In July, a criminal organization contacted a BBC cyber correspondent on the Signal app and offered him a share of a ransom payment in exchange for internal access to his employer’s computer systems. The incident provided a direct look into how cybercriminals attempt to recruit insiders to facilitate attacks.
The recruitment attempt
The unsolicited message came from an individual identified as “Syndicate,” who made a direct proposal for an insider-threat collaboration.
“If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
The correspondent, Joe Tidy, consulted with a senior editor and decided to engage with the individual to gather intelligence on the group’s methods. Feigning interest, he requested more details on how the plan would work. The contact, now named “Syn,” explained that the process would involve the reporter providing his corporate login credentials, which the gang would use to infiltrate the BBC’s network, deploy malicious software, and demand a ransom in bitcoin.
The negotiation
As the conversation continued, the financial incentive was significantly increased. The initial 15% offer was raised to 25% of a ransom that Syn projected could be in the “tens of millions.”
“We aren’t sure how much the BBC pays you but what if you took 25% of the final negotiation as we extract 1% of the BBC’s total revenue? You wouldn’t need to work ever again.”
To build trust, the contact, who identified himself as a “reach out manager” for the cyber-crime group Medusa, claimed to have successfully struck deals with insiders in past attacks, naming a UK-based healthcare company and a US-based emergency-services provider as previous victims.
The hackers’ identity
Medusa is a known ransomware-as-a-service (RaaS) group, which allows criminal affiliates to use its malicious software to launch attacks in exchange for a share of the profits. The group’s administrators are believed to operate from Russia or an allied state and reportedly avoid targeting organizations within that region. To prove their credibility, the contact sent the reporter a link to a public warning about Medusa issued by US cyber authorities in March, which noted the group had compromised more than 300 victims.
From conversation to attack
The tone shifted as the criminals grew impatient, urging the reporter to make a deposit of 0.5 bitcoin (approximately $55,000) to secure a guaranteed minimum payment. They began asking specific technical questions about the BBC’s IT network and sent a snippet of computer code, instructing the reporter to execute it on his work laptop to reveal his level of internal access.
After the reporter stalled for time, the criminals escalated their tactics. His phone began receiving a constant barrage of two-factor authentication notifications from the BBC’s security login app. This technique, known as MFA bombing or Multi-Factor Authentication fatigue, is designed to overwhelm a target with approval requests, hoping they will accept one by mistake or out of frustration.
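A defender can spot the notification barrage described above in authentication logs. The sketch below is an added example, not code from the BBC or the original article; the log format, user names, window and threshold are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed tuning value
THRESHOLD = 5                   # assumed: unapproved pushes per window

# Constructed sample events in a hypothetical format: "timestamp user outcome"
SAMPLE_LOG = """\
2025-01-01T09:00:00 bob approved
2025-01-01T09:05:00 carol denied
2025-01-01T09:05:40 carol approved
2025-01-01T21:00:00 alice timeout
2025-01-01T21:00:20 alice timeout
2025-01-01T21:00:45 alice denied
2025-01-01T21:01:10 alice timeout
2025-01-01T21:01:30 alice timeout
2025-01-01T21:02:00 alice denied
2025-01-01T21:02:30 alice approved
"""

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, kind) alerts for push floods and for
    approvals that arrive while a flood is still in progress."""
    recent = defaultdict(deque)  # user -> times of unapproved pushes
    flooding = set()             # users whose current burst was already alerted
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_raw)
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:
            pushes.popleft()             # drop pushes older than the window
        if len(pushes) < threshold:
            flooding.discard(user)       # earlier burst has aged out
        if outcome == "approved":
            if user in flooding:
                # Possible accidental approval: contain the account and session.
                alerts.append((user, ts_raw, "approved_during_flood"))
            continue
        pushes.append(ts)                # denied or timed-out push
        if len(pushes) >= threshold and user not in flooding:
            flooding.add(user)
            alerts.append((user, ts_raw, "push_flood"))
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

The single mistyped-then-approved login for `carol` stays below the threshold, while the approval that lands in the middle of the burst for `alice` is raised as a separate, higher-priority alert.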
The aftermath
Concerned about accidentally approving a prompt, the reporter contacted the BBC’s information security team. As a precaution, the team disconnected his account from the network, cutting off his access to all internal systems.
Later that evening, the hacker sent a message apologizing for the “test.” After the reporter ceased responding, the contact deleted their Signal account and disappeared. The reporter’s access to BBC systems was eventually reinstated with enhanced security protections. The incident provided him with firsthand experience of an insider threat attack and the evolving tactics used by cybercriminals.