BBC reporter up to 25% ransom for inside

✨ Megiddo

Last July, a BBC IT news writer received an unexpected message on Signal. The journalist was asked to provide computer access in exchange for a share of a ransom to be collected from his employer.

The unknown individual introduced himself as "Syndicate" and initially offered Joe Tidy a 15% commission for assistance in hacking BBC systems through his laptop.

The reporter had heard of insider recruitment for the purpose of penetrating corporate networks, but this was his first experience with such a scheme. After receiving the go-ahead from a senior editor, he decided to investigate it.

Continuing the conversation with the stranger, Tidy expressed interest and asked to know exactly what the assistance would entail. As it turned out, all he needed to do was disclose the login credentials and access code to the news outlet's network.

As the conversation progressed, the pressure escalated; the offer was raised to 25% of the ransom, allegedly amounting to tens of millions of dollars. Having changed his name, Syndicate convinced the potential insider that the reward would last a lifetime, and that his involvement in the hack would remain undetected—even the chat would be deleted.

Tidy also learned that his interlocutor represented the operators of the Medusa ransomware (known for avoiding the CIS countries) and was the only English-speaking member of the cybercriminal group.

When Tidy expressed doubt that the recruiters would fulfill their promises, he was given the cybercriminal group's darknet address and invited to a private chat called Tox. He was also sent a link to a Medusa recruiting page on a hacker forum, which guaranteed a minimum deposit of 0.5 Bitcoin (at the time, about $55,000) for inside information.

Tidy's persistent interlocutors apparently assumed he was a techie with privileged access to the intended victim's IT systems. As proof that he wouldn't be cheated out of payment, the journalist was promised a deposit of 1 BTC.

Along the way, he was asked numerous questions about the BBC's IT infrastructure, which he couldn't have answered even if he had tried. He was also sent a complex piece of code that he had to run on his laptop as a command, reporting the result back.

It turned out to be a test of his access level to the BBC's internal network. Eventually, the reporter realized he couldn't get by without advice from his employer's information security team. However, the weekend was approaching, and his Signal contact was growing impatient.

The contact urged him on, reminding him of the prospect of a carefree vacation in the Bahamas, and finally demanded he hand over the coveted account keys by Monday afternoon.

Without waiting for the deadline, the recruiters began flooding Tidy's phone with password reset confirmation requests. This tactic is known as MFA bombing and is designed to trick the target into clicking consent, allowing the attackers to seize control of their account. A similar technique was used when Uber was hacked in 2022.

To prevent the attackers from gaining access to the corporate network, BBC security blocked Tidy's access to the employer's network. The attackers apologized to him, claiming they were simply testing the situation and didn't mean to cause any inconvenience.

After several days of silence, they deleted their Signal account and disappeared. Tidy's access to BBC systems was subsequently restored.