- Joe Tidy, BBC cyber correspondent, was approached by a ransomware gang in July via the Signal app
- The hacker offered 15-25% of ransom payments for access to Tidy's laptop to attack BBC systems
- The gang claimed links to Medusa ransomware, which has hit over 300 victims in four years
In a chilling glimpse into the world of cybercrime, a notorious ransomware gang recently approached a BBC cyber correspondent with a wild offer. Joe Tidy, who covers digital threats for the BBC World Service, received an unsolicited message in July from a hacker who promised her a substantial amount of money if she helped cyber criminals access BBC systems through her laptop.
The contact came via the encrypted app Signal. The hacker, initially using the alias "Syndicate" before switching to "Syn," said, "If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC." This would allow the criminals to steal sensitive data or deploy malware, holding the broadcaster hostage for bitcoin payouts.
Ms Tidy, sensing a rare opportunity to investigate, engaged cautiously after consulting BBC editors. She posed as a potential insider, probing Syn's motives. Later, Syn ramped up the pitch. Claiming affiliation with the Medusa ransomware group, the hacker promised 25% of the final ransom, potentially tens of millions.
"We aren't sure how much the BBC pays you but what if you took 25% of the final negotiation as we extract 1% of the BBC's total revenue? You wouldn't need to work ever again," the hacker said.
To build trust, Syn shared a link to Medusa's darknet site and invited Ms Tidy to their secure Tox chat, favoured by cybercriminals. He even offered a "trust payment" of 0.5 bitcoin (about $55,000) as a deposit, guaranteeing more once login details were handed over. Notably, Medusa, a ransomware-as-a-service outfit, lets affiliates hack targets worldwide. Believed to be run from Russia or allied nations, the group has struck over 300 victims in four years, per a US cybersecurity alert.
They avoid Russian-speaking countries and thrive on dark web forums. Syn boasted of prior successes, like insiders at a UK healthcare firm and a US emergency services provider. "You'd be surprised at the number of employees who would provide us access," he added.
Meanwhile, Syn grew impatient, firing off questions about BBC IT setups and sending code to run on Tidy's laptop, which she wisely ignored. "When can you do this? I'm not a patient person," Syn pressed, dangling visions of "living on the beach in the Bahamas."
A deadline of midnight on Monday was set. When the hacker ran out of patience, the reporter's phone was bombarded with two-factor authentication notifications from the BBC's security login app. This flood of pop-ups, known as MFA bombing, hit her screen every minute. The technique, famously used in the 2022 Uber hack, aims to trick victims into accepting login attempts, potentially granting unauthorized access.
She immediately contacted the BBC's information security team, and as a precaution, they disconnected her from all BBC systems, including emails, intranet, and internal tools. Later that evening, the hackers sent a surprisingly calm message apologizing for the inconvenience, claiming they were just testing the BBC's login page. Ms Tidy expressed her frustration about being locked out, but Syn reiterated the offer. After she didn't respond, they deleted their account and disappeared. Eventually, she was reinstated with added account protections.
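For defenders, the MFA bombing described above leaves a recognisable pattern in authentication logs: many push prompts to one account in a short window, with the real danger being an approval in the middle of the flood. The following is an added example, not part of the original report; the log format, field names, threshold and sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): ISO time, user, event, result
SAMPLE_LOG = """\
2025-01-06T23:50:10 alice mfa_push sent
2025-01-06T23:50:40 alice mfa_push approved
2025-01-07T00:01:00 reporter mfa_push sent
2025-01-07T00:01:20 reporter mfa_push denied
2025-01-07T00:02:00 reporter mfa_push sent
2025-01-07T00:02:55 reporter mfa_push timeout
2025-01-07T00:03:00 reporter mfa_push sent
2025-01-07T00:03:30 reporter mfa_push denied
2025-01-07T00:04:00 reporter mfa_push sent
2025-01-07T00:04:10 reporter mfa_push denied
2025-01-07T00:05:00 reporter mfa_push sent
2025-01-07T00:05:05 reporter mfa_push approved
"""

def detect_mfa_bombing(log_text, threshold=4, window=timedelta(minutes=10)):
    """Alert when a user gets >= threshold push prompts inside the window ('burst'),
    and again if a prompt is approved while the burst is still active."""
    sent = defaultdict(deque)   # user -> timestamps of recent push prompts
    in_burst = set()            # users currently over the threshold
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "mfa_push":
            continue            # ignore malformed or unrelated lines
        ts = datetime.fromisoformat(parts[0])
        user, result = parts[1], parts[3]
        q = sent[user]
        while q and ts - q[0] > window:
            q.popleft()         # drop prompts that fell out of the window
        if len(q) < threshold:
            in_burst.discard(user)
        if result == "sent":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "burst", ts.isoformat()))
        elif result == "approved" and user in in_burst:
            # Possible fatigue approval: treat the session as suspect
            alerts.append((user, "approved_after_burst", ts.isoformat()))
    return alerts
```

A "burst" alert is the point at which a response like the one in this account (cutting the user off from systems until the account is secured) would be triggered; an "approved_after_burst" alert means the resulting session should be treated as compromised until reviewed.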
The shocking incident raises concerns about the vulnerability of organisations, even reputable ones like the BBC, to cyber threats.