
Hackers asked a BBC journalist to help them hack a company

Operators of the Medusa ransomware offered a large sum of money to a BBC employee and wanted to use them as an insider for a cyberattack on the media company.

Joe Tidy, a BBC employee specializing in cybersecurity, said that hackers wanted to use his laptop to break into the British Broadcasting Corporation’s network and then demand a ransom from the organization.

After gaining access to the BBC’s internal systems, the attackers planned to steal data and then demand a ransom. At least 15% of the payout was supposed to go to Tidy for providing the initial access to the BBC network.

Tidy writes that in July 2025, a cybercriminal using the handle Syndicate contacted him via Signal. At first, he offered the journalist 15% of the ransom, then added another 10%, stating that the group would demand from the corporation “a ransom in the tens of millions if it successfully infiltrates the network.” Allegedly, after that, Tidy would never have to work again, living off his share of the proceeds.

The Medusa ransomware group emerged in January 2021. Experts at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) attribute more than 300 attacks on U.S. critical infrastructure organizations to the hacking group. According to their data, Medusa’s core operators recruit initial access brokers on cybercrime forums and darknet marketplaces, focusing on the post-compromise phase.

In his article, Tidy reports that a representative of the hacker group promised him anonymity in the event of successful cooperation and referred to several major past attacks that, he said, had also involved insiders.

Syndicate also tried to persuade Tidy by offering him 0.5 BTC (about $55,000 at the current rate) in an escrow account on a hacker forum even before the attack began.

“We’re not bluffing and we’re not joking. We don’t want media attention; we want only and exclusively money. One of our senior managers wanted me to contact you,” the hacker wrote.

Tidy, who covers infosec news, suspects that the attackers mistook him for a member of the BBC cybersecurity team with high-level access. During the conversation, Syndicate insisted that the journalist run a script, and when Tidy began stalling for time, his phone was flooded with multi-factor authentication (MFA) prompts.

This tactic is commonly known as MFA bombing or MFA spamming. Hackers automate login attempts using the victim’s credentials, triggering a flood of MFA prompts and pressuring the user to give in and approve the sign-in.

However, Tidy didn’t fall for the ruse. He contacted BBC information security specialists, and as a precaution he was completely disconnected from the organization’s infrastructure.

In a later message, the alleged Medusa representative apologized for the MFA prompts and said that the offer to participate in the attack would remain in force for a few more days. When the journalist did not respond, the attacker deleted their Signal account.
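A defender-side sketch of how the MFA bombing pattern described above can be spotted in authentication logs. This is an added example, not taken from the BBC report or any vendor's product; the event format, user names, threshold and time window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the article): (ISO time, user, push result)
SAMPLE_EVENTS = [
    ("2025-07-10T21:00:05", "alice", "approved"),   # normal single sign-in
    ("2025-07-10T21:14:00", "jdoe", "denied"),
    ("2025-07-10T21:14:20", "jdoe", "timeout"),
    ("2025-07-10T21:14:45", "jdoe", "denied"),
    ("2025-07-10T21:15:10", "jdoe", "timeout"),
    ("2025-07-10T21:15:30", "jdoe", "denied"),
    ("2025-07-10T21:16:00", "jdoe", "approved"),    # approval right after a burst
    ("2025-07-10T23:40:00", "bob", "denied"),       # isolated mistake
    ("2025-07-10T23:40:30", "bob", "approved"),
]

def detect_mfa_flood(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who get `threshold` unapproved pushes inside `window`.

    'flood' marks the burst itself; 'approved_after_flood' marks an approval
    that arrives while the burst is still inside the window, which is the
    outcome the prompts are meant to pressure the user into.
    """
    recent = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # alert once when the burst is reached
                alerts.append((user, "flood", ts_raw))
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_flood", ts_raw))
            q.clear()                     # a successful sign-in resets the count
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_flood(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_flood` alert is the case to treat as a likely account takeover: revoke the session and reset the credentials, since the flood itself implies the password is already known to the attacker.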
