0APT: How a Fake Ransomware Group Turned Fear of Data Breaches into an Extortion Tool

CyberSecureFox 🦊

At the end of January 2026, a previously unknown group calling itself 0APT appeared on the cybercrime landscape with unusually bold claims: within days, it allegedly compromised hundreds of major companies worldwide. Subsequent analysis, however, indicates that most of these statements were fabricated, pointing to a deliberate extortion and reputation-building campaign rather than a wave of real ransomware attacks.

0APT’s explosive debut and early signs of a ransomware bluff

Unlike typical ransomware operations, which start with a limited number of intrusions and scale up over months, 0APT immediately asserted that it had breached more than 200 organizations in its first week. For incident responders and threat intelligence teams, such “instant global success” is a strong anomaly and often a sign of exaggeration or outright fraud.

Researchers from the GuidePoint Research and Intelligence Team (GRIT) systematically reviewed 0APT’s victim list. Many of the named companies reported no evidence of intrusion, no disruption of infrastructure, and no indications of data exfiltration. GRIT’s assessment concluded that a substantial portion of the alleged victims were either completely fabricated or opportunistically selected from well-known brand names to amplify the group’s perceived impact.

Manipulated leak site: from 200+ “victims” down to a handful of names

On 28 January 2026, 0APT launched a dedicated data leak site to pressure alleged victims by threatening public exposure. The site immediately listed over 200 supposed breached companies, echoing the group’s initial claims. This tactic mirrors the “double extortion” model used by real ransomware gangs, where stolen data is published if ransoms are not paid.

However, on 8 February, after growing public scrutiny and questions from the security community about the authenticity of these breaches, the site abruptly went offline. When it reappeared the next day, the list had shrunk to roughly 15 organizations. Even among these remaining names, GRIT analysts noted that no technical artifacts, sample files, or proof-of-breach indicators were provided in many cases.

Experts described these lists as “fully fabricated victim sets populated with invented entities and recognizable global brands”, crafted to simulate a large-scale ransomware campaign without the underlying compromises that typically accompany such operations.

Technical theater: simulating a 20 GB “data leak” with /dev/random

To reinforce its narrative, 0APT used a simple but visually convincing technical trick. Its servers pushed a continuous stream of random bytes from /dev/random to visitors’ browsers, making it appear as though a 20 GB encrypted archive of stolen data was being downloaded.

For non-specialists, a large, apparently encrypted file transfer can look like compelling proof of a major data theft. In reality, /dev/random is a standard Unix/Linux interface that outputs meaningless random data. No customer records, intellectual property, or internal documents were involved—only noise. This tactic illustrates how cybercriminals can use “technical theater” to exploit the psychological impact of data breach fears, even when no real intrusion has occurred.
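A first-pass triage of the "proof" itself catches this kind of theater: a genuine leak archive almost always starts with a recognizable container header (zip, 7z, rar, gzip), whereas a raw /dev/random stream has no structure at all and near-maximal entropy. The script below is an added example, not code from the article or from any of the researchers it cites; the classification thresholds (0.9 printable ratio, 7.5 bits/byte) and the constructed sample inputs are assumptions for illustration, and it only inspects the first chunk of a download so a multi-gigabyte stream never needs to be saved in full.

```python
import math
import random
from collections import Counter

# Documented magic bytes of common archive containers (a real leak dump would
# normally carry one of these, even when the contents are encrypted).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
}
SAMPLE_BYTES = 64 * 1024  # only the head of the download is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input up to a maximum of 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sample(data: bytes) -> str:
    """Triage the head of a 'proof-of-leak' download.

    Returns 'container:<fmt>' when a known archive header is present,
    'text' for mostly printable content, 'opaque-noise' for header-less,
    near-random bytes (the /dev/random pattern), otherwise 'unknown'.
    A missing header is a signal, not proof: headerless ciphertext exists too.
    """
    head = data[:SAMPLE_BYTES]
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return f"container:{name}"
    if head:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head)
        if printable / len(head) > 0.9:  # assumed threshold
            return "text"
    if shannon_entropy(head) > 7.5:      # assumed threshold
        return "opaque-noise"
    return "unknown"


# Constructed inputs: deterministic pseudo-random noise standing in for a
# /dev/random stream, a fake zip header, and a plain CSV fragment.
NOISE = random.Random(0).randbytes(4096)
FAKE_ZIP = b"PK\x03\x04" + NOISE
CSV = b"id,email\n1,alice@example.com\n2,bob@example.com\n" * 50
```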

Re-extortion and old data: monetizing previous breaches as “new” incidents

Despite the lack of confirmed large-scale compromises, intelligence assessments suggest that 0APT is still attempting to generate revenue through re-extortion. In this model, threat actors leverage data that was stolen years earlier by other groups and is already circulating in underground markets or open breach repositories.

By selectively combining historic breach data with publicly available information, extortionists can convincingly claim a “fresh” compromise to organizations that do not maintain a detailed inventory of past incidents. This pattern mirrors the behavior of groups such as RansomedVC, which in 2023 reportedly purchased legacy data sets and rebranded them as recent leaks to demand new ransom payments.

For security teams, the challenge is that old but still sensitive data—for example, legacy employee records or aging customer databases—can be weaponized repeatedly if organizations do not track what has already been exposed.

Copying Mogilevich: from fake corporate hacks to RaaS-style scams

Analysts note strong parallels between 0APT and the tactics used by the group Mogilevich in 2024. Mogilevich drew attention by claiming to have breached Epic Games, only to later admit that it operated primarily as a fraud ring reliant on bluff and social engineering rather than on sophisticated intrusion operations.

Mogilevich also asserted that it compromised drone manufacturer DJI and reportedly extracted around 85,000 USD in cryptocurrency from a would-be buyer of the supposedly stolen data. The pattern is clear: high-profile victim claims, minimal technical proof, and a focus on monetizing fear and speculation.

0APT appears to borrow directly from this playbook. In addition to fake victim rosters and unsubstantiated leak claims, early versions of its website invited aspiring cybercriminals to join its operations—but only after paying a 1 Bitcoin “deposit”. Such up-front payments are a known hallmark of fraudulent ransomware-as-a-service (RaaS) schemes designed to exploit inexperienced attackers as much as corporate victims.

Implications for organizations: verifying extortion claims and reducing exposure

The 0APT case highlights a broader evolution in the cybercrime ecosystem: organizations now face threats not only from technically advanced ransomware but also from extortion-only operations built on deception. Security and legal teams must therefore evaluate both confirmed incidents and unverified ransom claims with equal rigor.

Effective defenses include implementing a structured extortion verification process. Key steps involve comparing any “proof-of-leak” samples against known historical breaches, consulting external threat intelligence providers, and maintaining an internal registry of prior compromises and publicly exposed data. Without this baseline, differentiating a genuine new intrusion from a re-extortion attempt becomes significantly more difficult.
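The registry step above can be made mechanical: keep only salted-free SHA-256 fingerprints of records already known to be exposed, so the registry itself holds no sensitive data, then measure how much of an extortionist's sample is already accounted for. This is an added example, not a tool from the article; the incident identifiers, sample records and verdict thresholds (90% known counts as likely re-extortion) are constructed assumptions.

```python
import hashlib
from collections import Counter


def fingerprint(record: str) -> str:
    """Normalize a record (trim, lower-case) and hash it; the registry stores
    only these digests, never the underlying personal data."""
    return hashlib.sha256(record.strip().lower().encode()).hexdigest()


def build_registry(past_incidents: dict[str, list[str]]) -> dict[str, str]:
    """Map fingerprint -> id of the earliest incident that exposed it."""
    registry: dict[str, str] = {}
    for incident_id, records in past_incidents.items():
        for rec in records:
            registry.setdefault(fingerprint(rec), incident_id)
    return registry


def assess_sample(sample: list[str], registry: dict[str, str]) -> dict:
    """Report how much of a 'proof-of-leak' sample is already-known exposure."""
    by_incident: Counter = Counter()
    unknown = 0
    for rec in sample:
        hit = registry.get(fingerprint(rec))
        if hit is None:
            unknown += 1
        else:
            by_incident[hit] += 1
    total = len(sample)
    known = total - unknown
    ratio = known / total if total else 0.0
    if total == 0:
        verdict = "no-sample"              # claim without proof: treat as unverified
    elif ratio >= 0.9:                     # assumed threshold
        verdict = "likely-re-extortion"    # recycled data dressed up as a new breach
    elif known == 0:
        verdict = "possible-new-exposure"  # nothing matches: escalate to IR
    else:
        verdict = "mixed-investigate"
    return {"total": total, "known": known, "unknown": unknown,
            "by_incident": dict(by_incident), "verdict": verdict}


# Constructed registry of two fictitious past incidents and a sample that an
# extortionist might present, mixing recycled records with one unknown one.
PAST_INCIDENTS = {
    "INC-2019-07": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "INC-2021-02": ["dave@example.com"],
}
REGISTRY = build_registry(PAST_INCIDENTS)
SAMPLE = ["Alice@Example.com ", "bob@example.com", "carol@example.com",
          "dave@example.com", "eve@example.com"]
```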

At the same time, foundational cybersecurity measures remain critical: timely patching, hardened remote access, multi-factor authentication, robust backup strategies, and employee training on recognizing phishing and extortion attempts. Public reporting from incident responders and blockchain analytics firms has shown that ransomware and extortion continue to generate hundreds of millions of dollars annually, underscoring the financial incentives behind both real and fake campaigns.

The emergence of 0APT is a reminder that modern cyber risk includes not only data theft, but also the manipulation of fear around potential leaks. Organizations that maintain an accurate record of past incidents, critically assess ransom demands, and invest in both technical controls and incident response planning are far less likely to fall victim—whether to a sophisticated intrusion or to a well-orchestrated bluff.
