A BBC journalist has revealed how cybercriminals tried to recruit him as an insider, offering a share of potential ransom money in exchange for access to his employer’s systems. The incident highlights the growing trend of hackers attempting to bypass security through human cooperation rather than technical breaches alone.
In July, the journalist received an unexpected message through the encrypted messaging platform Signal. The sender, identifying himself as “Syndicate,” proposed that the reporter provide login details for his BBC computer in return for 15 percent of any ransom collected. The plan, according to the contact, was to infiltrate the network, deploy ransomware, and negotiate a bitcoin payment from the broadcaster.
The reporter, after consulting his editors, chose to continue the conversation to better understand the tactics used by such groups. Soon, the offer escalated. The hackers suggested raising the share to 25 percent of what they claimed could be “tens of millions,” implying that one successful attack could secure the insider’s financial future.
The individual eventually introduced himself as a representative of Medusa, a well-known ransomware-as-a-service operation. Medusa provides its software to affiliates who then carry out attacks and share profits with the group’s administrators. Cybersecurity experts believe the leadership of Medusa operates from Russia or allied states, and the group avoids striking targets in that region.
To strengthen credibility, the hacker referenced public warnings from U.S. cyber authorities about Medusa, claiming the group had already compromised hundreds of organizations. They also pointed to previous cases in the healthcare and emergency services sectors where insiders allegedly cooperated.
The tone of the exchange shifted as the hacker pushed for faster cooperation. He suggested the journalist make a deposit of 0.5 bitcoin—around $55,000—as a gesture of commitment. He also sent a piece of code and asked that it be run on a BBC laptop to reveal internal access levels.
When these steps were not taken, the pressure intensified. The reporter’s phone began receiving nonstop prompts from the BBC’s security system asking him to verify logins. This method, known as “MFA bombing,” aims to overwhelm a target with two-factor authentication requests until they approve one out of frustration or error. The journalist, concerned about mistakenly granting access, contacted the BBC’s information security team. As a precaution, his account was disconnected from the network.
Later, the hacker sent a message apologizing for what he called a “test.” When no further replies were given, the account used for contact was deleted. The reporter’s access to BBC systems was eventually restored with added protections, but the experience offered a rare firsthand look at how ransomware groups attempt to lure insiders.
The case illustrates a key vulnerability for organizations: employees themselves. While most cybersecurity efforts focus on technical defenses, criminals are increasingly seeking to exploit human access points. Insider recruitment attempts, once considered rare, are becoming a tool in the arsenal of well-resourced ransomware groups. For companies, the lesson is clear—defense must include not just firewalls and software, but training, vigilance, and awareness of the risks posed by targeted approaches to staff.
This image is the property of The New Dispatch LLC and is not licenseable for external use without explicit written permission.
