Insider threats rarely reach the spotlight in cyber-crime. Few workers encounter them. Even fewer dare to reveal their stories.
I became one of those exceptions. A criminal group recently contacted me with an offer that exposed how hackers try to enlist insiders.
The first contact
The approach came suddenly. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
The message came from someone calling themselves Syndicate. They reached out in July via the encrypted app Signal. I had never heard of them, but their intention was obvious.
They wanted me to help them break into my employer’s systems. Their plan: steal data or plant malware, then demand a ransom. I would secretly pocket a cut.
A global problem
This kind of story was already in the news. Days earlier, Brazilian police arrested an IT worker accused of selling logins. Investigators linked the case to a $100m loss at a major bank.
I consulted a senior editor and then decided to play along with Syndicate. I wanted to witness how these negotiations play out, especially as cyber-attacks increasingly disrupt daily life.
Syndicate, who later renamed themselves Syn, pushed me to consider.
The pitch intensifies
Syn outlined the deal. I should provide my login details and codes. Their team would hack my employer and demand bitcoin ransom. I would receive a share.
The offer soon grew bigger. “We aren’t sure how much you earn but what if you took 25% of the final negotiation? We extract 1% of total revenue. You would never need to work again.”
Syn said they could demand tens of millions. Authorities warn against ransom payments, but Syn promised me millions and guaranteed secrecy.
Deals with insiders
Syn insisted they had experience. He cited two recent victims: a UK healthcare company and a US emergency services provider.
“You’d be surprised at the number of employees who would provide us access,” he claimed.
He introduced himself as “reach out manager” for Medusa, a ransomware-as-a-service network. He said he was western and the only English speaker in the group.
Medusa functions like a criminal franchise. Affiliates sign up and use its tools to breach organisations. A security report suggested its leaders operate from Russia or allied states.
The group avoids Russian targets and promotes itself on Russian-language dark web forums.
Mounting pressure
Syn sent me a US warning about Medusa. The notice said the gang had hit more than 300 victims in four years.
I questioned his claims. He replied with Medusa’s darknet site and invited me to use Tox, a secure messenger. He shared a recruitment page and urged me to send a 0.5 bitcoin deposit, about $55,000.
He described it as guaranteed payment after I shared my login. “We aren’t bluffing or joking,” he insisted. “We exist only for money.”
He wrongly assumed I had deep system access. I do not. He asked for technical details I couldn’t provide and sent me code to run on my laptop. I declined.
Escalation begins
By the third day, I stalled, planning to alert the security team on Monday. Syn’s patience wore thin.
“When can you do this? I’m not a patient person,” he warned. “I guess you don’t want to live on the beach in the Bahamas?”
He set a Monday midnight deadline. Then he escalated.
My phone began buzzing with login approvals. Every minute, the security app asked me to confirm access.
I recognised the method: MFA bombing. Hackers flood targets with login prompts until one gets approved. Uber fell victim to it in 2022.
Experiencing it directly was unsettling. The private chat had turned into direct harassment on my phone. It felt like intruders hammering on my door.
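The MFA bombing pattern described above leaves a trail in authentication logs: a burst of push prompts to one account, and in the worst case an approval at the end of the burst. The following detector is an added illustration, not code from this article or from any product it mentions; it assumes a constructed log format (`user=` and `event=` fields on each line) with constructed sample lines, and flags any account that receives five or more push prompts inside a ten-minute window.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Format assumed for this example:
# "<ISO-8601 time> user=<name> event=<push_sent|push_approved|push_denied>"
SAMPLE_LOG = """
2025-07-14T20:00:05Z user=reporter event=push_sent
2025-07-14T20:01:02Z user=reporter event=push_sent
2025-07-14T20:02:11Z user=reporter event=push_sent
2025-07-14T20:03:09Z user=reporter event=push_sent
2025-07-14T20:04:00Z user=reporter event=push_sent
2025-07-14T20:04:30Z user=reporter event=push_denied
2025-07-14T20:05:14Z user=reporter event=push_sent
2025-07-14T20:06:40Z user=colleague event=push_sent
2025-07-14T20:06:55Z user=colleague event=push_approved
2025-07-14T21:10:00Z user=victim event=push_sent
2025-07-14T21:10:40Z user=victim event=push_sent
2025-07-14T21:11:20Z user=victim event=push_sent
2025-07-14T21:12:00Z user=victim event=push_sent
2025-07-14T21:12:45Z user=victim event=push_sent
2025-07-14T21:13:30Z user=victim event=push_approved
"""

def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, user.split("=", 1)[1], event.split("=", 1)[1]

def detect_push_bombing(log_text, window_minutes=10, threshold=5):
    """Flag users who receive >= threshold push prompts inside a sliding window.
    Returns {user: "burst" | "burst_then_approved"}; the second value is the
    dangerous case: a prompt was accepted after the flood had started."""
    recent = {}   # user -> deque of push_sent timestamps still inside the window
    verdict = {}
    window = timedelta(minutes=window_minutes)
    for raw in log_text.strip().splitlines():
        when, user, event = parse_line(raw)
        q = recent.setdefault(user, deque())
        if event == "push_sent":
            q.append(when)
            while when - q[0] > window:      # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                verdict.setdefault(user, "burst")
        elif event == "push_approved" and verdict.get(user) == "burst":
            verdict[user] = "burst_then_approved"
    return verdict
```

On the sample, `detect_push_bombing(SAMPLE_LOG)` returns `{"reporter": "burst", "victim": "burst_then_approved"}`; the single prompt to `colleague` is normal use and is not flagged. In a real deployment the "burst_then_approved" verdict is the one to treat as a probable compromise and disable the session, which mirrors the step the security team took in the account above.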
Cutting the link
I knew one wrong click would hand them access. To the system, it would look like a normal login. From there, they could search for sensitive data.
I contacted the security team. We agreed to cut my access completely. No email, no intranet, no tools.
That evening, the hackers messaged me. “The team apologises. We were testing your login page and are sorry if this caused issues.”
I replied that I was locked out and frustrated. Syn repeated his offer. I ignored him. Days later, he deleted his Signal account.
A sobering lesson
Eventually, my access was restored with stronger protections. The ordeal gave me firsthand insight into insider threat tactics.
Hackers adapt constantly and target insiders with growing determination. Before this, I never fully grasped how real these offers can be.
It was a sobering reminder of the dangers every organisation faces.