0APT Ransomware Group Claims 200 Victims Using Fabricated Leak Site

What happened

A ransomware operation called 0APT emerged on the dark web in January 2026, claiming to have breached more than 200 organizations and advertising its services through a Ransomware-as-a-Service platform. Researchers from GuidePoint Security, Halcyon, SOCRadar, and The Raven File found that the victim listings were fabricated and did not contain real stolen data, despite showing file trees and download options. The group built a functional leak site, ransomware builder tools, and affiliate recruitment infrastructure designed to attract cybercriminals. Affiliates could generate ransomware samples targeting Windows, Linux, and macOS, while attackers collected fees from participants who believed they were joining a legitimate ransomware operation. One actor reportedly defrauded affiliates of at least $85,000.

Who is affected

Cybercriminal affiliates who joined the 0APT Ransomware-as-a-Service platform were affected by the fraudulent operation, while organizations listed as victims were not confirmed to have been breached. 

Why CISOs should care

The emergence of ransomware operations using fabricated breach claims highlights the evolving ransomware ecosystem, including deceptive infrastructure that distributes functional ransomware tools and attempts to attract affiliates. 

3 practical actions

  • Verify breach claims through official channels. Confirm incidents through direct forensic evidence rather than relying solely on leak site listings. 
  • Monitor for 0APT ransomware indicators. Functional ransomware binaries remain available and could be used in real attacks. 
  • Track emerging ransomware infrastructure. Identify malicious leak sites and affiliate recruitment platforms associated with ransomware groups.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.