Red Hot Cyber


They’re offering you €55,000 for access to your office account. What should you do?

Redazione RHC: 3 October 2025 11:54

BBC journalist Joe Tidy found himself in a situation usually hidden in the shadows of cybercrime. In July, he received an unexpected message on the messaging app Signal from an unknown person who identified themselves as “Syndicate.”

The person proposed a criminal scheme: if Tidy gave them access to his computer, he would receive a portion of the ransom demanded from the company. Initially, the offer was 15% of the available amount, but it later increased to 25%, with the promise that this “deal” would be enough to live comfortably.

The criminals explained their interest in the collaboration by citing the benefits they had received in the past from similar agreements. Syndicate, which even changed its name during the communications, stated that company employees often agree to help the hackers.

They cited as evidence attacks on a British healthcare organization and an American emergency services agency. Furthermore, just days earlier, an IT expert had been arrested in Brazil for selling his credentials to hackers. According to police, the bank suffered losses of approximately $100 million, a story that reinforced the sense of urgency.

The source identified himself as a “communications manager” for the Medusa group, known as one of the most active organizations operating under the “ransomware-as-a-service” model. Any affiliated criminal can use the Medusa platform for attacks. According to Check Point, the core of the group operates from Russia or allied countries and avoids attacks within the CIS, focusing instead on foreign companies. In an official announcement, US authorities reported that Medusa has attacked more than 300 organizations in four years. The group’s darknet website lists dozens of affected companies, but their names are redacted.

During the negotiations, Syndicate continued to increase the pressure. They claimed to know that salaries at the BBC were not particularly high and suggested he could “retire in the Bahamas” after a successful hack. As a “guarantee of honesty,” the hackers promised a deposit of 0.5 Bitcoin, approximately $55,000.

They requested a login, a two-factor authentication code, and even sent a complex code snippet with the request to run it on a company laptop and report the results. This would allow them to assess their level of access and plan further interventions within the infrastructure.

Syndicate insisted that the conversation be moved to Tox, a messenger actively used by cybercriminals, and posted links to Medusa pages on closed forums.

When the journalist, consulting with colleagues, began stalling for time, the other person lost patience. He set a deadline and soon switched to a different tactic. Tidy’s phone was bombarded with pop-up notifications asking him to confirm access to his BBC account. This method is known as MFA bombing: the victim receives dozens or hundreds of push notifications and may eventually tap “confirm,” either accidentally or out of tiredness. Uber was hacked in a similar way in 2022, for example.

Tidy didn’t respond and urgently contacted the BBC’s cybersecurity team. To mitigate the risk, he was temporarily disconnected from the company’s systems: no email, no internal services, no login tools. That same evening, an unexpectedly calm message from Syndicate apologized: “The team apologizes. We were testing the BBC login page and apologize if this caused any issues.” Despite the pressure, the hacker continued to offer a deal, but receiving no response, he deleted his Signal account and disappeared.

The journalist’s access to the systems was subsequently restored, and his account security was strengthened. This experience demonstrated that real threats come not only from sophisticated technical attacks, but also from targeted attacks on employees.

Even those without privileged rights on the corporate network can be targets for recruitment. Tidy’s story has become a clear example of how criminal groups use a combination of promises, manipulation, and techniques to bypass internal security and force organizations to pay a ransom.
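The MFA bombing described above leaves a recognizable trace in authentication logs: a burst of unapproved push prompts for one account, sometimes ending in an approval. The following detection sketch is an added example, not part of the original article; the log format, the event names (`push_denied`, `push_timeout`, `push_approved`), the window and the threshold are all assumptions to adapt to your identity provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real system): time, user, push result.
SAMPLE_LOG = """\
2025-07-14T22:40:01Z jdoe push_timeout
2025-07-14T22:40:20Z jdoe push_denied
2025-07-14T22:40:41Z jdoe push_timeout
2025-07-14T22:41:05Z jdoe push_timeout
2025-07-14T22:41:30Z jdoe push_denied
2025-07-14T22:41:52Z jdoe push_timeout
2025-07-14T22:42:15Z jdoe push_approved
2025-07-15T08:00:00Z bob push_denied
2025-07-15T08:00:30Z bob push_approved
"""

WINDOW = timedelta(minutes=5)   # assumed look-back window
THRESHOLD = 5                   # assumed number of unapproved prompts that is abnormal


def detect_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, time, unapproved_count) tuples."""
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerting = set()              # users whose current burst was already reported
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts_text, user, result = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(user)        # burst has aged out; re-arm the alert
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= threshold and user not in alerting:
                alerting.add(user)
                alerts.append((user, "burst", ts, len(q)))
        elif result == "push_approved":
            if len(q) >= threshold:       # approval right after a burst: possible fatigue
                alerts.append((user, "approved_after_burst", ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert is the case that warrants immediate session revocation and a call to the user, since it may mean a prompt was accepted out of fatigue.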

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
