Insider threats sit among the most dangerous tactics in cyber-crime. Few workers ever face them. Even fewer reveal their experiences.
I unexpectedly became one of them. A criminal group tried to recruit me with the promise of millions.
Sudden contact on Signal
The first message arrived without warning. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
The sender called themselves Syndicate. They reached me in July through the encrypted app Signal. I had no idea who they were, but I quickly understood their proposal.
They wanted me to help them infiltrate my employer’s systems. They would ransom the company. I would secretly receive a share.
Insider cases already rising
This approach was not isolated. Just days earlier, Brazilian police arrested an IT worker accused of selling login details. Investigators linked the betrayal to a $100m banking loss.
I consulted a senior editor for advice, then decided to play along. I wanted to see how criminals pitch such deals.
Syndicate, later calling themselves Syn, quickly began outlining their plan.
A deal too good to refuse?
Syn explained that I should share my login details and security codes. They would then hack the company and extort ransom in bitcoin.
Soon, the offer increased. “What if you took 25% of the final negotiation? We extract 1% of total revenue. You would never need to work again.”
He claimed the ransom could reach tens of millions. Authorities strongly warn against paying. But Syn promised secrecy and fortune.
Recruiting insiders worldwide
Syn boasted of earlier successes. He said a UK healthcare company and a US emergency services provider had already fallen to insider betrayal this year.
“You’d be surprised how many employees give us access,” he said confidently.
He identified himself as “reach out manager” for Medusa, a ransomware-as-a-service group. He claimed to be western and the only English speaker in the gang.
Medusa functions like a subscription service for cyber criminals. Security analysts believe its leaders operate from Russia or allied states and avoid Russian targets.
Mounting pressure
Syn shared a US government alert naming Medusa’s 300 victims over four years. He sent darknet links and a recruitment page. Then he urged me to deposit 0.5 bitcoin, about $55,000.
He described the deposit as guaranteed money once I handed over credentials. “We aren’t bluffing. We are only here for money.”
He wrongly assumed I had privileged access. He pushed me for details and sent computer code to run on my laptop. I resisted.
Attack turns aggressive
After three days, I stalled. I intended to alert the security team. Syn grew impatient.
“When can you do this? I’m not a patient person,” he wrote. “I guess you don’t want to live on the beach in the Bahamas?”
He set a deadline. Then the harassment began.
My phone erupted with endless login notifications. Every minute, the security app asked me to approve access.
I knew the technique: MFA bombing. Hackers overwhelm a victim until they approve a request. Uber fell victim in 2022.
The attack left me rattled. It felt like criminals knocking hard at my front door.
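For defenders, the pattern described above (a stream of unapproved push prompts, then possibly one approval) can be detected in authentication logs. The sketch below is an added example, not part of the original article; the event format, the 10-minute window and the threshold of five prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: unapproved prompts in WINDOW that count as a flood

# Constructed sample events: (ISO timestamp, user, outcome of the push prompt).
SAMPLE_EVENTS = (
    [("2025-01-01T09:00:00", "alice", "approved")]        # ordinary login
    + [("2025-01-01T10:00:00", "carol", "denied"),
       ("2025-01-01T10:30:00", "carol", "denied")]        # two stray prompts, far apart
    + [(f"2025-01-01T22:0{m}:00", "bob", "timeout") for m in range(6)]  # one prompt a minute
    + [("2025-01-01T22:06:00", "bob", "approved")]        # the tap the flood was waiting for
)

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp).

    "flood" fires once when a user reaches `threshold` unapproved prompts
    inside `window`; "approved_after_flood" fires when an approval arrives
    while that many unapproved prompts are still inside the window.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    flooding = set()             # users already alerted for the current flood
    alerts = []
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            flooding.discard(user)        # earlier flood has aged out
        if outcome == "approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_flood", ts_text))
            q.clear()
            flooding.discard(user)
        else:
            q.append(ts)
            if len(q) >= threshold and user not in flooding:
                flooding.add(user)
                alerts.append((user, "flood", ts_text))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An "approved_after_flood" alert is the case to treat as a likely compromised session rather than a normal login.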
Cutting them off
I knew one mistaken tap would open the door. The system would treat it as a normal login. From there, they could explore sensitive networks.
I called the security team. We disconnected me from everything: no email, no intranet, no accounts.
That night, Syn sent a calm message. “The team apologises. We were testing your login page and are sorry if this caused issues.”
I explained I was locked out. Syn repeated the offer. When I stayed silent, he vanished from Signal.
Hard lessons learned
My access was eventually restored with stronger protections. The ordeal showed me how hackers pressure insiders with escalating tactics.
What began as a polite conversation turned into aggressive harassment. The experience gave me a rare view of how far criminals go.
I had reported on insider threats before. But only as a target did I grasp their true danger.

