Sync NI – opinion – When Cybercrime Gets Physical: Organised Crime Tactics Converge with Ransomware


I was chatting to my friend Heath Pienaar recently about the joining together of Cyber and Physical risks after an article in The Register had piqued our mutual attention. We ended up having a good long chat about this and how we all need to stay ahead of the curve when it comes to cyber issues and especially what the future could hold, especially in a leading CISO role such as his. I thought it interesting to reflect upon joining together the old and new school tactics and how they play so nicely into the criminals’ hands, and it led into this article.

Old School Coercion

In December 2004, an armed gang here in Belfast carried out one of the largest bank robberies in recent history – not by hacking computers, but by kidnapping bank staff. In what’s known as a “tiger kidnapping”, criminals invaded the homes of two Northern Bank employees, held their families hostage, and forced the staff to cooperate in robbing the bank’s cash.

Under duress, manager Chris Ward and his colleague Kevin McMullan unlocked cash cages and helped thieves load £26.5 million into a van – all while praying their loved ones wouldn’t be harmed. McMullan was bluntly warned that if he didn’t play along:

he’d never see his wife again

The heist was brazen and audacious, exploiting insider access through fear and violence in a way police had rarely seen.

Glenn Patterson’s book The Northern Bank Job chronicles this real-life drama in vivid detail, highlighting how organised criminals leveraged insider knowledge under threat to pull off an unprecedented theft. It’s a stark reminder that even the best security systems can be undermined by old-fashioned coercion. Back then, such physical insider-extortion tactics were mainly a problem for cash in vaults. But today, CISOs are starting to realise that digital heists might be vulnerable to the same tactics, or worse.

Ransomware Gangs Turn to Physical Threats

Fast forward to 2025, and cybercriminals are reviving these intimidation techniques. Elite ransomware gangs, the kind that encrypt your data and demand millions in crypto, have started threatening physical violence against individuals to force payments. A recent industry survey found that 40% of ransomware negotiation experts reported attackers warning they would harm employees or their families if the victim organisation didn’t pay up.

Jeff Wichman, a veteran ransomware negotiator, describes to The Register how criminal hackers now menace targets with tactics straight out of organised crime.

“The threats of physical harm are pretty scary… I am afraid of what’s next,”

These aren’t empty boasts, either. Cyber extortionists are doxxing victims – digging up home addresses, family photos, and personal details to lend credence to their threats. Wichman notes of one ransomware crew’s calls to a CEO:

“The attackers know where the executives live, they know where their kids go to school,”

In one case, intruders even SIM-swapped an executive’s child’s phone as a scare tactic, demonstrating that they could reach into the victim’s personal life. All of this is meant to ratchet up the fear factor, echoing the same pressure a bank manager felt with a gun to his head – except now the gun is held by a hacker on the other side of the world.

This convergence of digital crime with physical intimidation is blurring the lines between cybercrime and traditional organised crime. Ransomware gangs have essentially become the new-age mafia: they steal data instead of diamonds, but won’t hesitate to say

Nice business you’ve got there – it’d be a shame if something happened to your family.

It’s a chilling development that has CISOs and law enforcement on high alert.

From Millions to Billions: High Stakes Fuel Extreme Tactics

Why are hackers suddenly adopting the playbook of bank robbers and cartels? One reason is money, a lot more money. The scale of cyber heists today dwarfs the loot from old-school robberies. The Northern Bank gang risked their lives for £26 million; by contrast, North Korea’s infamous Lazarus Group of hackers has stolen over $1 billion in recent years. In fact, Lazarus Group is described as:

One of the most effective criminal enterprises on the planet,

They have been guilty of looting banks, cryptocurrency exchanges and film studios, and the North Korean state has also been involved in direct assassinations abroad. That’s right – a single cyber syndicate robbed victims from Dhaka to Hollywood, moving seamlessly from digital bank theft to laundering money through Macau casinos. The sheer scale of such operations shows how cyber crime has escalated from million-pound ransoms to billion-dollar plunder.

As cyber criminals rake in bigger profits, they have more resources to fund real-world operations. It’s not hard to imagine a ransomware cartel hiring local muscle for enforcement. After all, if a £20 million payday is on the line, even a “respectable” hacker gang might consider paying a traditional thug £50,000 to knock on an executive’s door with a baseball bat as added persuasion. Security experts worry that collaborations could form between cyber gangs and violent organised crime networks: in the same way that drug cartels might employ hackers for money laundering, hackers could recruit cartel enforcers for intimidation.

Investigative journalist Geoff White, who has covered many complex cybercrime cases, notes that the underworld is already deeply interconnected. In his most recent book Rinsed: From Cartels to Crypto, Geoff exposes how modern tech is used to wash money for the world’s deadliest crooks.

Powerful drug cartels and mafias are using cryptocurrencies, online exchanges and tech platforms to launder billions, effectively merging old criminal enterprises with new digital tools. If cartels can harness crypto for profit, there’s every chance they might also offer their violent services to assist or extort on behalf of a hacking operation. We may soon see a criminal ecosystem where a ransomware gang’s extortion demand is enforced by the threat of a cartel hitman – a truly dystopian alliance of keyboard criminals and street criminals.

Sound far-fetched? Perhaps, but recent trends suggest it’s increasingly plausible. As one former negotiator warned, attackers will find “any way feasible to force a payment”. Today it’s phone threats and doxxing; tomorrow it could be an actual kidnap of a CFO or an attempted assault on an uncooperative IT director. In the criminal mind, if cyber extortion doesn’t immediately work, the next step might be to escalate to physical extortion, especially given the high rewards at stake.

Preparing for Hybrid Attacks: A Call to Action for CISOs

For Chief Information Security Officers (CISOs) and cyber security leaders, especially in high-target industries like financial services, these developments carry an urgent message: expand your threat models. It’s no longer enough to plan for data breaches and ransomware in isolation; you must also consider scenarios where cyber incidents spill into the physical realm.

What would you do if attackers threatened an employee’s family to gain network access? Do your incident response plans account for the possibility of a “digital hostage situation”, where staff might be coerced to hand over passwords at gunpoint? These questions need to be on the table. In 2004, Northern Bank staff had plans for handling a tiger kidnapping but the result was still chaos and loss. We can’t afford to be caught similarly flat-footed in the era of cyber-physical convergence.

Here are a few steps cyber leaders should consider:

  • Integrate Physical Security into Cyber Response: Coordinate with your corporate security or law enforcement contacts when formulating incident plans. For example, define clear protocols for what to do if an employee reports a threat against their family during a cyber incident. Early involvement of police in a potential extortion could save lives.
  • Educate and Empower Your Team: Make sure executives and key IT administrators know about tactics like tiger kidnappings and doxxing threats. Provide training on personal security hygiene (e.g. protecting home addresses, social media privacy) and establish a culture where staff won’t be afraid to speak up if they feel threatened. An employee under duress should know how to alert the company safely – perhaps via a pre-agreed code word or panic button.
  • Exercise “Hybrid” Scenarios: When you run cyber incident tabletop exercises, include scenarios that involve physical coercion or insider betrayal under duress. This could mean simulating a ransomware attack where the twist is a key admin receives a midnight threat call to cooperate with the attackers. Practising these uncomfortable situations in advance will surface policy gaps and help your team respond calmly if the unthinkable occurs.

Crucially, leverage external expertise to make these exercises as realistic as possible. The UK’s National Cyber Security Centre (NCSC) now certifies high-quality cyber incident exercise providers who can help organisations rehearse complex scenarios in a controlled way. Engaging an NCSC-certified exercising provider can bring fresh perspective and rigour to your drills. Look for providers, like ourselves, approved under the NCSC Cyber Incident Exercising (CIE) scheme for assurance of quality. They can deliver tailored tabletop or even live-play simulations that test both your technical response and your crisis decision-making when lives might be on the line.

Stay Ahead of the Curve

The convergence of traditional organised crime tactics with modern cybercrime is no longer theoretical; it’s happening now in subtle ways, and may soon hit harder. As Geoff White’s investigations in The Lazarus Heist illustrate, today’s cyber heists can resemble a “cybercrime Ocean’s 11” – sprawling, cross-border capers involving everyone from nation-state hackers to front-company money mules. In such operations, the digital and physical worlds overlap: stolen funds move through real banks and casinos, and criminals navigate both the internet’s back alleys and actual city streets. The logical next step is that those same criminals use physical force to secure their digital fortunes.

For CISOs and security professionals, the task now is to anticipate that next step. Don’t dismiss that strange phone call to an exec’s home as a random crank – it could be the opening move in a new kind of ransomware siege. Review your crisis plans, talk with your peers, and include executive protection and law enforcement in the conversation. By acknowledging this hybrid threat, we can broaden our defences accordingly.

In the end, being a cyber security leader in 2025 means expecting the unexpected – including the possibility that the attacker behind a keyboard might also be willing to kick down a door. The best way to counter that threat is to shine a light on it.

  • Have frank discussions within your organisation about these evolving risks.
  • Use your imagination in drills – the criminals certainly are.
  • Ensure your company’s next tabletop exercise doesn’t just stop at the technical containment of malware, but also challenges your team to respond to a scenario where people’s safety is at stake.

Now is the time to prepare.

As the saying goes, forewarned is forearmed. By learning from cases like the Northern Bank heist and heeding reports of ransomware gangs’ new tactics, cyber leaders can get ahead of this menace. The tools of yesterday’s organised crime are being repurposed for today’s cyber attacks. Let’s make sure our defence strategies evolve accordingly. In your next incident planning session, ask the tough question: are we ready if the hackers come with a physical threat? By considering that scenario now – and practising your response with qualified exercise partners – you can bolster your organisation’s resilience against this disturbing blend of digital and physical crime.

Cyber security doesn’t stop at the keyboard. As guardians of our organisations, we must broaden our scope and defend against the full spectrum of threats. If you’re a CISO or security manager, take this as an urgent prompt to update your playbooks.

  • Raise the issue in the next board meeting or risk review.
  • Ensure your incident response plans account for potential human coercion.
  • Most importantly, invest in regular exercises that test not just your technology, but your people under pressure – ideally with scenarios crafted by NCSC-certified experts who understand these hybrid risks. By doing so, you’ll foster a team that’s ready for anything, whether it’s a malware infection or a midnight phone call. In an era where cyber crime might literally knock on your front door, preparation is not just prudent – it’s essential.

Stay safe, stay prepared, and remember: today’s hackers might play by gangster rules, but with foresight and training, we can stay one step ahead of them.

Simon is head of Cyber at Vertical Structure and chair of the steering committee for and is dedicated to improving the visibility and capabilities of Northern Ireland’s Cyber Security organisations on the world’s stage. Simon is host of the

Simon is head of Cyber at Instil and chair of the steering committee for NICyber Security Cluster and is dedicated to improving the visibility and capabilities of Northern Ireland’s Cyber Security organisations on the world’s stage. Simon is host of the CyberTuesday® podcast.
