Insider threats rarely make headlines in the cyber-crime world. Few people ever face them. Even fewer talk about them.
I was one of those rare cases. A criminal gang recently approached me with an offer that revealed how hackers try to recruit insiders.
The first contact
The message came without warning. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
It came from someone calling themselves Syndicate. They contacted me in July on the encrypted app Signal. I did not know them, but I knew exactly what they wanted.
They were offering me a share of a ransom if I helped them break into my employer’s systems. The plan was clear: they would steal data or install malicious software, then demand money. I would get a secret cut.
A global problem
I had heard about such cases before. Only days earlier, Brazilian police arrested an IT worker accused of selling his login details. Authorities linked the case to a $100m loss at a major bank.
I took advice from a senior editor and decided to play along with Syndicate. I wanted to see how such shady offers unfold, especially at a time when cyber-attacks disrupt everyday life worldwide.
I told Syndicate, who later shortened their name to Syn, that I was curious but needed details.
The pitch grows bolder
Syn explained that I should hand over my login and security codes. Their gang would then extort my employer for bitcoin. My reward would be a share of the ransom.
The offer quickly increased. “We aren’t sure how much you earn but what if you took 25% of the final negotiation? We extract 1% of total revenue. You wouldn’t need to work ever again.”
Syn claimed they could demand tens of millions. The National Crime Agency advises against paying ransoms, but Syn insisted the money would flow. They promised me millions and even offered to delete the chat to avoid detection.
Previous deals with insiders
Syn claimed their group had many successes. They named two companies hit earlier this year: a UK healthcare firm and a US emergency services provider.
“You’d be surprised at the number of employees who would provide us access,” Syn boasted.
He said he worked as “reach out manager” for Medusa, a ransomware-as-a-service group. He claimed to be western and the only English speaker.
Medusa operates like a platform. Criminal affiliates can use it to hack organisations. A research report suggested its administrators operate from Russia or allied states.
The group avoids Russian targets and promotes its work on Russian-language dark web forums.
Pressure tactics
Syn proudly shared a US public warning about Medusa, which claimed the gang had hit more than 300 victims in four years.
He wanted proof of my cooperation. I suggested he might be a prankster or someone trying to trap me.
He responded with Medusa’s darknet link and invited me to contact them on Tox, a secure messaging app. He sent me their recruitment page and urged me to provide a 0.5 bitcoin deposit, worth about $55,000.
Syn insisted this money was guaranteed once I shared my login. “We aren’t bluffing or joking,” he said. “We are only for money and money only.”
He explained they had chosen me because they assumed I was technically skilled and had access to IT systems. I do not. They asked me questions I could not answer and sent me code to run on my laptop. I refused.
A dangerous escalation
By now I had spoken with Syn for three days. I stalled, planning to brief the security team the next day. But Syn grew impatient.
“When can you do this? I’m not a patient person,” he pressed. “I guess you don’t want to live on the beach in the Bahamas?”
He set a deadline of Monday midnight. Then he changed tactics.
My phone suddenly flooded with security pop-ups: push notifications from the authentication app asking me to confirm attempts to access my accounts.
I recognised the tactic: MFA bombing, also known as MFA fatigue or push bombing. Attackers who already hold a victim's password trigger authentication prompt after authentication prompt until the target, worn down or confused, taps accept. A burst of prompts you did not initiate therefore means the password itself is already compromised. Uber fell victim to this method in 2022.
It was unsettling to experience it myself. The hackers had moved from private chat to direct attacks on my phone. It felt like them banging on my front door.
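Push bombing leaves a distinctive trail in authentication logs: many push challenges for one account in a short window, sometimes followed by an approval. The script below is an added example, not code from the article or from any vendor; the log format, field names, user names and IP addresses are all constructed for illustration, and the thresholds are assumptions a team would tune. It flags an account that receives five or more push prompts within five minutes, and raises a higher-severity alert if a prompt is approved while such a burst is in progress, which is the moment the account should be locked and the password reset.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example; the log lines, user names, IPs and thresholds are constructed
and assumed, not taken from the article or from a real product's log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO-8601 UTC timestamp> user=<id> event=<push_sent|push_denied|push_approved> ip=<source>"
# "reporter" is hit with seven prompts in under two minutes and finally approves one;
# "colleague" is an ordinary login with a single prompt.
SAMPLE_LOG = """\
2025-07-21T23:41:02Z user=reporter event=push_sent ip=203.0.113.7
2025-07-21T23:41:09Z user=reporter event=push_denied ip=203.0.113.7
2025-07-21T23:41:15Z user=reporter event=push_sent ip=203.0.113.7
2025-07-21T23:41:31Z user=reporter event=push_sent ip=203.0.113.7
2025-07-21T23:41:44Z user=reporter event=push_sent ip=203.0.113.7
2025-07-21T23:42:03Z user=reporter event=push_sent ip=203.0.113.7
2025-07-21T23:42:20Z user=reporter event=push_sent ip=203.0.113.7
2025-07-21T23:42:41Z user=reporter event=push_approved ip=203.0.113.7
2025-07-21T09:02:10Z user=colleague event=push_sent ip=198.51.100.4
2025-07-21T09:02:18Z user=colleague event=push_approved ip=198.51.100.4
"""

PUSH_THRESHOLD = 5              # assumed: prompts within one window that count as a burst
WINDOW = timedelta(minutes=5)   # assumed: sliding window length


def parse_line(line):
    """Turn one constructed log line into (timestamp, user, event, ip)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["event"], kv.get("ip", "")


def detect_push_bombing(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for accounts showing a push-bombing pattern.

    A "medium" alert fires once per user when `threshold` push prompts fall
    inside `window`; a "high" alert fires for every push_approved event that
    lands while the user's burst is still inside the window.
    """
    # Logs are rarely delivered in order, so sort by timestamp first.
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    burst_alerted = set()         # users already reported at "medium"
    alerts = []

    for ts, user, event, ip in events:
        q = recent[user]
        # Slide the window: drop prompts older than `window` relative to this event.
        while q and ts - q[0] > window:
            q.popleft()

        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({
                    "user": user, "ip": ip, "severity": "medium",
                    "reason": f"{len(q)} push prompts within {window}",
                })
        elif event == "push_approved" and len(q) >= threshold:
            # The dangerous case: the target tapped accept during the bombardment.
            alerts.append({
                "user": user, "ip": ip, "severity": "high",
                "reason": "push approved during a bombing burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts, both for `reporter`: a medium one when the fifth prompt arrives and a high one when the approval lands; `colleague` produces nothing. In production the same logic runs over the identity provider's sign-in events, and the high-severity path should also trigger a session revocation and password reset, because the approval means the attacker now holds a valid session.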
Cutting the connection
I knew clicking accept would give them access to my accounts. To the system it would look like a normal login. From there, they could try to reach sensitive systems.
I contacted the information security team. Together we agreed to cut me off completely: no email, no intranet, no internal tools.
That evening, the hackers sent a calm message. “The team apologises. We were testing your login page and are sorry if this caused issues.”
I told them I was now locked out and frustrated. Syn repeated the offer. I ignored him. Days later, he deleted his Signal account and vanished.
The chilling lesson
Eventually, my access was restored with added security protections. The experience left me with a clear view of insider threat tactics.
Hackers are constantly evolving, and they actively hunt for insiders. Until this happened to me, I never fully appreciated how dangerous these offers can be.
It was a chilling lesson in the risks facing organisations everywhere.