Medusa Ransomware Gang Offers BBC Reporter Millions for Inside Hack Access


A ransomware operation claiming affiliation with the Medusa gang attempted to recruit BBC cybersecurity correspondent Joe Tidy as an insider threat, offering him substantial financial incentives in exchange for access to the broadcaster's systems. 

The threat actor, using the alias "Syndicate" (later shortened to "Syn"), contacted Tidy in July via the encrypted messaging app Signal, proposing an arrangement that would give him a percentage of the ransom proceeds. The initial proposition involved offering Tidy 15% of any ransom payment if he provided access to his work laptop and BBC systems. 

The cybercriminals planned to infiltrate the organization's network, exfiltrate sensitive data, and demand payment in cryptocurrency while threatening to release stolen information. As negotiations continued, Syn increased the offer to 25%, suggesting the total ransom demand could reach tens of millions of dollars and claiming Tidy "wouldn't need to work ever again".

To establish credibility, the threat actor offered 0.5 Bitcoin (approximately $55,000) as an upfront trust payment through escrow on a hacker forum. Syn referenced previous successful insider recruitment operations, citing cases involving a UK healthcare company and a US emergency services provider, suggesting such collaborations were common in their operations.

The Medusa ransomware operation has operated since January 2021 and evolved from a closed operation to a ransomware-as-a-service model with affiliates. According to a March report from CISA, the gang has compromised over 300 critical infrastructure organizations in the United States. The operation's core developers recruit initial access brokers through cybercrime forums and darknet marketplaces while maintaining central control over ransom negotiations.

Tidy, who reports on cybersecurity topics, believes the attackers likely mistook him for a technical employee with elevated system privileges rather than a journalist. After consulting with BBC editors, he engaged with the threat actor to gather intelligence on their methods. When Tidy delayed responding to their demands, the criminals launched an MFA bombing attack, flooding his phone with two-factor authentication requests in an attempt to force approval of a malicious login.

The journalist promptly contacted BBC's information security team and was disconnected from the organization's infrastructure as a precautionary measure. Following several days of silence from Tidy, the alleged Medusa representative deleted their Signal account.