> On February 18, 2025, an investigative reporter at The Information contacted Rippling about a forthcoming article concerning Deel’s Russia-related sanctions activity, noting he had “been working on a story on Deel for the past few weeks” that “started as an exercise to look into the veracity of that lawsuit I previously reported on.” This reporter was referring to his January 9, 2025, article entitled “Deel Accused of Money Laundering, Sanctions Failures in Lawsuit,” which reported on Damian v. Deel Inc., No. 25-cv-20017 (S.D. Fla. Jan. 3, 2025). 84.
>
>
> The reporter’s email listed eleven assertions regarding supposed issues at Rippling relating to payments into Russia and other sanctioned jurisdictions. Each individual assertion was followed by internal Rippling Slack messages—thirteen messages in total
This is a fantastic example of applying deception strategies in practice as part of a detection & response plan. The most common use case is as a canary, but it absolutely works as evidence of compromise, too.
I won't comment on the specifics of the case (the complaint comes across as very convincing), but I will remind people that it's common for investigations to ostensibly show an employee doing bad things, when in reality it's e.g. that employee's credentials/devices that are compromised.
Parker Conrad’s X thread is good: https://x.com/parkerconrad/status/1901615179718406276
Here’s the full complaint: https://rippling2.imgix.net/Complaint.pdf