A recent arrival on the dark web, calling itself 0APT, has raised eyebrows in the cybersecurity community. Launched in late January 2026, the ransomware operation boldly claimed to have compromised over 200 organizations in its first week. Despite these assertions, investigations found no evidence of genuine data breaches.
Unveiling the 0APT Scheme
The 0APT group announced itself with a professional-looking data leak site hosted on a Tor (.onion) domain, advertising a Ransomware-as-a-Service (RaaS) model to attract affiliates. Security analysts soon determined that the majority of the group's claims lacked substance, with no legitimate stolen data to show. The operation appears to have been designed to defraud would-be cybercriminals rather than to target the organizations it listed.
The group built a convincing infrastructure: a data leak site served by NGINX, a functional RaaS panel, and chat systems for ransom negotiation. Each supposed victim was listed with a file tree claiming gigabytes of data. Yet attempts to download those files showed the advertised sizes to be implausibly large, and the downloads stalled after about five minutes without delivering the data. Analysts from THE RAVEN FILE identified these tactics as deliberate deceptions intended to feign successful breaches.
Investigations and Findings
Multiple cybersecurity firms, including GuidePoint Security, Halcyon, and SOCRadar, investigated the claims and found no evidence of actual breaches among the listed organizations. Some entities, such as Epworth HealthCare, publicly confirmed that no compromise had occurred. 0APT also listed organizations that do not exist, further undermining its claims. The group posted 91 victims in just two days, a rate far beyond that of established ransomware operations.
Researchers uncovered the true motive when they gained access to the RaaS panel. It allowed affiliates to generate ransomware samples for several operating systems, using encryption algorithms such as AES-256 and the Speck cipher. The malware itself was functional, but the victim list was fabricated to lure paying affiliates; one actor was defrauded of $85,000.
Recommendations and Future Outlook
Security experts recommend that organizations verify breach claims through official channels before responding to any ransom demand. A leak-site listing that is not corroborated by a ransom note or encrypted files on the organization's own systems should be treated as unverified and potentially false. At the same time, the panel still produces working ransomware binaries, so organizations should continue to watch for indicators of compromise associated with 0APT samples.
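The verification checklist above can be turned into a repeatable triage step. The following Python helper is an added example, not code from the original article or from any of the firms it names. It scores constructed leak-site listings against the signals the article describes: a public denial, the absence of corroborating artifacts (ransom note or encrypted files), an advertised file tree that does not add up, a proof-of-breach download that delivers almost nothing, and a posting rate far above normal. The thresholds, field names and sample listings are all assumptions chosen for illustration.

```python
"""Triage helper for ransomware leak-site listings (added example, not the article's code).

Thresholds and field names are assumptions; the sample listings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed thresholds: tune against your own baseline of known operations.
MAX_VICTIMS_PER_2_DAYS = 30           # posting velocity above this is suspicious
MIN_DOWNLOAD_FRACTION = 0.05          # a stalled "proof" delivering less than 5% is suspicious
MAX_SINGLE_FILE_BYTES = 2 * 1024**4   # a single listed file larger than 2 TiB is implausible


@dataclass
class Listing:
    victim: str
    posted: datetime
    claimed_bytes: int            # total size advertised on the leak site
    files: Dict[str, int]         # advertised file tree: path -> claimed bytes
    downloaded_bytes: int         # bytes a probe actually retrieved before the transfer stalled
    has_ransom_note: bool         # corroborating artifact found on the organization's systems
    has_encrypted_sample: bool
    publicly_denied: bool         # organization confirmed no compromise through official channels


def file_tree_inconsistent(listing: Listing) -> bool:
    """True when the advertised total disagrees with the advertised file tree,
    or when any single entry is implausibly large."""
    if sum(listing.files.values()) != listing.claimed_bytes:
        return True
    return any(size > MAX_SINGLE_FILE_BYTES for size in listing.files.values())


def download_fraction(listing: Listing) -> float:
    """Share of the advertised data that the download probe actually received."""
    if listing.claimed_bytes == 0:
        return 0.0
    return listing.downloaded_bytes / listing.claimed_bytes


def peak_posting_rate(listings: List[Listing], window: timedelta = timedelta(days=2)) -> int:
    """Largest number of listings posted inside any sliding window (sorted two-pointer scan)."""
    times = sorted(item.posted for item in listings)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(listing: Listing, site_rate: int) -> List[str]:
    """Reasons to treat a listing as unverified or likely false; empty means nothing fired."""
    reasons = []
    if listing.publicly_denied:
        reasons.append("organization publicly denied compromise")
    if not (listing.has_ransom_note or listing.has_encrypted_sample):
        reasons.append("no ransom note or encrypted file to corroborate")
    if file_tree_inconsistent(listing):
        reasons.append("advertised file tree is internally inconsistent")
    if download_fraction(listing) < MIN_DOWNLOAD_FRACTION:
        reasons.append("proof-of-breach download delivered almost nothing")
    if site_rate > MAX_VICTIMS_PER_2_DAYS:
        reasons.append(f"site posting rate {site_rate}/2d exceeds assumed baseline")
    return reasons


def triage(listings: List[Listing]) -> Dict[str, List[str]]:
    """Site-level posting rate plus per-listing checks, keyed by victim name."""
    rate = peak_posting_rate(listings)
    return {item.victim: assess(item, rate) for item in listings}


T0 = datetime(2026, 1, 27)  # constructed date


def sample_listings() -> List[Listing]:
    """Constructed sample: one listing with every warning sign, one that looks corroborated,
    and a burst of filler listings to simulate an implausible posting rate."""
    fake = Listing("Example Hospital (constructed)", T0, 3 * 1024**4,
                   {"finance/ledger.xlsx": 500 * 1024**3, "hr/dump.sql": 300 * 1024**3},
                   12 * 1024**2, False, False, True)
    corroborated = Listing("Example Clinic (constructed)", T0 + timedelta(days=10), 2 * 1024**3,
                           {"share/a.zip": 1024**3, "share/b.zip": 1024**3},
                           2 * 1024**3, True, False, False)
    filler = [Listing(f"filler-{i} (constructed)", T0 + timedelta(minutes=30 * i), 1, {"x": 1},
                      0, False, False, False) for i in range(40)]
    return [fake, corroborated] + filler


if __name__ == "__main__":
    for victim, reasons in triage(sample_listings()).items():
        if not victim.startswith("filler"):
            print(victim, "->", reasons or ["no warning signs"])
```

The posting-rate signal is computed for the whole site and applied to every listing, so even a well-corroborated entry on a site posting far above baseline is still flagged for a second look; the per-listing checks are what separate a fabricated entry from a real one.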
This case underlines the value of thorough verification and healthy skepticism toward claimed breaches. As ransomware tactics evolve, organizations must adapt their defenses and rely on trustworthy cybersecurity sources to confirm what is real.
