A newly operational ransomware-as-a-service (RaaS) gang that emerged during January 2026 has made waves after publishing the names – and partial data – of almost 200 victims in quick succession, but ransomware experts say the criminal operation may not be all it’s cracked up to be.

According to data gleaned by the Halcyon Ransomware Research Center, as of 5 February, the majority of the alleged victims were located in the US, followed by the UK and India.

The publication of so many victims in quick succession is not unprecedented – the Cl0p operation, famous for the mass exploitation of victims such as during the MOVEit incident of 2023, has often published in bulk.

However, deeper analysis of 0APT’s claims by multiple researchers reveals that the gang is almost certainly bluffing.

Rahul Ramesh and Reegun Jayapaul of the Cyderes Howler Cell team said there were significant doubts surrounding the credibility of 0APT’s victim claims.

“Claiming around 200 victims in a compressed time window, without supporting artefacts, is operationally inconsistent with observed ransomware group behaviour,” they said. “Mature groups typically stagger disclosures and provide proof of compromise to strengthen negotiation leverage. In this case, the announcements appear rapid and unsupported.”

Ramesh and Jayapaul also said the gang’s leak site raised concerns regarding the authenticity of the data it claimed to have stolen. They said that although the leak section advertises downloadable file trees, the actual files are far larger than would be expected and seem to be structured to create an impression of large-scale data theft – when they can be downloaded at all, they essentially seem to comprise mostly random junk disguised as a .zip archive or .pdf file.

There are also, they observed, no screenshots of compromised data displayed on the site – a fairly standard practice in the ransomware underground – which further weakens the credibility of 0APT’s claims.

But beyond the junk data, there is credibly evidence that many of the victims themselves may not even exist. Indeed, screenshots shared by Jason Baker of GuidePoint Security’s Research and Intelligence (Grit) team reference one victim, Metropolis City Municipal, from which 0APT claimed to have stolen city planning documents, supplier payments and internal memos.

While there is a real Metropolis, in southern Illinois, it is a small town of barely 7,000 people and there is no indication it has been hit by a ransomware attack. 0APT’s use of the name is almost certainly a reference to the DC Comics Superman franchise – and it has since been removed from the leak site.

According to Grit, there are some real entities claimed by the gang, including Germany’s BASF, Taiwan’s Foxconn, the UK’s GlaxoSmithKline, Japan’s Hitachi, South Korea’s Hyundai Heavy Industries and France’s TotalEnergies. But Baker said that in at least two instances he was aware of, alleged victims had said they experienced no intrusion, found no ransom note, and had no direct communication with the cyber criminals.

“The victims claimed by 0APT are a blend of wholly fabricated generic company names and recognisable organisations which threat actors have not breached,” he said. “Grit has observed no evidence that these victims were impacted by a threat actor associated with 0APT, including through first-hand reporting.

“0APT is likely operating in this deceptive manner in order to support extortion of uninformed victims, re-extortion of historical victims from other groups, defrauding of potential affiliates, or to garner interest in a nascent RaaS group.”

Read more on Hackers and cybercrime prevention

• 
  

  Warlock ransomware may be linked to Chinese state

  By: Alex Scroxton

• 
  

  Financially motivated cyber crime remains biggest threat source

  By: Alex Scroxton

• 
  

  Top 10 cyber crime stories of 2024

  By: Alex Scroxton

• 
  

  Emerging Ymir ransomware heralds more coordinated threats in 2025

  By: Alex Scroxton