Hackers Asked a BBC Journalist to Help Them Hack the Company
Operators of the Medusa ransomware group attempted to recruit a BBC journalist as an insider, offering him a large payout in exchange for helping launch a cyberattack against the broadcaster.
The Approach
Joe Tidy, a BBC cybersecurity correspondent, reported that the hackers wanted to use his laptop to infiltrate the British Broadcasting Corporation’s internal systems. Once inside, they planned to steal sensitive data and then demand a ransom.
The attackers initially offered Tidy 15% of the ransom payment for providing access, later increasing the offer by another 10%. According to the hackers, the ransom demand would have been in the “tens of millions,” and Tidy would “never have to work again” if he agreed.
Contact with “Syndicate”
Tidy writes that in July 2025, a cybercriminal using the alias Syndicate contacted him via Signal. The hacker promised anonymity and cited several previous Medusa attacks that allegedly involved insiders. To build credibility, Syndicate offered to place 0.5 BTC (about $55,000 at current value) in an escrow account on a hacker forum before the attack began.
“We are not bluffing and not joking. We don’t want publicity, we want only and exclusively money. One of our main managers wanted me to contact you,” the hacker wrote.
Who Is Medusa?
The Medusa ransomware group emerged in January 2021. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the group has carried out over 300 attacks on U.S. critical infrastructure. Medusa typically recruits initial access brokers from darknet forums and then focuses on the post-compromise phase of operations.
Mistaken Identity and MFA Bombing
Tidy believes the hackers mistook him for a BBC cybersecurity staff member with privileged access. During their exchanges, Syndicate asked him to run a script. When he hesitated, his phone was suddenly flooded with multi-factor authentication (MFA) prompts—a tactic known as MFA bombing or MFA fatigue attacks.
In such attacks, hackers automate login attempts with stolen credentials, overwhelming the target with repeated MFA requests in hopes the user eventually approves one.
Tidy did not fall for the ploy. Instead, he contacted BBC cybersecurity specialists. As a precaution, the corporation disconnected him completely from its infrastructure.
Aftermath
Following the failed attempt, the hacker apologized for the MFA spamming and said the offer would remain open for a few days. When Tidy did not respond, the Signal account used by Syndicate was deleted.
