A newly-operational ransomware-as-a-service (RaaS) gang that emerged during January 2026 has made waves after publishing the names – and partial data – of almost 200 victims in quick succession, but ransomware experts say the criminal operation may not be all it’s cracked up to be.
According to data gleaned by the Halcyon Ransomware Research Center, as of 5 February, the majority of the alleged victims were located in the US, followed by the UK and India.
The publication of so many victims in quick succession is not unprecedented – the Cl0p operation, famous for the mass exploitation of victims such as during the MOVEit incident of 2023, has often published in bulk.
However, deeper analysis of 0APT’s claims by multiple researchers reveals that the gang is almost certainly bluffing.
Rahul Ramesh and Reegun Jayapaul of the Cyderes Howler Cell team, said there were significant doubts surrounding the credibility of 0APT’s victim claims.
“Claiming around 200 victims in a compressed time window, without supporting artifacts, is operationally inconsistent with observed ransomware group behavior,” they explained. “Mature groups typically stagger disclosures and provide proof of compromise to strengthen negotiation leverage. In this case, the announcements appear rapid and unsupported.”
Ramesh and Jayapaul also said the gang’s leak site raised concerns regarding the authenticity of the data it claimed to have stolen. They said that although the leak section advertises downloadable file trees, the actual files are far larger than would be expected and seem to be structured to create an impression of large-scale data theft – when they can be downloaded at all, they essentially seem to comprise mostly random junk disguised as a .zip archive or .pdf file.
There are also, they observed, no screenshots of compromised data displayed on the site – a fairly standard practice in the ransomware underground – which further weakens the credibility of 0APT’s claims.
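The "junk disguised as a .zip or .pdf" observation above can be reduced to a quick analyst check: does a downloaded sample carry the expected magic bytes, does it parse as the format it claims to be, and how random are its contents? The following is an added example (not code from Cyderes, GRIT or the article) that runs that check over constructed samples; the file names and sample contents are assumptions for illustration.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Leading magic bytes for the two formats the leak site advertised.
MAGIC = {".zip": b"PK\x03\x04", ".pdf": b"%PDF-"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for uniformly random data, lower for real documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def zip_is_wellformed(data: bytes) -> bool:
    """True only if the central directory parses and every member's CRC checks out."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None and len(zf.namelist()) > 0
    except (zipfile.BadZipFile, OSError, RuntimeError):
        return False

def pdf_is_wellformed(data: bytes) -> bool:
    """Minimal structural check: header, at least one object, and an EOF marker."""
    return data.startswith(b"%PDF-") and b" obj" in data and data.rstrip().endswith(b"%%EOF")

def assess_leak_sample(data: bytes, claimed_ext: str) -> dict:
    """Classify a downloaded 'leak' file as wellformed, disguised-junk or junk."""
    ext = claimed_ext.lower()
    checker = {".zip": zip_is_wellformed, ".pdf": pdf_is_wellformed}.get(ext)
    if checker is None:
        raise ValueError(f"unsupported extension: {claimed_ext}")
    magic_ok = data.startswith(MAGIC[ext])
    structure_ok = checker(data)
    if structure_ok:
        verdict = "wellformed"
    elif magic_ok:
        verdict = "disguised-junk"  # right header pasted on, nothing real behind it
    else:
        verdict = "junk"
    return {"magic_ok": magic_ok, "structure_ok": structure_ok,
            "entropy": round(shannon_entropy(data), 2), "verdict": verdict}

def build_samples() -> dict:
    """Constructed test inputs: one real zip, one real PDF, and three kinds of junk."""
    rng = random.Random(1234)  # deterministic stand-in for random leak-site filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("memo.txt", "Constructed sample memo\n" * 40)
    real_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    junk = rng.randbytes(4096)
    return {"real.zip": buf.getvalue(), "real.pdf": real_pdf, "junk.zip": junk,
            "fake.zip": b"PK\x03\x04" + junk, "fake.pdf": b"%PDF-1.7\n" + junk}
```

A genuine archive can have high entropy too (compressed data is close to random), so the verdict hinges on structural validity, with entropy only as supporting context.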
But beyond the junk data, there is credible evidence that many of the victims themselves may not even exist. Indeed, screengrabs shared by Jason Baker of GuidePoint Security’s Research and Intelligence (GRIT) team reference one victim, Metropolis City Municipal, from which 0APT claimed to have stolen city planning documents, vendor payments and internal memos.
While there is a real Metropolis, in southern Illinois, it is a small town of barely 7,000 people and there is no indication it has been hit by a ransomware attack. 0APT’s use of the name is almost certainly a reference to the DC Comics Superman franchise – and it has since been removed from the leak site.
According to GRIT, there are some real entities claimed by the gang, including Germany’s BASF, Taiwan’s Foxconn, the UK’s GlaxoSmithKline, Japan’s Hitachi, South Korea’s Hyundai Heavy Industries, and France’s TotalEnergies. But Baker said that in at least two instances he was aware of, alleged victims had said they experienced no intrusion, found no ransom note, and had had no direct communication with the cyber criminals.
“The victims claimed by 0APT are a blend of wholly fabricated generic company names and recognisable organisations which threat actors have not breached. GRIT has observed no evidence that these victims were impacted by a threat actor associated with 0APT, including through first-hand reporting,” wrote Baker.
“0APT is likely operating in this deceptive manner in order to support extortion of uninformed victims, re-extortion of historical victims from other groups, defrauding of potential affiliates, or to garner interest in a nascent RaaS group.”
Potential threat
If 0APT is indeed seeking to lay the groundwork for a cyber crime spree, its activity still bears scrutiny, said Baker, who noted that legitimate attacks in the future could not be ruled out. And Ramesh and Jayapaul said that its amusingly farcical debut notwithstanding, 0APT was not technically incompetent by any means.
“Our investigation confirms that the operators behind 0APT are running an active RaaS platform with functional malicious payloads and a working affiliate model,” they said.
“The early bluff may have been intended to quickly build a reputation and attract a larger pool of partners, but it likely had the opposite effect, damaging credibility rather than strengthening it.
“Regardless, the group is now clearly moving forward with efforts to establish a legitimate cyber criminal operation,” they added.
