Rippling Sues Deel

Rippling ($14B HR company) just filed a lawsuit accusing Deel ($12B HR Company) of corporate espionage, trade-secret theft, and cultivating a spy within Rippling.

And you thought SaaS was boring?!?! Netflix documentary coming soon?

If the accusations in the lawsuit are true then this is one of the most insane things to happen in the software world:

• Creating a spy at a competitor

• Spy steals TONs of competitive information

• Rippling creates a “honeypot” trap to prove that top leadership was involved

• Spy hides in the office bathroom when confronted, tries to flush his phone down the toilet, and then runs away (and now faces imprisonment in Ireland)

Let’s dig into this insane story…

*Note - these are allegations from Rippling’s lawsuit and the story is still unfolding. So far it is only being told from Rippling’s point of view so we need to wait before making too many judgements.

Catching a Spy

According to the lawsuit, Deel cultivated a Rippling employee to conduct thousands of suspicious searches and funnel stolen confidential business intelligence directly back to Deel.

Per the lawsuit, the Deel spy (Rippling employee) used Rippling systems to steal all kinds of confidential information:

• Sales data to get unfair competitive advantage on sales prospects

• Data on Deel’s own customers that might be switching to Rippling

• Pricing and other customer retention data

• Internal employee contact information (to poach Rippling talent)

• And other confidential data relevant and helpful to Deel

Unusual Activity

The spy searched the term “Deel” in the competitor’s systems on average 23 times a day over a four month period, which allowed the spy to comprehensively capture every detail of Rippling’s sales pipeline competing with Deel, including proposed pricing, details of sales meetings and conversations between Rippling and prospective customers evaluating a switch away from Deel, and training materials for Rippling’s sales organization on how to compete against Deel.

The Deel spy had been employed at Rippling since June 2023 but only started searching “Deel” within Rippling’s Slack in November of 2024. And he searched it A LOT since that time…Perhaps an indication on when he became a Deel spy.

The other obviously suspicious activity of the spy is the number of times he “previewed” various company Slack channels that he had no businesses viewing. Slack allows users to “preview” a Slack channel without joining it. The reason to only preview the channel is because if you join a Slack channel the Slack channel members are alerted of the new person that joined. And since the spy had no business being in those channels the spy didn’t want to trip any alarms by joining the channels.

He previewed a lot of channels….

I was surprised that Rippling was able to get this level of information from Slack analytics, but turns out that typically companies don’t have this level of detail. Rippling worked with Salesforce.com (Slack’s parent company) to run these searches on their logs.

The “Honeypot” Trap

All of the spy’s unusual online activity/searches in Rippling databases raised red flags for Rippling’s security team. After the security team continued to dig, it likely became clear what was going on.

But the big question for Rippling was how high up at Deel did the espionage go?

It is one thing to prove that someone like a sales rep at Deel is stealing secrets, but a REALLY huge deal if they can prove that Deel’s top leadership was involved.

This is where the investigation turned into a Netflix-style investigation crime documentary. Rippling set up a “honeypot” to prove how high up the espionage within Deel went.

Honeypot = a decoy system designed to attract and trap cyber attackers, allowing security professionals to catch the spies without endangering real systems.

Rippling crafted a letter that was sent to Deel that referenced an empty Slack channel in Rippling’s corporate Slack instance called “d-defectors,” and implied the Slack channel contained messages that Deel would find embarrassing if made public.

The letter was apparently sent to only three people at Deel:

1. Phillipe Bouaziz, the chairman of Deel’s board, CFO, General Counsel

2. Spiros Komis, Deel’s Head of US Legal

3. Deel’s outside counsel

No one knew about the Slack channel except for Rippling’s investigation team and those three Deel leaders.

But…within hours of sending the letter, Deel’s alleged spy inside of Rippling searched for this empty and never-before-used Slack channel. This in theory proves that Deel’s top executives or its legal representatives (or people very close to them) were running the covert espionage operation.

Confronting the Alleged Spy

Rippling got a court order from Ireland (where spy was located) to obtain the spy’s phone for further evidence. When the court-appointed solicitor confronted the spy, the spy ran to the bathroom and refused to turn over his phone.

When told he must give up his phone (and not delete anything) or he will be imprisoned the spy said the following and then ran away:

I’m willing to take that risk [of violating the court order] — alleged spy

Not really the actions of an innocent person…

Important Lessons

Good security teams are critical

The majority of companies probably would not have caught this. Or it would have taken much longer. Kudos to Rippling’s security team for uncovering it. Don’t neglect mission critical functions like your security team. When things are going well, you never hear of issues but that doesn’t mean they aren’t stopping potentially big problems.

Security and IT are watching…

Not sure if this is true…but don’t do stuff like this. You will probably get caught (eventually). The tools for monitoring employee activity are REALLY good and getting better. Your management team may be getting reports of all your activities (I know a lot of companies that do this).

My ethics test is the following:

How would I feel if my actions were reported on the front page of the newspaper?

Cost of corporate espionage can be HUGE

It’s not something we talk about a lot because it happens so infrequently (at least it isn’t caught that often), but there are some potentially massive costs for this type of alleged espionage.

Some of the big costs include the following:

• Significant lost of employee time/attention in investigation and the aftermath

• Lost employees from competitor stealing top talent

• Lost sales competitive advantage. Deel allegedly stole lots of important information pertaining to sales to new customers and retaining existing Rippling customers. Lost SaaS ARR is massively expensive (read my unit economics post)

  • Lost new business

  • Increased churn

  • More pressure on Rippling pricing due to the unfair advantage that Deel allegedly obtained

• Cost of hiring an investigative firm, attorneys, etc

What Happens Next?

The ball is now in Deel’s court. Rippling provided a lot of evidence so Deel must now respond.

Rippling is not yet able to prove conclusively that Deel execs (like the CFO) were involved. It only seems likely that someone high up within Deel was involved given the evidence found in the honeypot trap.

Next steps are probably something like this:

• Deel to hire own investigation team. Deel will conduct its own internal investigation to determine what (if any) wrongdoing occurred and who was involved. They must do this given the evidence and the lawsuit.

• The legal process happens. Deel has a certain amount of time to respond, then there is a discovery phase, legal battles, etc.

This legal process can take a long time, but given the evidence and very public nature of the lawsuit, Deel will need to move fast because now it is going to be very damaging to Deel’s business.

Final Thoughts

Again, these are all alleged crimes as of right now. While there seems to be strong evidence that there is wrongdoing, we don’t know exactly who was involved yet.

1. Strong corporate governance is critical (including the appearance of it). Regardless if the CFO was involved, the CFO being the CEOs father is usually a bad idea. Make sure corporate governance is strong.

2. Good job Rippling security team! Luckily very few security teams have a high-profile breach like this, but Rippling’s security seemed to have been on top of the issue. I suspect many companies would have never caught this or it would have taken a lot longer.

Footnotes:

• Check out these 25 actionable ideas for CFOs in 2025 from NetSuite

• Check out OnlyExperts to find offshore accounting resources. They have some amazing talent for 20% the cost of a U.S. hire