Insider threats remain one of the most dangerous forms of cyber-crime. Few employees face them. Even fewer speak openly about their experiences.
I recently became one of those rare cases. A criminal group approached me with an offer to betray my employer for millions.
Unexpected message on Signal
The first contact arrived without warning. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
The sender called themselves Syndicate. They reached me in July via the encrypted app Signal. I did not know them, but I understood immediately what they wanted.
They wanted me to help them infiltrate my employer’s systems. Their plan: steal data or install malware, then demand a ransom. I would secretly receive a cut.
A growing global problem
This kind of insider betrayal is rising. Just days earlier, Brazilian police arrested an IT worker accused of selling login details. Investigators linked the case to a $100m banking loss.
I consulted a senior editor before deciding to play along. I wanted to understand how criminals pitch such schemes.
Syndicate, who later renamed themselves Syn, began explaining the operation.
A tempting proposal
Syn said I should provide login credentials and security codes. Their team would hack my employer and demand a bitcoin ransom. I would earn a portion.
The offer grew bolder. “What if you took 25% of the final negotiation? We extract 1% of total revenue. You would never need to work again.”
Syn claimed the ransom could reach tens of millions. Authorities strongly advise against paying, but Syn promised both wealth and secrecy.
Insider deals
Syn insisted the gang had succeeded before. He named two recent victims: a UK healthcare company and a US emergency services provider.
“You’d be surprised at the number of employees who would provide us access,” he said.
He identified himself as “reach out manager” for Medusa, a ransomware-as-a-service group. He claimed to be western and the only English speaker in the gang.
Medusa functions like a criminal platform. Affiliates use its tools to hack organisations. Security researchers say its leaders operate from Russia or allied states.
The group avoids Russian targets and promotes itself on Russian-language dark web forums.
Rising pressure
Syn shared a US alert that named Medusa’s 300 victims. He sent darknet links and recruitment pages, urging me to deposit 0.5 bitcoin—about $55,000.
He described it as guaranteed payment once I shared credentials. “We aren’t bluffing. We are only for money.”
He assumed I had privileged access. He asked for technical details and sent code to run on my laptop. I refused.
Escalation
After three days, I stalled, planning to contact the security team. Syn grew impatient.
“When can you do this? I’m not a patient person,” he wrote. “I guess you don’t want to live on the beach in the Bahamas?”
He set a deadline. Then the harassment escalated.
My phone filled with nonstop login requests. Every minute, the security app asked me to approve access.
I recognised the tactic: MFA bombing. Hackers bombard victims until they approve a request. Uber fell victim in 2022.
The attack was unsettling. The private conversation had spilled into direct pressure on my phone. It felt like intruders knocking at my door.
Cutting access
I knew one wrong tap would hand them the keys. The system would treat it as a normal login. From there, they could explore sensitive networks.
I contacted the security team. We disconnected me completely: no email, no intranet, no accounts.
That night, Syn sent a calm message. “The team apologises. We were testing your login page and are sorry if this caused issues.”
I replied I was locked out. Syn repeated the offer. When I stayed silent, he disappeared from Signal.
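For defenders, the pattern described above (a prompt every minute until one is approved) can be detected in MFA logs. The sketch below is an added example, not part of the original article or any vendor's tooling; the log format, outcome names, user names, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the article): "<UTC time> <user> <prompt outcome>"
SAMPLE_LOG = """\
2025-07-10T09:00:05Z user_a timeout
2025-07-10T09:00:40Z user_a approved
2025-07-10T22:01:00Z user_b denied
2025-07-10T22:02:00Z user_b denied
2025-07-10T22:03:00Z user_b timeout
2025-07-10T22:04:00Z user_b denied
2025-07-10T22:05:00Z user_b timeout
2025-07-10T22:06:00Z user_b denied
2025-07-10T22:07:00Z user_b approved
"""

def detect_push_floods(log_text, window=timedelta(minutes=10), threshold=5):
    """Return (time, user, alert) tuples for bursts of unapproved MFA prompts."""
    recent = defaultdict(deque)  # user -> times of unapproved prompts in window
    flagged = set()              # users whose current burst was already reported
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        stamp, user, outcome = parts
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # forget prompts older than the window
        if not q:
            flagged.discard(user)
        if outcome == "approved":
            # An approval that ends a burst looks like a normal login to the
            # identity system, so it is the event that most needs review.
            if len(q) >= threshold:
                alerts.append((stamp, user, "approved_during_flood"))
            q.clear()
            flagged.discard(user)
        else:
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append((stamp, user, "push_flood"))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_floods(SAMPLE_LOG):
        print(*alert)
```

A `push_flood` alert is a cue to contact the user out of band and suspend prompts for the account; `approved_during_flood` means the resulting session should be revoked and reviewed.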
A chilling lesson
Eventually, my access was restored with stronger protections. The incident gave me firsthand insight into insider threat tactics.
Hackers constantly evolve and target insiders. Before this, I had not fully grasped the risks.
It was a stark reminder of the dangers every organisation faces today.