0APT Ransomware Group Claims 200 Victims Using Fabricated Leak Site

What happened

A ransomware operation called 0APT emerged on the dark web in January 2026, claiming to have breached more than 200 organizations and advertising its services through a Ransomware-as-a-Service (RaaS) platform. Researchers from GuidePoint Security, Halcyon, SOCRadar, and The Raven File found that the victim listings were fabricated and contained no real stolen data, even though the leak site displayed file trees and download options for each entry. The group built a functional leak site, ransomware builder tools, and affiliate recruitment infrastructure designed to attract cybercriminals. Affiliates could generate ransomware samples targeting Windows, Linux, and macOS, while the operators collected fees from participants who believed they were joining a legitimate ransomware operation. One actor reportedly defrauded affiliates of at least $85,000.

Who is affected

Cybercriminal affiliates who paid to join the 0APT Ransomware-as-a-Service platform were the ones actually harmed by the fraudulent operation; none of the organizations listed as victims on the leak site were confirmed to have been breached.

Why CISOs should care

Ransomware operations built on fabricated breach claims show how the ransomware ecosystem continues to evolve: deceptive infrastructure can distribute working ransomware tooling and recruit affiliates even when its victim listings are fake, so a leak site entry by itself is not evidence that an organization has been breached.

3 practical actions

  • Verify breach claims through official channels. Confirm any incident through direct forensic evidence in your own environment rather than relying solely on leak site listings.
  • Monitor for 0APT ransomware indicators. The ransomware binaries produced by the group's builder are functional, remain available, and could be used in real attacks.
  • Track emerging ransomware infrastructure. Identify malicious leak sites and affiliate recruitment platforms associated with ransomware groups.