The Tech Sales Newsletter #85: Corporate espionage is a “growth hack”

Every now and then, tech sales brings a new twist on an old tale.

Asymmetry of information has always been one of the most important ways to get an edge over your rivals through the ages. No matter how good your execution is, sometimes knowing the right secret can give your opponent leverage over you.

This is the story of how the leadership at Deel allegedly took this principle one step further than what our laws and common decency allow for.

The key takeaway

For tech sales: It's very difficult to see how this doesn't lead to a lot of companies closing up access for most employees to key sales systems and workflows that we use day-to-day. It's also likely that we will start seeing more investigations into "unusual" behaviour, some of it potentially used to justify also terminations of "inconvenient" employees. In regards to Deel sales leadership - there are no excuses for how this played out. Rogue behaviour by the executives is one thing, but the information that was obtained was used repeatedly (often on a daily basis). It's extremely unlikely that there weren't multiple sales leaders at Deel not only aware of what was going on, but actively benefiting from it.

For investors: The thing about "controversial" and "aggressive" companies is that you never know when a founder might decide that the ends justify the means and will authorize a project with devastating reputational and legal damages. Losing your full investment here is not an unlikely scenario, particularly since it will be difficult to sue for being defrauded.

The Deel Spy and his singular mission

This case exposes a calculated and unlawful corporate espionage scheme, orchestrated by Deel, a global, multi-billion-dollar technology company. In a brazen act of corporate theft, Deel cultivated a spy to systematically steal its competitor’s most sensitive business information and trade secrets.

This was not an isolated act of misconduct—it was a deliberate attack, perpetrated for over four months, designed to steal and weaponize critical competitive data, including a competitor’s sales leads, sales pipeline, and its entire playbook for pitching prospective clients. These stolen goods appear intended to be deployed across the Deel organization to gain an unfair market advantage, including by:

● Deel’s Sales and Marketing functions to target the competitor’s leads and pipeline;

● Deel’s Customer Retention function to leverage stolen pricing proposals to lock in customers;

● Deel’s Recruiting function to exploit the competitor’s internal phone directory to attempt to poach key personnel; and

● Deel’s Communications and PR functions to combat and distort negative press cycles.

Most shockingly, these espionage efforts appear to have been directed by the highest levels of Deel’s leadership, including, upon information and belief, Philippe Bouaziz – Deel’s Board Chair, Chief Financial Officer, and the father of the CEO – or those closest to him.

The core of the allegations are related to suspicious activity by a Rippling contractual employee who within the case document is referred to as "Deel Spy" or DS for short. Recently the full name of the individual has been released (Keith O'Brien) as he had to face the Irish court due to breaching the interim order issued against him to stop destroying evidence or continue leaking confidential information.

That investigation revealed that Deel’s spy used Rippling systems to spy on Deel’s own customers, who were discussing a switch away from Deel. The spy searched the term “deel” in Rippling’s systems on average 23 times a day over a four-month period, which allowed the spy to comprehensively capture every detail of Rippling’s sales pipeline competing with Deel, including proposed pricing, details of sales meetings and conversations between Rippling and prospective customers evaluating a switch away from Deel, and training materials for Rippling’s sales organization on how to compete against Deel.

For example, on just one single day—February 21, 2025—Deel’s spy conducted searches that revealed 728 new companies requesting a demo of Rippling’s products; 282 in-depth notes from Rippling account executives on companies that were new prospects in its sales pipeline; and thorough information about 26 new deals with existing customers or prospective clients who were evaluating switching to Rippling directly from Deel. And that is just one single day. These activities were repeated nearly every single day, for over four months.

Astoundingly, this hijacking of Rippling’s most prized data appears to have been orchestrated by Deel’s senior leadership. The smoking gun came earlier this month, when Rippling set forth a test, or what is known by security professionals as a “honeypot.” Rippling knew that Deel was most likely to activate its spy if faced with potentially damaging press, and indeed, that is how the spy originally revealed himself. So, to confirm Deel’s involvement, Rippling’s General Counsel sent a legal letter to Deel’s senior leadership identifying a recently established Slack channel called “d-defectors,” in which (the letter implied) Rippling employees were discussing information that Deel would find embarrassing if made public. In reality, the “d defectors” channel was not used by Rippling employees and contained no discussions at all. It had never been searched for or accessed by the spy, would not have come up in any of the spy’s previous searches, and the spy had no legitimate reason to access the channel. Crucially, this legal letter was only sent to three recipients, all associated with Deel: Deel’s Chairman, Chief Financial Officer, and General Counsel (Philippe Bouaziz), Deel’s Head of U.S. Legal (Spiros Komis), and Deel’s outside counsel. Neither the letter nor the #d-defectors channel was known to anyone outside of Rippling’s investigative team and the Deel recipients.

Yet, just hours after Rippling sent the letter to Deel’s executives and counsel, Deel’s spy searched for and accessed the #d-defectors channel—proving beyond any doubt that Deel’s top leadership, or someone acting on their behalf, had fed the information on the #d-defectors channel to Deel’s spy inside Rippling.

O'Brien, an HR payroll employee, was repeatedly searching for Deel-related transactions and competitive info on Slack and Salesforce. He did this every day in a manner that leaves very little space to doubt that his behavior was accidental and very out of place related to his role and competencies.

Faced with a choice between providing his cell phone for examination pursuant to a lawful court order or going to jail for not complying, the spy chose the latter. In fact, Deel’s spy lied to the court-appointed solicitor about the location of his phone, and then locked himself in a bathroom—seemingly in order to delete evidence from his phone—all while the independent solicitor repeatedly warned him not to delete materials from his device and that his non-compliance was breaching a court order with penal endorsement. The spy responded: “I’m willing to take that risk.”

He then fled the premises.

This now-famous "I'M WILLING TO TAKE THAT RISK" statement has quickly turned into a tech sales meme. In court, he said the following about the exchange:

“I’ve destroyed the phone,” Mr O’Brien told the judge. “I had a breakdown, I was worried about my safety.”

So how did this all started?

On June 20, 2023, an affiliate of Rippling hired Deel’s spy (“D.S.”), because of his experience in global payroll, into a management role at Rippling as its Global Payroll Compliance Manager. D.S.’s responsibilities in that role included hiring payroll specialists, country launches, and setting up payroll processing and operations for approximately 15 countries in which Rippling offers global payroll services. D.S.’s daily responsibilities included managing a team of Global Payroll Operations Specialists to ensure timely and accurate performance of local payroll activities for customers, as well as resolving payroll-related customer escalations related to the countries within his job scope.

As a result of his employment in this role—and pursuant to several contracts he signed in connection therewith, detailed below—D.S. was granted access to: Rippling’s secure internal electronic messaging application, Slack (the “Slack Platform”); Rippling’s Salesforce database (the “Salesforce Database”), which contained confidential information about current and prospective customers; Rippling’s secure Google Drive repository (“Rippling’s Google Drive”); and Rippling’s internal human resources system, which contains information such as names, addresses, and personal cell phone numbers for Rippling employees (the “Rippling HR Platform”). The Slack Platform, the Salesforce Database, Rippling’s Google Drive, and Rippling HR Platform are confidential. Moreover, not all Rippling employees have access to all files stored on these platforms; rather, they must be granted permissions to access specific file. As described above, that restriction is enforced through industry standard authentication protocols.

In this rather entertaining description of how tech companies onboard new employees, basically the guy was hired to do payroll services and because of his manager role he was given full access to the standard set of systems, including Slack, Salesforce, and Google Drive. This is very common tech stack in companies such as Rippling, and access is just given typically to every single new employee onboarded.

DEEL’S SPY BEGINS STEALING RIPPLING’S TRADE SECRETS AND CONFIDENTIAL BUSINESS INFORMATION

As noted above, by virtue of their employment, Rippling employees enjoy access to Rippling Slack channels to aid in their business activities. Moreover, Rippling utilizes various additional software programs in conjunction with Slack, such as Gong, which transcribes telephone calls with customers and prospective customers. These transcripts are then “pushed” to Slack for authorized users to view and query.

In part to ensure that the confidential information in Rippling’s Slack channels is used only for authorized purposes, Rippling employees’ Slack activity is “logged,” meaning every time a user views a document through Slack, accesses a Slack channel, sends a message, or conducts searches on Slack, that activity (and the associated user) is recorded in a log file.

Rippling’s Slack logs show that D.S. began searching and accessing Rippling’s Slack channels at an unprecedented rate beginning in or around early November 2024. Notably, D.S. searched the term “deel” approximately 23 times per day.

The below illustrative example demonstrates why a search for “deel” is powerful and alarming. Namely, this example search shows that “deel” is mentioned in discussions concerning certain Rippling sales leads as well in a discussion related to a potential customer for Rippling’s Professional Employer Organization (“PEO”) product:

Basically, Rippling had decided to go all-in on RevOps automation and has been pushing alerts with actionable info in Slack for faster turnaround of activity.

Also notably, D.S. frequently accessed various channels in “preview” mode allowing him to see the contents of the channels without “joining” them. Although it is more common for Slack users to join a channel to review its contents, joining a channel generates an automated message to the members of the channel identifying the new user who has joined. On information and belief, D.S. chose to review the channels in question in preview mode to avoid alerting the channels’ members that he had accessed them.

The log-generated chart below shows that, between August and October 2024, D.S. rarely previewed any Slack channels, consistent with typical employee behavior. Moreover, on the rare occasions in which he did so, D.S. previewed the channels no more than four times in any given month, and did so for channels like “#ppl-dogs,” a channel dedicated to Rippling employees sharing pictures of their dogs:

One might say that he Got That Dawg In Him.

However, beginning in November 2024, D.S. beginning previewing channels at a rate orders of magnitude greater than he had before—both in terms of the number of channels previewed, and in the number of times he previewed each of those channels:

This doesn’t look good, dawg.

To illustrate a few examples of the Sales and Marketing Trade Secrets and confidential information within Rippling’s Slack channels, D.S. viewed the following slack channels:

● #[redacted]-global-nis: a channel that has only a single member — its creator, Rippling’s Senior Vice President of International Sales. This individual made the channel to pull in and collate summaries of sales calls with promising prospective customers for Rippling’s global products. Several recent entries on the channel describe specific prospective customers currently using Deel and other solutions, but who are interested in Rippling to address specific concerns or objectives. D.S. has viewed the channel 88 times since November 2024.

● #mops-inbound-request-alerts: a channel that records every inbound sales request and contact information for every prospective Rippling customer. Inbound sales requests are prospective customers who contact Rippling to initiate a sales discussion after having viewed Rippling’s Marketing or promotional materials. On one day in February alone, there were over 700 notifications posted in the channel. D.S. has viewed this channel 56 times since November 2024.

● #deal-desk-sales: a channel that includes an automated alert for each sales quote, which includes the name of the customer, the net revenue attributable to the potential sale, the discount to the product’s sticker price applied, the associated sales representative, the date the transaction closed, and a link to the customer account in Rippling’s Salesforce software. Through this channel, D.S. had access to every client name and sales quote dating back to September 10, 2024. D.S. has viewed this channel over 400 times since November 2024.

● “mm-global-high-intent-notifications”: a channel containing an automated feed of every prospective mid-market customer that books a demo with Rippling, along with key details about the customer, including their total domestic and international employee and contractor headcount, existing payroll provider, Rippling products they are most interested in exploring, and a summary of challenges they have faced with prior HR enterprise software. D.S. has visited the channel over 40 times since November 2024, exclusively from his personal mobile phone.

As an example, D.S. accessed this channel 16 times on March 12, 2025. On that single day, the channel captured 65 distinct mid-market prospects seeking to demo Rippling products, along with their entity profile details and HR software objectives. A competitor stealing these details would know exactly where to direct its outbound sales efforts, without having to deploy any of their own resources towards marketing or researching those prospects.

● “PEO-Dealroom”: a channel used for the sole purpose of requesting that a member of the sales team put together quotes for prospective customers of Rippling’s PEO product and who have reached the price-negotiation stage of Rippling’s Sales Pipeline. Knowledge of prospective customers seeking PEO quotes from Rippling and the quotes under discussion internally would enable a competitor to insert itself into every Rippling PEO contract negotiation, without having to spend the marketing budget or sales team resources to source or cultivate those prospects. On February 19, 2025, a single day during the scheme, D.S. viewed this channel 8 times.

In total, Slack logs of D.S.’s activity establish that he secretly viewed and downloaded information from Rippling Slack channels dedicated to prospective clients over 1,300 times between November 2024 and March 2025. Rippling’s forensic investigation has uncovered several examples of how D.S. plundered these prospective customer Sales and Marketing Trade Secrets in a pattern demonstrating an intent to misappropriate them for Deel’s commercial benefit.

For example:

● On March 11, 2025, a new Slack channel was created to discuss a company (“Prospect A”) that was already using Rippling for certain products but was not using Ripping’s HRIS product. A single message was posted, noting that this Prospect A was “exploring options to transition their 90+ international employees from Deel/Personio to a new HRIS platform and are evaluating Rippling.”

● By the very next day, March 12, 2025, D.S. had found and previewed this channel three times, guided by his cornerstone search term, “deel”.

● The Rippling sales team then used the channel to discuss confidential sales strategies to compete for the potential opportunity, including how to address specific pricing structure requests from Prospect A and Prospect A’s implementation objectives.

Little did the team know, there was a spy within Rippling viewing this information with the apparent intention of sharing it with Deel.

As another example: D.S. and Deel deployed this same methodology repeatedly throughout the scheme.

● On February 19, 2025, D.S. searched “deel” 27 times on Slack.

● Reacting to one of the search results, D.S. navigated to a mention of Deel in a channel focused on a particular prospective customer who was considering both Rippling and Deel (“Prospect B”).

● D.S. previewed the channel, which included details for a call scheduled with Prospect B the next day and communications in which Prospect B relayed to Rippling specific concerns with the products and services offered by Deel. The channel also contained the Rippling sales team’s internal pitch strategy discussion, including confidential details about how Rippling planned to highlight certain advantages of its products to address the prospect’s pain points with Deel’s offerings.

● D.S. downloaded to his mobile phone two communications from the channel.

● On February 20, 2025, the day of the scheduled call between Rippling and Prospect B, D.S. previewed the Prospect B-related channel sixty-six (66) times.

● Later that day, Prospect B abruptly canceled the scheduled call with Rippling in which Rippling was going to deliver its proposal—and explained that they were doing so because they had decided to select Deel for the product they were interested in, even though Rippling believes that customer would have been better served by Rippling.

D.S. also misappropriated details about Rippling’s confidential customer retention strategies. In violation of his duties to Rippling, and to improperly benefit Deel, D.S. viewed or downloaded information about Rippling’s existing customers on more than 600 occasions between November 2024 and March 2025, and targeted Slack channels related to customer experience and “churn” risks over 100 times, presumably for identification of vulnerable customer information for Deel to exploit.

For example, D.S. accessed the following channels containing highly confidential information about Rippling’s customer retention strategies:

● #smbrenewaldeck-test: a channel with an automated feed of notes regarding existing Rippling customers who are approaching their renewal date. D.S. viewed this channel 23 times between November 2024 and March 2025. On March 4, 2025, in particular, D.S. previewed the channel 8 times. On that day alone, the channel highlighted 10 customers approaching renewal.

● #in-product-cross-sell: a channel with an automated feed of existing customers who have expressed interest in additional Rippling products. D.S. accessed this channel 13 times. On January 22, 2025, a day when D.S. viewed the channel, the channel captured 14 different cross-sell opportunities.

● #exec-escalations: as described above, a channel recording customer support escalations that may warrant leadership attention. The channel captures details about customer experiences that could be used by a competitor to identify Rippling customers vulnerable to being recruited to a new provider. D.S. previewed this channel 65 times.

D.S. also viewed and downloaded Rippling’s Competitive Intelligence Card for Deel.

This document is a 31-page slide deck that outlines Rippling’s competitive strategy vis-a-vis Deel, product-by-product. As described in further detail above, Rippling uses this document and others like it to train its sales team how to sell against competitors (in this case, Deel) in competitive sales situations. Rippling’s Competitive Intelligence Card for Deel represents extensive, confidential work by Rippling’s sales, marketing, operations, and other teams to develop an effective strategy to engage with customers and explain the unique value of Rippling’s software platform as compared to Deel. Notably, D.S. did not download any of the other eighty (80) Rippling Competitive Intelligence Cards—that is, the cards associated with Rippling competitors other than Deel.

Throughout the scheme, D.S.’s Slack searches frequently followed a distinctive and unusual pattern: he searched for a channel on his personal iPhone, then, moments later, searched for the same channel on his company-issued computer, and then (and only then) did he download a file from that channel. On information and belief, D.S. followed this pattern so that most of his searches would occur on his personal device, on which he was less susceptible to detection, and so that he could reserve the use of his work computer for downloading information that he had determined was worthy of misappropriating.

For example, on January 28, 2025, D.S. searched the “deal-desk-sales” Slack channel from his phone 21 times. On that day, 140 unique customer sales deals were detailed in the channel.

Shortly after one of his visits to the channel that day from his mobile phone, D.S. then accessed the channel from his work laptop and subsequently downloaded certain files returned by his search.

Due the staggering scope of the corporate espionage scheme described in this section—involving over 6,000 queries through Rippling’s Slack channels, where, as described above, a single channel (“mm-global-high-intent-notifications”, or “deal-desk-sales”), may contain dozens or even hundreds of distinct customer or prospect opportunities—the commercial harm

Rippling has already experienced is likely to persist well beyond today. Indeed, each single instance of espionage may cause months of future harm, as Rippling has already seen. For example:

● On December 19, 2024, D.S. searched Rippling’s Slack for “deel” 33 times;

● Among other previews, on this day D.S. viewed the channel “Gong-Stream-Deel-Compete” 13 times;

● The channel, an automated feed of sales calls with customers evaluating Rippling and Deel products in tandem, included mention of an existing Deel customer considering moving to Rippling to address “compliance and payroll challenges as the company has grown” (“Prospect C”) and Rippling’s pitch strategy, noting the products that appeared to resonate most with the prospect; and

● The prospect ultimately signed with Deel.

This is basically the meat of the story. There are a couple of obvious things here:

1. The behavior was intentional, coordinated, and malicious in nature.

2. Logically, placing all the blame solely on O'Brien and the Deel executives would let numerous sales leaders off the hook. There was repeated activity stemming from new information being accessed daily. This means that sales reps took proactive actions as a consequence of the information they received. I wouldn't go so far as to claim that the reps were communicating directly with O'Brien; it's much more likely that they were simply given orders by their sales leaders.

   I would advise against hiring any sales manager who was active during this period at Deel and did not resign. While receiving one or two off-hand tips happens regularly in day-to-day operations, a constant stream of activity followed by directives to take action makes it very difficult to feign ignorance of the scheme.

   I'm not going to name names, but you know who you are. Shame on you and the complete lack of integrity you have displayed during this period.

   3. From a purely OpSec perspective, any use of company assets even on personal devices can be tracked and utilized against you, regardless of jurisdiction. Expect this to be utilized more proactively by companies going forward.

ON INFORMATION AND BELIEF, DEEL INDUCED THE THEFT OF RIPPLING EMPLOYEE CONTACT INFORMATION

In addition to misappropriating Rippling’s Sales and Marketing Trade Secrets, Deel appears to have induced its spy to misappropriate contact information for Rippling employees of his own team, the Global Payroll Operations Team.

Between January 29 and February 17, 2025, at least seventeen (17) members of Rippling’s Global Payroll Operations Team were contacted about similar jobs at Deel and at least ten reported receiving offers from Deel. Several of the team members reported that these offers were made without any substantive interview, and only after direct unsolicited contact from Deel’s Chief Operating Officer, Dan Westgarth. Some of these team members were contacted directly via WhatsApp, a messaging application that requires knowledge of a person’s mobile phone number to send a message.

In one telling case shown below, on January 23, 2025, Mr. Westgarth messaged a member of Rippling’s Global Payroll Operations Team on LinkedIn, presumably because he did not have this individual’s phone number. Four days later, on January 27, 2025, D.S. visited this individual’s page in Rippling’s internal personnel directory, which contains employees’ personal phone numbers. Later that same day, Mr. Westgarth messaged the team member on WhatsApp:

Some of the Rippling employees who received unsolicited contact from Deel expressed concern about this contact because they did not know how Deel had access to their personal data. Some of the contacted employees had not updated their public profiles on sites like LinkedIn, so Deel could not readily determine from public sources their current position in Rippling or even (for some of them) that they worked at Rippling at all. Some of the employees also noted that their phone numbers were de-listed. As a result of these employee concerns, Rippling opened a security investigation into the matter in early February 2025, but did not identify an internal source at that time. After conducting additional forensics in February and March 2025, Rippling believes that D.S. likely provided contact information on some or all of these individuals to Deel.

While this can be excused with "oh, they were just prospecting these", the fact that they specifically targeted multiple employees for non-essential functions over a prolonged period of time shows intent in destabilizing Rippling's operations.

RIPPLING DISCOVERS D.S.’S THEFT OF RIPPLING’S SALES AND MARKETING TRADE SECRETS AT DEEL’S BEHEST

On February 18, 2025, an investigative reporter at The Information contacted Rippling about a forthcoming article concerning Deel’s Russia-related sanctions activity, noting he had “been working on a story on Deel for the past few weeks” that “started as an exercise to look into the veracity of that lawsuit I previously reported on.” This reporter was referring to his January 9, 2025, article entitled “Deel Accused of Money Laundering, Sanctions Failures in Lawsuit,” which reported on Damian v. Deel Inc.,

The reporter’s email listed eleven assertions regarding supposed issues at Rippling relating to payments into Russia and other sanctioned jurisdictions. Each individual assertion was followed by internal Rippling Slack messages thirteen messages in total—that supposedly supported or related to the assertion (the “Shared Slack Messages”). As Rippling explained to the reporter, these assertions did not hold water—to be clear, Rippling has never transmitted a payment to a sanctioned country, individual, entity or bank, including Russia—but the fact that internal Rippling Slack messages (which are only available to Rippling employees) were in the possession of someone other than a Rippling employee caused Rippling to immediately open a security investigation.

An analysis of the Shared Slack Messages revealed that these messages came from thirteen different channels in Rippling’s Slack workspace, and that the messages all contained certain searchable keywords (“Russia,” “Belarus,” “Iran,” “Syria,” and/or “Sanctions”). Rippling’s investigators proceeded to review Slack log files. Upon review, Rippling learned that a single account associated with a single Rippling employee—D.S.—had searched for specific, targeted, and highly unusual names and keywords that corresponded with the Shared Slack Messages. Rippling further learned from the various Slack logs that the searches were tied to specific internet protocol (IP) addresses associated with D.S.’s location in Ireland, strongly suggesting that it was D.S. himself (rather than someone with D.S.’s login credentials impersonating him) conducting these searches.

Rippling’ forensic research revealed that D.S. had specifically conducted targeted keyword searches on each of the eleven points raised by The Information’s reporter in and around the time Rippling was contacted by that reporter, including:

a. D.S. first searched the term “Russia” on February 12, 2025. From that date until February 27, 2025, D.S. searched the term “Russia” 157 times, an average of almost 9 times per day.

b. D.S. first searched the term “Belarus” on February 13, 2025. From that date until February 27, 2025, D.S. searched the term “Belarus” 39 times, an average of almost 4 times per day.

c. D.S. first searched the term “OFAC” (i.e., U.S. Office of Foreign Assets Control, a regulator responsible for sanctions controls) on February 17, 2025. From that date until February 27, 2025, D.S. searched the term “OFAC” 42 times, an average of over 5 times per day.

d. D.S. first searched the term “sanctioned” on February 13, 2025. From that date until February 27, 2025, D.S. searched variations of that term (including using that term in combination with other terms like “payment”) a total of 31 times.

e. D.S. first searched the terms “Michael Roddan” or “Roddan” (the reporter’s name) as well as “the information” (the reporter’s outlet) on February 21, 2025. Over the following six days, up until the publication of The Information’s article, D.S. searched the reporter’s name 15 times and his outlet’s name 31 times.

As with any other conspiracy, the situation starts to fall apart as behavior becomes more brazen and uncontrolled. Conducting business in sanctioned countries is a significant compliance risk for companies processing financial information.

Based on the timing of the reporter’s investigation, Rippling’s forensic analysis team identified D.S. as the source of the Shared Slack Messages referenced in the reporter’s February 18, 2025, email. On information and belief, D.S. conducted these searches to assist Deel’s communications team, led by Elisabeth Diana, Deel’s Vice President of Communications, in an effort to reframe an upcoming story about Deel’s sanctions issues into one about a Deel-versus- Rippling rivalry.

The obvious question here, Elisabeth, is why did you consider leaking these screenshots to The Information as acceptable in any shape or form. Another “high integrity” hire.

The honeypot

RIPPLING ESTABLISHES A CLEAR CONNECTION BETWEEN DEEL’S SPY AND DEEL

Collectively, D.S.’s activities documented above suggest strongly that D.S. has acted at the behest of Deel since at least November 2024. However, three additional activities by D.S. make the connection certain: (1) D.S. meeting with Deel in December 2024; (2) D.S. searching for “Tinybird” without any lawful reason to know a company by that name existed; and, most tellingly, (3) D.S. searching for and accessing a Slack channel (“#d defectors”) which established a clear link between D.S. and Deel.

December 2024 Meeting Between D.S. and Deel.

While D.S. was logged into his Rippling work browser on December 9, 2024, he reviewed an email to himself indicating that he had a scheduled meeting with Deel that afternoon—approximately one month after his pattern of suspicious activity began. D.S.’s browser history also reveals that, on that same day, he searched for an email thread with “alex@deel.com” (Deel’s CEO), which produced an email presumably from Deel’s CEO to D.S., titled in part “Intro” with “Olivier.” “Olivier” likely refers to Olivier Elbaz, Deel’s Head of Global Expansion and a Senior Advisor at Sarona Ventures, a venture capital fund started by the Bouaziz family and early investor in Deel. On information and belief, based upon the browser history described above, on December 9, 2024, D.S. met, either electronically or in-person, with one or both of Alex Bouaziz (Deel’s CEO) and/or Elbaz.

Tinybird.

On February 27, 2025, when The Information published the article for which its reporter sought comment from Rippling, Rippling learned two important things for the first time: (1) that Tinybird, a startup discussed in the article, is Deel’s customer, and (2) that Tinybird reportedly made payments to sanctioned Russian banks using the Deel platform; specifically, “Tinybird [] followed instructions currently hosted on the website of a sanctioned Russian bank that guided companies on how to skirt sanctions rules by using Deel.” Prior to the publication of this article, no one at Rippling—including D.S —had any work-related reason to know about any connection between Tinybird and Deel, let alone search that name through Rippling’s Slack archives.

Nevertheless, Rippling’s investigation revealed that D.S. had searched for “tinybird” 20 times between February 19 and February 20—over a week before The Information’s article was published—and also ran other search terms related to The Information’s then-upcoming story.

#d-defectors. Upon learning of the “Tinybird” searches, Rippling strongly suspected that Deel was directing D.S.’s actions. But to ensure its suspicions were correct, Rippling conceived of a test (known in the security world as a “honeypot”) that would leave no doubt, utilizing Rippling’s understanding that Deel activated its spy when it perceived potential reputational damage (as it had with “tinybird”).

The evening of March 3, 2025, Rippling’s General Counsel sent a letter to three individuals: (1) Philippe Bouaziz, Deel’s Board Chair, Chief Financial Officer, General Counsel, and father of Deel’s CEO, (2) Spiros Komis, Deel’s Head of US Legal, and (3) an employment attorney at Deel’s outside law firm.

Rippling’s letter included a screenshot of a Slack message from its Chief Revenue Officer Matt Plank, referencing a “#d-defectors” Slack channel along with three points, which were all believed to be true but redacted for dramatic effect. The screenshot and reference to #d-defectors was intended to indicate to Deel that Rippling had a Slack channel for ex-Deel employees now employed by Rippling where they shared embarrassing information about Deel and that the channel contained information which would cause negative press attention if revealed. Rippling believed this would be extremely interesting to Deel:

In truth, the renamed #d-defectors channel did not exist until March 3, 2025 (or early morning March 4, 2025, Irish Time (UTC)). Rather than being a gathering place for ex-Deel employees, the channel was set up as part of a ruse designed to confirm that Deel was instructing D.S. to search for specific information in Rippling’s Slack.

Deel—through D.S.—took the bait. Within hours of Rippling sending the letter referencing the #d-defectors channel—again, a channel that existed only as bait for Deel, and one which D.S. could not have known existed absent a connection between himself and Deel—D.S. ran the following searches in Slack:

D.S. also accessed the #d-defectors channel five times that same day. For avoidance of doubt, before March 3, 2025, D.S. had never searched for the term “defectors” in Slack. Further, and crucially, at the time the letter was sent to Deel, no one at Rippling (apart from the investigations team) had ever viewed the (new) #d-defectors channel.

The results of Rippling’s honeypot operation left no doubt: Deel’s senior leadership or those closest to them were directing D.S.’s actions, in furtherance of Deel’s business interests and to harm Rippling and its customers.

The rest of the story finishes with the now-famous toilet flush drama.

PRAYER FOR RELIEF

Wherefore, Rippling respectfully requests that judgment be entered in its favor and against Deel and Does 1-100, jointly and severally, including:

1. Awarding compensatory damages in an amount to be determined at trial;

2. Awarding exemplary and/or punitive and/or treble damages in an amount to be

determined at trial;

3. Awarding interest at the maximum legal rate on all sums awarded;

4. Awarding reasonable attorneys’ fees as permitted by law;

5. Awarding all costs of suit herein; and

6. Awarding such other and further relief as the Court deems just and proper.

JURY DEMAND

Plaintiff Rippling hereby demands a trial by jury as to all issues so triable in this case.

As with all good stories, it's important to remember that at one point, Deel was an actual customer of Rippling. This is the email that concluded that relationship (delivered from a Rippling Prez Club winner for '21, '22, and '23):

However this plays out going forward, it's important to remember that business ethics exist for a reason. Very few important players will do business with you if your reputation is tainted. For Deel as a company, this will likely get ugly. For the employees that supported this, you will never get a sniff at another S-tier role for the rest of your tech sales career.

More importantly, this is being submitted as a RICO case. What that means is that very likely a significant amount of incriminating information will need to be submitted as part of the case (or it's being actively destroyed now, which will have its own consequences).

The sales leaders who drove the operational implementation of this will be found liable. And that's before the founders of Deel do exactly what they have shown to be very good at - try and get an advantage by any means necessary.

I hope that extra couple of percentage points of quota attainment was worth it.