BBC Journalist Targeted in $100M Ransomware Scam, Offered Bitcoin Payout to Become Insider Threat
BBC journalist Joe Tidy found himself entangled in a scenario that ordinarily lurks in the shadows of the cybercriminal world. In July he received an unexpected Signal message from an unknown interlocutor identifying himself as “Syndicate.” The stranger proposed that Tidy participate in a criminal scheme: if he surrendered access to his workstation, he would receive a cut of a ransom to be extorted from the corporation. Initially the offer was 15% of the potential haul; later it rose to 25%, accompanied by promises that such a “payout” would secure a life of ease.
The attackers rationalized their interest in insider collaboration by citing past windfalls from similar arrangements. Syndicate — who even altered his handle during the conversation — reassured Tidy that company staff frequently agree to assist intruders. To bolster his claims he referenced assaults on a British healthcare organisation and an American emergency service, and he noted the recent arrest in Brazil of an IT specialist who had sold credentials to hackers; according to police, the bank’s losses in that incident approached $100 million. Such anecdotes lent an unsettling plausibility to the proposal.
The interlocutor presented himself as a “liaison manager” for the group Medusa, known as one of the most active operators of ransomware-as-a-service. Any affiliated actor may deploy Medusa’s platform to mount attacks. Check Point estimates that the gang’s core operates from Russia or allied jurisdictions and intentionally avoids striking targets within the CIS, focusing instead on foreign firms. U.S. authorities have warned that over four years Medusa has attacked more than 300 organisations; the gang’s dark-web portal lists dozens of victims, their names concealed.
Syndicate steadily escalated the pressure during negotiations. He asserted his awareness that BBC salaries are modest and dangled the prospect of “retiring to the Bahamas” after a successful hack. As a purported token of good faith, the hackers offered to deposit 0.5 BTC — roughly $55,000 — and demanded Tidy’s login and two-factor authentication codes; they even asked him to execute a complex code snippet on his work laptop and report back. Such a test would reveal the depth of internal access and guide subsequent steps. Syndicate urged the discussion to move to Tox — a messaging app favoured by cybercriminals — and sent links to Medusa pages on closed forums.
When Tidy, after consulting colleagues, began to stall, the interlocutor’s patience evaporated and his tactics shifted. Tidy’s phone was soon flooded with push notifications requesting login confirmations for his BBC account — a method known as MFA bombing. Overwhelmed by dozens or hundreds of approval prompts, a user can, from fatigue or confusion, inadvertently tap “approve.” Similar tactics contributed to the 2022 compromise of Uber. For Tidy the barrage felt like an invasive assault, a virtual battering at his front door.
He refused to cooperate and immediately contacted the BBC’s security team. To eliminate any risk he was temporarily severed from corporate systems — no email, no internal services, no remote access. That same evening Syndicate sent a surprisingly conciliatory message: “The team apologises. We were testing the BBC login page and are very sorry if this caused problems.” Although he continued to propose a deal, the hacker deleted his Signal account and vanished when no response came.
Tidy’s access was later restored with strengthened protections on his account. His experience illustrates that real threats often arise not only from sophisticated technical exploits but from deliberate, targeted manipulation of employees. Even staff without privileged credentials can be recruited or coerced, and the episode starkly demonstrates how criminal groups combine enticement, psychological pressure, and technical tricks to subvert internal defenses and coerce organisations into capitulation.
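One way a security team could detect the MFA bombing described above, as an added example that is not part of the original article: a sliding-window check over push-prompt outcomes that flags a burst of unapproved prompts and, at higher priority, an approval that arrives during a burst. The log format, user names, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: unapproved prompts that count as a burst

# Constructed sample events: ISO timestamp, user, outcome of one push prompt.
SAMPLE_LOG = """\
2024-01-15T21:00:05 alice approved
2024-01-15T21:03:10 jdoe denied
2024-01-15T21:03:25 jdoe timeout
2024-01-15T21:03:40 jdoe denied
2024-01-15T21:04:02 bob denied
2024-01-15T21:04:15 jdoe timeout
2024-01-15T21:04:30 jdoe denied
2024-01-15T21:04:50 jdoe denied
2024-01-15T21:05:05 jdoe approved
2024-01-15T21:09:00 bob approved
"""

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, user, kind) alerts; kind is 'burst' or
    'approved_after_burst' (an approval while a burst is still active)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    in_burst = set()             # users already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts outside the window
            q.popleft()
        if len(q) < threshold:
            in_burst.discard(user)       # the earlier burst has aged out
        if outcome in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((ts_raw, user, "burst"))
        elif outcome == "approved":
            if len(q) >= threshold:      # likely a fatigue or mistaken tap
                alerts.append((ts_raw, user, "approved_after_burst"))
            q.clear()
            in_burst.discard(user)
    return alerts
```

An `approved_after_burst` alert is the case worth an immediate session revocation and a call to the user, since it marks the moment the barrage may have succeeded.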