Insider threats rarely dominate headlines in cyber-crime. Few employees experience them. Even fewer share what really happens.
I became one of those exceptions. A criminal group reached out and exposed how hackers attempt to recruit insiders.
The first approach
The message landed without warning. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
It came from someone using the name Syndicate. They contacted me in July through the encrypted app Signal. I had no idea who they were, but their intention was clear.
They wanted me to help them break into my employer’s systems. Their plan: steal data or install malicious software, then demand ransom. I would secretly earn a share.
A wider problem
I knew such attempts were happening elsewhere. Just days before, police in Brazil arrested an IT worker accused of selling login details. Authorities linked that betrayal to a $100m loss at a bank.
I sought advice from a senior editor and then chose to play along. I wanted to see how such negotiations unfold at a time when cyber-attacks disrupt lives around the world.
Syndicate soon renamed themselves Syn and pressed me further.
A tempting pitch
Syn explained the deal. I would provide my login credentials and codes. Their team would then extort my employer for bitcoin. My reward would be a cut.
The offer quickly increased. “We aren’t sure how much you earn but what if you took 25% of the final negotiation? We extract 1% of total revenue. You would never need to work again.”
Syn said the ransom could reach tens of millions. Authorities strongly advise against paying, but Syn promised me millions and full secrecy.
Insider collaborations
Syn claimed they had struck similar deals before. He cited two recent victims: a UK healthcare firm and a US emergency services provider.
“You’d be surprised at the number of employees who would provide us access,” he said confidently.
He introduced himself as “reach out manager” for Medusa, a ransomware-as-a-service operation. He claimed to be western and the only English speaker in the group.
Medusa functions like a platform. Affiliates sign up and use its tools to hack organisations. A security report suggested its administrators operate from Russia or allied states.
The group avoids Russian targets and advertises itself on Russian-language dark web forums.
Pressure increases
Syn sent me a US cyber warning about Medusa, stating the group had attacked more than 300 victims in four years.
I challenged his claims. He responded with Medusa’s darknet link and invited me to contact them through Tox, a secure messenger. He also sent me their recruitment page and urged me to make a 0.5 bitcoin deposit, worth about $55,000.
He said the deposit was guaranteed money once I shared my login. “We aren’t bluffing or joking,” he wrote. “We are only for money.”
He assumed I had advanced access to IT systems. I did not. He asked for information I could not provide and sent code to run on my laptop. I refused.
Escalation
By the third day, I stalled. I planned to brief the security team the next morning. Syn’s patience snapped.
“When can you do this? I’m not a patient person,” he warned. “I guess you don’t want to live on the beach in the Bahamas?”
He set a Monday midnight deadline. Then he escalated his attack.
My phone started filling with login notifications. Every minute, the security app asked me to approve access.
I recognised the method: MFA bombing. Hackers overwhelm victims with constant requests until they click accept. Uber suffered this tactic in 2022.
It was unsettling to endure. The chat had escalated into direct harassment on my phone. It felt like intruders knocking at my door.
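The MFA bombing pattern described above, written as a detection rule rather than as part of the article: this is added example code, not the author's or any vendor's, and it assumes a constructed JSON-lines log format with the field names shown. It flags a user who receives a burst of push prompts inside a short window, and separately flags the approval that follows such a burst, which is the single wrong tap the next section warns about.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the article): one JSON record per MFA push
# event, as an identity provider might emit. "reporter" is flooded with prompts
# around a midnight deadline; "analyst" logs in normally.
SAMPLE_LOG = """\
{"ts":"2025-07-14T23:50:01Z","user":"analyst","event":"push_sent"}
{"ts":"2025-07-14T23:50:09Z","user":"analyst","event":"push_approved"}
{"ts":"2025-07-14T23:58:02Z","user":"reporter","event":"push_sent"}
{"ts":"2025-07-14T23:59:04Z","user":"reporter","event":"push_sent"}
{"ts":"2025-07-15T00:00:05Z","user":"reporter","event":"push_sent"}
{"ts":"2025-07-15T00:01:07Z","user":"reporter","event":"push_sent"}
{"ts":"2025-07-15T00:02:08Z","user":"reporter","event":"push_sent"}
{"ts":"2025-07-15T00:03:10Z","user":"reporter","event":"push_sent"}
{"ts":"2025-07-15T00:03:40Z","user":"reporter","event":"push_approved"}
"""

def parse_events(text):
    """Parse JSON lines into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, rec["user"], rec["event"]))
    return sorted(events)

def detect_push_fatigue(events, threshold=5, window_minutes=10):
    """Alert on >= threshold unanswered prompts per user inside the window ('burst')
    and on any approval that lands while such a burst is open ('approval_after_burst')."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of unanswered prompts
    alerts = []
    for ts, user, event in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == threshold:  # fires once, when the burst crosses the threshold
                alerts.append({"kind": "burst", "user": user, "count": len(q), "at": ts})
        elif event == "push_approved":
            if len(q) >= threshold:  # the one wrong tap that grants access
                alerts.append({"kind": "approval_after_burst", "user": user, "count": len(q), "at": ts})
            q.clear()  # an answered prompt closes the current burst
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

A real deployment would feed the identity provider's push events in place of the constructed lines and tune `threshold` and `window_minutes` to the environment's normal login rhythm.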
Breaking the link
I knew one wrong tap would give them access. To the system, it would look like a normal login. From there, they could search for sensitive data.
I contacted the security team. We cut my connection entirely: no email, no intranet, no tools.
That evening, the hackers sent a strangely calm message. “The team apologises. We were testing your login page and are sorry if this caused issues.”
I told them I was locked out and angry. Syn repeated the offer. I ignored him. Days later, he deleted his Signal account.
A stark lesson
Eventually, my access was restored with stronger protections. The ordeal gave me a rare look at how insider threats unfold.
Hackers constantly adapt and chase insiders with bold strategies. Before this, I never truly understood how dangerous such offers could be.
It was a stark reminder of the risks every organisation faces.