A shocking incident has revealed how cybercriminals linked to the Medusa ransomware group attempted to bribe a BBC journalist into becoming an insider threat. According to cybersecurity correspondent Joe Tidy, the hackers contacted him directly in July through the encrypted messaging app Signal, offering him a lucrative deal in exchange for granting access to the BBC’s internal systems.
The threat actor, using the alias “Syndicate” (or “Syn”), initially proposed that Tidy would receive 15% of any ransom payment if he helped them infiltrate the British broadcaster. Syn later attempted to sweeten the deal, increasing the promised cut by another 10%, suggesting the total ransom could reach tens of millions of dollars. The hackers claimed that Tidy could live comfortably off his share and never work again.
The plan was straightforward yet dangerous: once access was secured, the Medusa ransomware gang intended to exfiltrate sensitive BBC data and then hold the organization hostage with the threat of public leaks. This aligns with Medusa’s notorious double-extortion tactics, where data theft amplifies ransom demands.
Tidy explained that Syn attempted to build trust by offering an upfront escrow payment of 0.5 BTC (over $55,000) through a hacker forum, highlighting how criminal groups use financial guarantees to lure insiders. The hackers also promised complete anonymity, citing past attacks where disgruntled employees provided access for relatively small sums.
When persuasion failed, Syn resorted to MFA bombing (also known as MFA fatigue or MFA spam). Tidy’s phone was flooded with endless two-factor authentication requests designed to trick him into approving a fraudulent login attempt. This aggressive technique has become a popular method among ransomware gangs to bypass multi-factor authentication defenses.
Despite the pressure, Tidy never complied. Instead, he immediately alerted the BBC’s information security team, who disconnected him from the network as a precaution. Interestingly, Syn later apologized for the harassment and kept the offer open, but eventually deleted their Signal account when no response came.
The Medusa ransomware gang, active since 2021, has already been linked to over 300 attacks on U.S. critical infrastructure, according to a report by CISA. Their operations rely heavily on insider recruitment and collaboration with initial access brokers on dark web marketplaces, showing how deeply embedded the insider threat strategy has become in modern cybercrime.
Conclusion: This attempted recruitment underscores a disturbing trend in cybercrime—ransomware groups are no longer just targeting external vulnerabilities but actively seeking insiders. The BBC case highlights how valuable employees can be to hackers, and how organizations must double down on security awareness, insider threat monitoring, and MFA resilience. The Medusa attempt failed this time, but it signals that insider recruitment schemes will remain a growing threat vector for corporations worldwide.
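To make the MFA bombing described above concrete from the defender's side, here is an added detection sketch (not code from the article or from the BBC). It flags a burst of unapproved push prompts for one user, and separately flags an approval that follows such a burst. The log format, the 10-minute window, the threshold of 5 and all names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved prompts in a burst

# Constructed sample events (not real logs): timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2025-07-14T21:00:05 alice 203.0.113.50 timeout
2025-07-14T21:00:40 alice 203.0.113.50 denied
2025-07-14T21:01:10 alice 203.0.113.50 timeout
2025-07-14T21:01:45 alice 203.0.113.50 timeout
2025-07-14T21:02:20 alice 203.0.113.50 denied
2025-07-14T21:02:55 alice 203.0.113.50 timeout
2025-07-14T21:03:30 alice 203.0.113.50 approved
2025-07-15T09:00:00 carol 192.0.2.44 denied
2025-07-15T09:00:30 carol 192.0.2.44 approved
"""

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, user, alert) tuples for push-prompt bursts."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    in_burst = set()             # users already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue             # skip blank or malformed lines
        stamp, user, _ip, outcome = parts
        ts = datetime.fromisoformat(stamp)
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()          # drop prompts that fell out of the window
        if not q:
            in_burst.discard(user)
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((stamp, user, "PUSH_BURST"))
        elif outcome == "approved":
            # An approval right after a burst may be a worn-down user, not a login.
            if len(q) >= threshold:
                alerts.append((stamp, user, "APPROVED_AFTER_BURST"))
            q.clear()
    return alerts

if __name__ == "__main__":
    print(*detect_mfa_fatigue(SAMPLE_LOG), sep="\n")
```

In practice a `PUSH_BURST` alert is the cue to contact the user out of band, and an `APPROVED_AFTER_BURST` alert is the cue to revoke the session and isolate the account, which mirrors the precautionary disconnect the BBC team applied.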





