A ransomware gang’s attempt to recruit a BBC journalist for insider access exposes alarming vulnerabilities within media organizations.
Story Snapshot
- The Medusa gang tried to recruit BBC reporter Joe Tidy for insider access.
- A financial offer to breach BBC systems escalated from 15% to 25% of ransom.
- The BBC’s security team thwarted the attempt, preventing a potential breach.
- This incident highlights the growing threat of insider recruitment by cybercriminals.
Medusa Gang’s Brazen Recruitment Attempt
In July 2025, the Medusa ransomware gang reached out to BBC cyber correspondent Joe Tidy using the encrypted messaging app Signal. The gang’s representative, “Syndicate,” later known as “Syn,” attempted to recruit Tidy as an insider, offering a share of any ransom paid—initially set at 15% and later increased to 25%. Such direct recruitment of a high-profile journalist is unprecedented, exposing the gang’s bold strategy to infiltrate major organizations from within.
The BBC reporter engaged with the hacker to gather intelligence, documenting the negotiation tactics and the methods employed by the attackers. The engagement revealed a series of technical and social engineering attacks, including a multi-factor authentication (MFA) bombing attempt aimed at compromising the BBC’s internal systems. However, the BBC’s vigilant security team intervened, disconnecting Tidy’s account to prevent any breach, leading the hacker to cease contact and delete the Signal account.
🚨Hackers Tried to Recruit BBC Reporter as Insider.
“You'll never need to work again”On 29 September 2025, BBC cyber correspondent Joe Tidy revealed that a criminal calling himself “Syndicate,” claiming ties to the Medusa ransomware group, tried to recruit him as an insider.… pic.twitter.com/94evyL0MrH
— Hackmanac (@H4ckmanac) September 29, 2025
Insider Recruitment: A Growing Cyber Threat
The Medusa gang’s attempt to recruit Tidy underscores a growing trend among ransomware groups: the recruitment of insiders to bypass external defenses. Known as a ransomware-as-a-service (RaaS) operation, the Medusa gang has been active since 2021, targeting large Western entities while avoiding Russian or allied state targets. This model allows even lesser-skilled criminals to launch sophisticated attacks, making insider threats a significant concern for organizations.
Historically, ransomware groups have targeted media organizations for their sensitive data and reputational stakes. The BBC incident is a stark reminder of the vulnerabilities that exist within such institutions. The Medusa gang’s claims of prior insider successes, although unverified, raise questions about the effectiveness of current cybersecurity measures in place across the industry.
Implications for Cybersecurity Practices
The incident at the BBC highlights the urgent need for heightened security protocols and employee awareness training to combat insider threats. As ransomware gangs become more aggressive in their recruitment tactics, organizations must invest in robust internal controls and technical safeguards. The transparency with which the BBC handled the situation provides a valuable case study for other media organizations and high-value targets to learn from.
Certainly, media organizations and similar high-value targets must reevaluate their approach to cybersecurity in light of such incidents. The potential financial losses and erosion of trust in media cybersecurity could have far-reaching economic, social, and political impacts. This incident serves as a wake-up call for organizations to bolster their defenses against the evolving ransomware threat landscape.
Sources:
Medusa Gang Offered BBC Reporter Share Of Ransom
