{"id":33616,"date":"2025-09-29T15:11:16","date_gmt":"2025-09-29T15:11:16","guid":{"rendered":"https:\/\/agooka.com\/news\/technologies\/medusa-gang-offered-bbc-reporter-share-of-ransom\/"},"modified":"2025-09-29T15:11:16","modified_gmt":"2025-09-29T15:11:16","slug":"medusa-gang-offered-bbc-reporter-share-of-ransom","status":"publish","type":"post","link":"https:\/\/agooka.com\/news\/technologies\/medusa-gang-offered-bbc-reporter-share-of-ransom\/","title":{"rendered":"Medusa gang offered BBC reporter share of ransom"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/dataconomy.com\/wp-content\/uploads\/2025\/09\/1161221.jpg\" alt=\"Medusa gang offered BBC reporter share of ransom\" title=\"Medusa gang offered BBC reporter share of ransom\"\/><\/p>\n<p>A BBC cyber correspondent was propositioned by a criminal organization on the Signal app in July, offering a share of a ransom payment in exchange for internal access to his employer\u2019s computer systems. The incident provided a direct look into how cybercriminals attempt to recruit insiders to facilitate attacks.<\/p>\n<h2>The recruitment attempt<\/h2>\n<p>The unsolicited message came from an individual identified as \u201cSyndicate,\u201d who made a direct proposal for an insider-threat collaboration.<\/p>\n<blockquote>\n<p>\u201cIf you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.\u201d<\/p>\n<\/blockquote>\n<p>The correspondent, Joe Tidy, consulted with a senior editor and decided to engage with the individual to gather intelligence on the group\u2019s methods. Feigning interest, he requested more details on how the plan would work. 
The contact, now named \u201cSyn,\u201d explained that the process would involve the reporter providing his corporate login credentials, which the gang would use to infiltrate the BBC\u2019s network, deploy malicious software, and demand a ransom in bitcoin.<\/p>\n<h2>The negotiation<\/h2>\n<p>As the conversation continued, the financial incentive was significantly increased. The initial 15% offer was raised to 25% of a ransom that Syn projected could be in the \u201ctens of millions.\u201d<\/p>\n<blockquote>\n<p>\u201cWe aren\u2019t sure how much the BBC pays you but what if you took 25% of the final negotiation as we extract 1% of the BBC\u2019s total revenue? You wouldn\u2019t need to work ever again.\u201d<\/p>\n<\/blockquote>\n<p>To build trust, the contact, who identified himself as a \u201creach out manager\u201d for the cyber-crime group Medusa, claimed to have successfully struck deals with insiders in past attacks, naming a UK-based healthcare company and a US-based emergency-services provider as previous victims.<\/p>\n<h2>The hackers\u2019 identity<\/h2>\n<p>Medusa is a known ransomware-as-a-service (RaaS) group, which allows criminal affiliates to use its malicious software to launch attacks in exchange for a share of the profits. The group\u2019s administrators are believed to operate from Russia or an allied state and reportedly avoid targeting organizations within that region. To prove their credibility, the contact sent the reporter a link to a public warning about Medusa issued by US cyber authorities in March, which noted the group had compromised more than 300 victims.<\/p>\n<h2>From conversation to attack<\/h2>\n<p>The tone shifted as the criminals grew impatient, urging the reporter to make a deposit of 0.5 bitcoin (approximately $55,000) to secure a guaranteed minimum payment. 
They began asking specific technical questions about the BBC\u2019s IT network and sent a snippet of computer code, instructing the reporter to execute it on his work laptop to reveal his level of internal access.<\/p>\n<p>After the reporter stalled for time, the criminals escalated their tactics. His phone began receiving a constant barrage of two-factor authentication notifications from the BBC\u2019s security login app. This technique, known as MFA bombing or Multi-Factor Authentication fatigue, is designed to overwhelm a target with approval requests, hoping they will accept one by mistake or out of frustration.<\/p>\n<h2>The aftermath<\/h2>\n<p>Concerned about accidentally approving a prompt, the reporter contacted the BBC\u2019s information security team. As a precaution, the team disconnected his account from the network, cutting off his access to all internal systems.<\/p>\n<p>Later that evening, the hacker sent a message apologizing for the \u201ctest.\u201d After the reporter ceased responding, the contact deleted their Signal account and disappeared. The reporter\u2019s access to BBC systems was eventually reinstated with enhanced security protections. The incident provided him with firsthand experience of an insider threat attack and the evolving tactics used by cybercriminals.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A BBC cyber correspondent was propositioned by a criminal organization on the Signal app in July, offering a share of a ransom payment in exchange for internal access to his employer\u2019s computer systems. The incident provided a direct look into how cybercriminals attempt to recruit insiders to facilitate attacks. 
The recruitment attempt The unsolicited message [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":33617,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":{"0":"post-33616","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technologies"},"_links":{"self":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/posts\/33616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/comments?post=33616"}],"version-history":[{"count":0,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/posts\/33616\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/media\/33617"}],"wp:attachment":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/media?parent=33616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/categories?post=33616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/tags?post=33616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}