Cybercriminals tried to bribe a BBC journalist to hack into one of the world's biggest news websites - here's what happened next


  • BBC journalist was targeted by hackers offering ransom profits
  • The gang introduced themselves with links to darknet addresses and forums
  • MFA bombing transformed online negotiations into an invasive and unsettling confrontation

The concept of an insider threat within cybersecurity is often discussed in abstract terms, a theoretical vulnerability that organizations know exists but rarely confront directly.

But this abstract risk became a tangible reality for BBC cyber correspondent Joe Tidy when he was unexpectedly propositioned by an individual calling themselves Syn, who claimed to represent the Medusa ransomware group.

The unsolicited contact, initiated on the encrypted messaging app Signal, presented a straightforward yet criminal proposal - for Tidy to provide access to the BBC’s internal systems in exchange for a percentage of a future ransom payment.

The proposal and lure of lucrative gains

After consulting with senior editorial figures, Tidy engaged with the individual to understand the mechanics of the proposition.

Syn outlined a process where the journalist would hand over his login credentials, allowing the gang to infiltrate the BBC’s network, deploy malware, and extort the corporation.

The financial pitch was aggressively escalated, with Syn suggesting the correspondent could receive 25% of a ransom calculated as a percentage of the BBC’s total revenue.

To establish credibility, Syn provided a link to Medusa's darknet address and pointed to previous alleged successes.


It named a UK healthcare company and a US emergency services provider as examples of where insider deals had supposedly facilitated attacks.

After several days of conversation, Tidy’s attempt to stall for time to consult with internal security experts prompted a drastic shift in tactics from the criminals.

The previously conversational Syn became impatient, demanding immediate action and attempting to pressure Tidy with taunts about a future life on a beach.

This verbal pressure quickly transformed into a direct technological assault, as Tidy's phone was suddenly inundated with a barrage of two-factor authentication pop-ups.

This technique is known as MFA bombing: attackers spam login requests, hoping the victim will accidentally approve one. It transformed the situation from a distant negotiation into an unsettling, direct confrontation.

The BBC had to disconnect Tidy entirely from all BBC systems as a precautionary measure.
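One way a defender could spot the burst of prompts described above, shown as an added example that is not from the original article or from the BBC: it scans authentication log lines and flags any user who receives many push prompts in a short window, raising the severity if an approval follows. The log format, event names, threshold and window are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, user, event); not real BBC or vendor data.
SAMPLE_LOG = """\
2025-01-01T09:00:00 alice push_sent
2025-01-01T09:00:05 alice approved
2025-01-01T22:10:00 jdoe push_sent
2025-01-01T22:10:20 jdoe denied
2025-01-01T22:10:40 jdoe push_sent
2025-01-01T22:11:00 jdoe timeout
2025-01-01T22:11:15 jdoe push_sent
2025-01-01T22:11:30 jdoe push_sent
2025-01-01T22:11:50 jdoe push_sent
2025-01-01T22:12:05 jdoe approved
"""

def parse(text):
    """Turn 'ISO-timestamp user event' lines into (datetime, user, event) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        rows.append((datetime.fromisoformat(ts), user, event))
    return rows

def detect_mfa_bombing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag users who get >= threshold push prompts within the sliding window.

    Severity is 'medium' for the burst alone and 'high' if an approval lands
    while the burst is still inside the window (possible accidental approval).
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push prompts
    alerts = {}
    for ts, user, event in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "burst_start": q[0],
                                "prompts": len(q), "severity": "medium"}
        elif event == "approved" and user in alerts and len(q) >= threshold:
            alerts[user]["severity"] = "high"  # treat the session as suspect
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_mfa_bombing(parse(SAMPLE_LOG)):
        print(alert)
```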

The criminals’ subsequent communication was strangely apologetic, but they maintained that the original deal was available.

“The team apologizes. We were testing your BBC login page and are extremely sorry if this caused you any issues,” they said.

The incident concluded with the hackers eventually deleting their account after receiving no further response.

While Tidy lacked the high-level access the criminals mistakenly assumed he possessed, the episode served as a chilling case study of how cybercriminals now use a mix of financial incentives and aggressive technical coercion to pursue their targets.

Organizations should therefore treat such encounters with skepticism and ensure staff can report unusual approaches quickly.


Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products.
