In July 2025, a BBC journalist got a Signal message from a man calling himself Syndicate: give us access to your PC, and you get 15% of any ransom we squeeze out of the BBC. The target was Joe Tidy, the BBC’s cyber correspondent, whose actual job is exposing criminals exactly like the one now sliding into his DMs. The ransomware gang had, out of 22,000 BBC employees, picked the single worst person to bribe.

Key Takeaways

  • The bribe: In July 2025, a Medusa ransomware recruiter calling himself “Syndicate” offered BBC cyber correspondent Joe Tidy 15%, later raised to 25%, of a ransom the gang projected in the tens of millions of pounds.
  • The escalation: When Tidy went quiet, the gang MFA-bombed his BBC account with a flood of login-approval requests, forcing the BBC to cut his access to the corporate network as a precaution.
  • The gang: US cyber agencies have linked Medusa, active since 2021, to more than 300 attacks on critical infrastructure, including the January 2025 SimonMed breach that exposed data on over a million patients.
  • The precedent: Insider recruitment is an established criminal tactic: in 2020, a Russian national offered a Tesla employee $1 million to plant malware at the Nevada Gigafactory, and the employee went straight to the FBI.
  • The outcome: The BBC was never breached. Tidy published the entire exchange, screenshots included, turning Medusa’s private recruitment playbook into public record.

How Did the Medusa Gang Try to Recruit Joe Tidy?

The approach was a bribe dressed up as a business development call: a Signal message offering Tidy a cut of any ransom extracted from the BBC, starting at 15% and climbing to 25%, in exchange for access to his work computer. Syndicate introduced himself as a “reachout manager” for the Medusa ransomware gang (a real job title he gave himself, like he was in LinkedIn sales) and mentioned he was the only English speaker on the team. His pitch escalated fast. When 15% of the ransom didn’t land, he added another 10%, bringing Tidy’s cut to 25% of a ransom the gang said would run into the tens of millions of pounds. He offered to park a five-figure Bitcoin deposit in escrow to prove they were serious. Then came the line that made every headline:

“You wouldn’t need to work ever again.” (“Syndicate,” recruiting for the Medusa ransomware gang)

To build trust, Syndicate name-dropped previous wins: insiders, he claimed, had already helped Medusa hit a UK healthcare company and an American emergency services provider. He promised Tidy total anonymity: take the money, carry on with your life.

Tidy could have blocked him. He is one of the best-known cybersecurity reporters in the world, a journalist who has spent years interviewing ransomware operators and teenage hackers for a living. Instead, he did what reporters do: he stalled, asked questions, gathered screenshots, and quietly briefed the BBC’s security team, who were understandably alarmed.

From Charm to Siege

Eventually Syndicate wanted action, asking Tidy to run reconnaissance commands on his BBC laptop: what software was installed, how the network looked, who had access to what. Tidy kept stalling. Then he stopped replying, and Medusa went to plan B.

His phone erupted with two-factor authentication pop-ups: approval requests for logins to his BBC account, one after another. This is MFA bombing: hammer an account with login attempts and hope the victim taps “approve” by accident or exhaustion. It works often enough that criminals keep doing it. It’s how an attacker cracked Uber in September 2022, hammering a contractor with push notifications until one got approved. Tidy, who writes articles about this exact technique, didn’t tap. He called BBC security, and they cut his account off from the entire corporate network as a precaution.

Then came the strangest beat in the story: an apology. “The team apologizes,” Syndicate wrote. They’d been “testing” his BBC login page and were “extremely sorry” for any issues. A criminal enterprise, politely contrite about the account takeover attempt, while reminding him the offer still stood, no pressure. Days later, Syndicate’s Signal account vanished. The gang had moved on to the next target.

StageMedusa’s move
The hook15% of a ransom in the tens of millions
The sweetenerCut raised to 25%, Bitcoin deposit offered in escrow
The askRun reconnaissance commands on a BBC laptop
The stickMFA bombing of Tidy’s BBC account
The retreatAn apology, an open offer, then a deleted account

What Is the Medusa Ransomware Gang?

Medusa is a ransomware-as-a-service operation active since 2021, which US cyber agencies have linked to more than 300 attacks on critical infrastructure: power companies, water utilities, hospitals. In a joint advisory published in March 2025 (AA25-071A), CISA, the FBI, and MS-ISAC described a double-extortion model (encrypt the victim’s systems, then threaten to leak the stolen data) with ransom demands reported to range from $100,000 to $15 million. In January 2025 it hit medical imaging firm SimonMed, exposing health data on more than a million people, in the same healthcare sector where a cybersecurity CEO was caught planting spyware in a hospital that very year.

The unsettling part isn’t that Medusa targeted a journalist. It’s how routine the machinery was. The gang runs recruitment as a business function, with staff whose entire job is messaging employees at target companies. And the insider-bribery tactic has a documented history:

  • Tesla, 2020: Russian national Egor Kriuchkov offered a Nevada Gigafactory employee $1 million to plant malware; the worker reported it, the FBI ran a sting, and Kriuchkov pleaded guilty in 2021.
  • AT&T, 2012-2017: fraudster Muhammad Fahd paid more than $1 million in bribes to call-center insiders to unlock nearly two million phones; he was sentenced to 12 years in 2021.
  • Ubiquiti, 2021: in the inverted version, developer Nickolas Sharp stole his own employer’s data, posed as an anonymous hacker, and demanded a roughly 50 Bitcoin ransom; he got six years in 2023.

The economics explain everything. Why spend weeks defeating firewalls when someone in accounting might click a file for a life-changing payment, or when a single phone call to a help desk can shut down MGM’s casinos? It’s the logic behind the Coinbase breach, where bribed support agents leaked customer data, and behind Lapsus$ openly offering telecom staff weekly payments before a teenager torched Rockstar’s secrecy from a hotel room. For a mid-level employee with a mortgage, millions to click a link is a genuine temptation, which is precisely what gangs like Medusa are counting on.

The Critical Choice

Joe Tidy’s critical choice came in the first minute: block and forget, or engage and expose. He chose to play along, carefully, with BBC security looped in, and then to publish the entire exchange, screenshots and all, on the BBC’s website. That decision converted a private bribery attempt into a public field manual: the exact language, escalation pattern, and pressure tactics these gangs use, now readable by every employee at every company on Earth. Medusa tried to buy an insider and instead handed its playbook to its future targets. The recruiter, in trying to flip a journalist, became the subject of one of the most talked-about cybersecurity stories of 2025.

Where Things Stand Now

Medusa remains active, and agencies including CISA and the FBI have published detailed advisories on its tactics as attacks on critical infrastructure continue. The prescriptions are unglamorous (patch known vulnerabilities, enforce multi-factor authentication, segment networks) but they would blunt most of the gang’s playbook. The BBC was never breached; Tidy’s account lockdown was purely precautionary. But the recruitment machine that found him is still running, and for every journalist who says no and writes the story, there is likely someone at another company, somewhere in the world of insider-driven hacks, who quietly said yes and hasn’t been caught yet.