Insider threats remain one of cyber-crime’s darkest tactics. Few employees ever face them. Even fewer describe what happens inside.
I recently experienced one firsthand. A criminal group approached me with an unsettling offer: betray my employer for millions.
The approach on Signal
The message appeared suddenly. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
The sender called themselves Syndicate. They contacted me in July through Signal, an encrypted app. I had no clue who they were, but I knew exactly what they wanted.
The deal was clear. Let them use my work laptop to break in. They would ransom the company. I would secretly get a cut.
Growing global trend
I knew of similar cases. Only days earlier, police in Brazil arrested an IT worker accused of selling login details. Investigators linked that betrayal to a $100m loss at a bank.
Curious about how such negotiations unfold, I sought advice from a senior editor. Then I decided to play along. Syndicate, who later shortened the name to Syn, began explaining the process.
The big offer
Syn wanted my login details and security codes. Their team would then hack the company and demand a bitcoin ransom.
The offer grew bolder. “What if you took 25% of the final negotiation? We extract 1% of total revenue. You would never need to work again.”
He claimed the ransom could reach tens of millions. Cyber authorities advise against paying, but Syn promised secrecy and fortune.
Insider betrayals
Syn insisted their group already had experience striking deals with insiders. He named two victims this year: a UK healthcare company and a US emergency services provider.
“You’d be surprised how many employees give us access,” he said.
He introduced himself as “reach out manager” for Medusa, a ransomware-as-a-service gang. He claimed to be western and the only English speaker in the group.
Medusa sells hacking tools to affiliates worldwide. Security researchers believe its leaders operate from Russia or allied states and avoid Russian targets.
Tactics of persuasion
To convince me, Syn sent a US cyber alert that listed Medusa’s 300 victims. He shared darknet links and recruitment pages, and demanded a deposit of 0.5 bitcoin, worth $55,000.
He called it guaranteed income once I handed over credentials. “We aren’t bluffing. We are only about money.”
He wrongly assumed I had privileged access. He pushed me to share details and even sent code to run on my laptop. I refused.
Escalation and pressure
After three days, I stalled. I planned to alert the security team. Syn grew impatient.
“When can you do this? I’m not a patient person,” he warned. “I guess you don’t want to live on the beach in the Bahamas?”
He set a strict deadline. Then the harassment began.
My phone lit up with nonstop login requests. Every minute, the security app asked me to approve access.
I recognised the tactic: MFA bombing. Hackers flood victims with multi-factor authentication prompts until they approve one. Uber was hacked this way in 2022.
This attack crossed into my daily life. It felt like criminals pounding at my front door.
Locking them out
I knew one wrong tap would hand them the keys. To the system, it would look like a normal login. From there, they could search sensitive networks.
I called the security team. We cut me off from every system: no email, no intranet, no access.
That night, Syn messaged calmly. “The team apologises. We were testing your login page and are sorry if this caused issues.”
I replied that I was locked out. Syn repeated the offer. When I ignored him, he deleted his Signal account.
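The MFA bombing described above leaves a pattern a security team can detect: a run of push prompts for one account, and, in the worst case, an approval at the end of it that would otherwise look like a normal login. The following is an added example, not part of the original article; the log format, event names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: pushes per window that count as a burst

# Constructed sample log; the line format is hypothetical, not a real product's.
SAMPLE_LOG = """\
2025-01-01T09:00:00Z user=bob event=push_sent
2025-01-01T09:00:08Z user=bob event=push_approved
2025-01-01T21:00:00Z user=alice event=push_sent
2025-01-01T21:00:20Z user=alice event=push_denied
2025-01-01T21:01:00Z user=alice event=push_sent
2025-01-01T21:02:00Z user=alice event=push_sent
2025-01-01T21:03:00Z user=alice event=push_sent
2025-01-01T21:04:00Z user=alice event=push_sent
2025-01-01T21:05:00Z user=alice event=push_sent
2025-01-01T21:05:30Z user=alice event=push_approved
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert, timestamp) tuples for push bursts and for
    approvals that arrive at the end of one."""
    recent = defaultdict(deque)  # user -> timestamps of pushes still in window
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        while q and ts - q[0] > window:   # expire pushes older than the window
            q.popleft()
        if rec["event"] == "push_sent":
            q.append(ts)
            if len(q) == threshold:       # alert when the count reaches the threshold
                alerts.append((user, "push_burst", ts))
        elif rec["event"] == "push_approved":
            # On its own this is a normal login; preceded by a burst it is
            # the signal to revoke the session and lock the account.
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts))
            q.clear()
    return alerts
```

Run over the constructed log, `detect(SAMPLE_LOG)` flags alice's burst at the fifth prompt and again at the approval, while bob's single prompt and approval raise nothing.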
A sobering lesson
Eventually, I regained access with stronger protections. The ordeal revealed how aggressively hackers pursue insiders.
What began as a polite pitch ended with relentless harassment. The experience exposed the true scale of insider threats.
I had reported on such risks before. But only after being targeted did I fully grasp the danger.