compliance violations.
The cost of this choice is real. Onshore-only staffing is more expensive than the offshore-tier-one model that dominates much of the SMB MSP market. We absorb that cost into our productized pricing and we believe — with the data in this piece behind us — that customers who understand the geometry choose this model on the merits.
You should not take our word for it. You should test our claim. Every customer-facing employee who answers your tickets is identifiable by name in our portal. We will tell you, in writing, where every person who has access to your environment is physically located and what their citizenship status is. If we ever change that policy we will tell you in advance, in writing.
How to verify any IT provider’s actual staffing — concrete questions to ask
If you take nothing else from this piece, take this question set. Ask any IT provider — current or prospective — these questions in writing and require written answers. The provider’s willingness or unwillingness to answer is itself one of the most informative signals you will receive.
1. “Where are the people who answer my tickets physically located, and what are their citizenship and work-authorization statuses?”
The answer should be specific to physical city or country, not “our global delivery network.” If the provider cannot or will not produce names, locations, and authorization statuses for every person with access to your environment, that is the answer.
2. “Do you use any offshore subcontractors, BPO providers, or remote workers operating from outside the United States — for any function, including tier-one support, monitoring, after-hours coverage, or back-office work?”
The honest answer is often yes, even from providers who market as US-based. The differentiator is disclosure. Get it in writing.
3. “What is the background-check standard for personnel with access to my environment, and what jurisdiction’s standard is it?”
A US-standard background check (FBI fingerprint check, state criminal records, E-Verify, credit history) is verifiable. A check performed under another jurisdiction’s standards is not equivalent.
4. “If an employee of yours exfiltrates my data, what is your contractual liability and what is your insurance coverage?”
Cyber liability insurance, errors-and-omissions coverage, and a named indemnification clause should all be specific. “We carry comprehensive insurance” is not an answer.
5. “Are you compliant with HIPAA / PCI / CJIS / ITAR / FedRAMP [whichever applies]? Show me your most recent assessment.”
For regulated customers this is not optional. Most offshore-inclusive arrangements cannot meet these standards.
6. “If I file a claim against you for data exfiltration by your personnel, where is the dispute adjudicated, and what jurisdiction’s law applies?”
A contract with a US choice-of-law clause and a US dispute-resolution forum is enforceable in US courts. A contract with foreign choice-of-law, foreign forum, or arbitration in a foreign jurisdiction is materially weaker.
7. “Will you allow me to audit, in person or remotely, the physical sites where my data is handled?”
A US-based provider will say yes. A provider with offshore handling may say yes in theory but in practice has never accommodated such an audit.
A provider who answers all seven questions clearly, in writing, with verifiable specifics, has earned the right to be considered. A provider who deflects, generalizes, or refuses to put answers in writing has told you what you needed to know.
What this means for the buyer
Offshore IT support is not categorically wrong, and we are not arguing that it is. There are large mature US enterprises with sophisticated security, audit, and incident-response capabilities that successfully manage offshore arrangements at scale, with full visibility into their own risk posture. They make the trade-off knowingly.
For a small or mid-sized business — the 5-to-50-employee company without a dedicated security team, without a legal department capable of pursuing cross-border recovery, without the audit infrastructure to monitor offshore subcontractors — the trade-off rarely pencils out. The wage-arbitrage gap is exactly as wide for the SMB customer as for the enterprise customer, and the recourse asymmetry is exactly as one-sided. What the SMB customer lacks is the infrastructure to absorb the downside if it happens.
The structural answer for the SMB customer is to insist on US-based US-citizen staffing for any role with access to your data. The cost difference is real, and it is also the cost of the legal recourse and the compliance fit you are quietly buying along with the support.
If you want to see what that model looks like end-to-end for a company your size, the build flow gives you the price and the scope in five minutes. If you would like to walk through the staffing model with a real human, a 15-minute conversation is the fastest way to get answers to all seven questions above for your specific situation. We will give you written answers to every one.