
0APT ransomware crew makes embarrassing splash


A newly operational ransomware-as-a-service (RaaS) gang that emerged during January 2026 has made waves after publishing the names – and partial data – of nearly 200 victims in quick succession, but ransomware experts say the criminal operation may not be all it’s cracked up to be.

According to data gathered by the Halcyon Ransomware Research Center, as of 5 February the majority of the alleged victims were located in the US, followed by the UK and India.

The publication of so many victims in quick succession isn’t unprecedented – the Cl0p operation, well known for the mass exploitation of victims such as during the MOVEit incident of 2023, has often published in bulk.

However, deeper analysis of 0APT’s claims by a number of researchers reveals that the gang is almost certainly bluffing.

Rahul Ramesh and Reegun Jayapaul of the Cyderes Howler Cell team said there were significant doubts surrounding the credibility of 0APT’s victim claims.

“Claiming around 200 victims in a compressed time window, without supporting artifacts, is operationally inconsistent with observed ransomware group behaviour,” they explained. “Mature groups typically stagger disclosures and provide proof of compromise to strengthen negotiation leverage. In this case, the announcements appear rapid and unsupported.”

Ramesh and Jayapaul also said the gang’s leak site raised concerns about the authenticity of the data it claimed to have stolen. They said that although the leak section advertises downloadable file trees, the actual files are far larger than would be expected and appear to be structured to create an impression of large-scale data theft – when they can be downloaded at all, they mainly appear to contain mostly random junk disguised as a .zip archive or .pdf file.
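The kind of check the Cyderes researchers describe, a file that is named .zip or .pdf but holds random bytes, can be scripted so an analyst triages a leak-site sample before treating it as proof of compromise. The Python below is an added example, not code from the article, from Cyderes or from GuidePoint; all samples are constructed in memory (nothing is fetched from any leak site) and the file names, sizes and thresholds are illustrative assumptions.

```python
"""Triage of files offered as 'proof' on a leak site.

Added example with constructed samples; nothing here is taken from 0APT's
site.  A file is 'suspect' when it fails its own format's structure test;
byte entropy is reported only as a secondary signal.
"""
import io
import math
import random
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_zip(data: bytes) -> list:
    """Return problems found; empty list means the archive parses and every CRC holds."""
    problems = []
    if not data.startswith((b"PK\x03\x04", b"PK\x05\x06")):
        problems.append("no ZIP local-header or end-of-central-directory signature")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # CRC-checks every member
            if bad is not None:
                problems.append(f"CRC mismatch in member {bad!r}")
            if not zf.namelist():
                problems.append("archive contains no members")
    except zipfile.BadZipFile as exc:
        problems.append(f"central directory unreadable: {exc}")
    return problems


def check_pdf(data: bytes) -> list:
    """Cheap structural checks: header, at least one object, and a trailer."""
    problems = []
    if not data.startswith(b"%PDF-"):
        problems.append("missing %PDF- header")
    if b"endobj" not in data:
        problems.append("no PDF objects (no 'endobj' token)")
    if b"startxref" not in data:
        problems.append("no 'startxref' pointer")
    if b"%%EOF" not in data[-1024:]:
        problems.append("no %%EOF marker near end of file")
    return problems


CHECKERS = {"zip": check_zip, "pdf": check_pdf}


def assess(filename: str, data: bytes) -> dict:
    """Pick the checker by extension and produce a verdict plus the evidence for it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    checker = CHECKERS.get(ext)
    problems = checker(data) if checker else ["no structural checker for this extension"]
    return {
        "file": filename,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "problems": problems,
        "verdict": "structurally plausible" if not problems else "suspect",
    }


# --- constructed samples (not real leak data) ---------------------------------
def sample_real_zip() -> bytes:
    """A genuine deflated archive holding one small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("memo.txt", "Constructed sample memo. " * 40)
    return buf.getvalue()


def sample_junk(size: int = 4096, seed: int = 0) -> bytes:
    """Deterministic pseudo-random bytes standing in for 'junk disguised as an archive'."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def sample_junk_pdf() -> bytes:
    """Correct header, random body: the header alone should not satisfy the check."""
    return b"%PDF-1.7\n" + sample_junk(seed=1)


if __name__ == "__main__":
    for name, blob in (("memo.zip", sample_real_zip()),
                       ("dump.zip", sample_junk()),
                       ("memo.pdf", sample_junk_pdf())):
        print(assess(name, blob))
```

Entropy is deliberately not part of the verdict: a deflated archive or a PDF with compressed streams is itself high-entropy, so it cannot separate real archives from random junk on its own. The verdict rests on the format's own structure (ZIP central directory and member CRCs, PDF objects and trailer), which random bytes essentially never satisfy.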

There are also, they observed, no screenshots of compromised data displayed on the site – a fairly standard practice in the ransomware underground – which further weakens the credibility of 0APT’s claims.

But beyond the junk data, there is credible evidence that many of the victims themselves may not even exist. Indeed, screengrabs shared by Jason Baker of GuidePoint Security’s Research and Intelligence (GRIT) team reference one victim, Metropolis City Municipal, from which 0APT claimed to have stolen city planning documents, vendor payments and internal memos.

While there is a real Metropolis, in southern Illinois, it is a small town of barely 7,000 people and there is no indication it has been hit by a ransomware attack. 0APT’s use of the name is almost certainly a reference to the DC Comics Superman franchise – and it has since been removed from the leak site.

According to GRIT, there are some real entities claimed by the gang, including Germany’s BASF, Taiwan’s Foxconn, the UK’s GlaxoSmithKline, Japan’s Hitachi, South Korea’s Hyundai Heavy Industries, and France’s TotalEnergies. But Baker said that in at least two instances he was aware of, alleged victims had said they experienced no intrusion, found no ransom note, and had had no direct communication with the cyber criminals.

“The victims claimed by 0APT are a mix of wholly fabricated generic company names and recognisable organisations which threat actors have not breached. GRIT has observed no evidence that these victims were impacted by a threat actor associated with 0APT, including through first-hand reporting,” wrote Baker.

“0APT is likely operating in this deceptive manner in order to support extortion of uninformed victims, re-extortion of historic victims from other groups, defrauding of prospective affiliates, or to garner interest in a nascent RaaS group.”

Potential threat

If 0APT is indeed seeking to lay the groundwork for a cyber crime spree, its activity still bears scrutiny, said Baker, who noted that legitimate attacks in the future could not be ruled out. And Ramesh and Jayapaul said that, its amusingly farcical debut notwithstanding, 0APT was not technically incompetent by any means.

“Our investigation confirms that the operators behind 0APT are running an active RaaS platform with functional malicious payloads and a working affiliate model,” they said.

“The early bluff may have been intended to quickly build a reputation and attract a larger pool of partners, but it likely had the opposite effect, damaging credibility rather than strengthening it.

“Regardless, the group is now clearly moving forward with efforts to establish a legitimate cyber criminal operation,” they added.