In July 2025, a person claiming to represent the Medusa ransomware gang reached out to Joe Tidy, BBC’s cybersecurity correspondent, via the encrypted app Signal. The group offered him 15% of the ransom if he provided access to his BBC laptop, later increasing the commission to 25%.
They described themselves as “Syn” or “Syndicate,” claiming to act as a liaison for Medusa. Their pitch promised that once they got into the BBC network, they could demand a multi-million-dollar ransom. In exchange, Tidy would receive his cut quietly, they said.
MFA Bombing & Escalation
When Tidy delayed, the threat actor escalated pressure tactics:
- They bombarded him with two-factor authentication (2FA) prompts, hoping he’d unwittingly approve one, a tactic known as MFA bombing or MFA fatigue.
- At one point, they even sent him a link to Medusa’s darknet portal and asked him to fund an initial deposit of 0.5 BTC (~$55,000) to show commitment.
When Tidy stalled further, BBC’s security operations had his account disconnected to prevent any unauthorized access. The adversary later apologized and deleted their Signal account.
Insider Threat Meets Ransomware
This incident is startling for multiple reasons:
- Targeting a journalist, rather than IT staff or a system admin, suggests attackers may cast a wider net for insider access.
- Offering a commission on ransom blurs the line between insider threat and recruited collaborator.
- Using social engineering plus technical pressure (MFA bombing) shows the hybrid tactics attackers use to break through internal defenses.
In other words, the threat evolves: recruitment, persuasion, and coercion become just as important as malware.
About Medusa & Broader Risk Trends
Medusa is a ransomware-as-a-service (RaaS) operation known for double-extortion attacks and a public-facing extortion portal.
It often recruits initial access brokers from dark web markets to gain network access before deploying ransomware. This recruitment of a journalist is a novel escalation of that model.
Thieves are increasingly targeting insider liabilities: staff with elevated access, disgruntled employees, or individuals who think they’re safe.
Recommended Defensive Steps
Organizations that handle high profile communications or journalism should:
- Train all staff (not just tech) on insider threat awareness
- Implement MFA throttling and anomaly detection to block MFA spam or floods
- Monitor for unusual 2FA prompts, login floods, or password resets
- Isolate journalist or operational devices from core infrastructure
- Enact strict separation of duties and limit trust zones
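One way to implement the MFA throttling and prompt-flood monitoring recommended above, shown as an added example that is not from the original article. The event names, the log tuple format and the thresholds are assumptions; map them to whatever your identity provider actually logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_PROMPTS = 5                 # assumed: prompts per window before throttling

# Constructed sample log: (ISO timestamp, user, event). Not real data.
SAMPLE_EVENTS = (
    [(f"2025-07-01T22:0{m}:00", "reporter1", "push_sent") for m in range(6)]
    + [("2025-07-01T22:06:10", "reporter1", "push_approved"),
       ("2025-07-01T09:00:00", "editor2", "push_sent"),
       ("2025-07-01T09:00:20", "editor2", "push_approved")]
)

def detect_mfa_flood(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return (timestamp, user, finding) alerts for push-prompt floods."""
    prompts = defaultdict(deque)   # user -> timestamps of recent prompts
    flooding = set()               # users currently at or over the threshold
    alerts = []
    for ts, user, event in sorted(events):
        now = datetime.fromisoformat(ts)
        q = prompts[user]
        while q and now - q[0] > window:   # expire prompts outside the window
            q.popleft()
        if len(q) < max_prompts:
            flooding.discard(user)
        if event == "push_sent":
            q.append(now)
            if len(q) >= max_prompts and user not in flooding:
                flooding.add(user)
                alerts.append((ts, user, "flood: throttle prompts, notify SOC"))
        elif event == "push_approved":
            if user in flooding:
                # An approval in the middle of a flood is the fatigue outcome.
                alerts.append((ts, user, "approved during flood: revoke session"))
            q.clear()
            flooding.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_flood(SAMPLE_EVENTS):
        print(alert)
```

The second finding matters most operationally: an approval that lands while a user is being flooded should be treated as suspect and the resulting session reviewed or revoked, rather than trusted as a normal login.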
FAQs
Q: Why did the ransomware gang target a BBC reporter?
A: They likely assumed Tidy had network access and tried recruiting him as a covert insider for entry.
Q: What is MFA bombing?
A: MFA bombing floods a user with repeated 2FA requests, hoping to trick them into approving one out of frustration.
Q: Who is Medusa ransomware?
A: Medusa is a ransomware operation known for recruiting affiliates and executing double-extortion campaigns.
Q: How can media orgs defend against such insider recruitment?
A: Train personnel broadly, monitor 2FA behavior, segregate critical systems, and deploy anomaly detection.