0APT Ransomware Group Exposed as Scam Despite Sophisticated Infrastructure
The 0APT ransomware group surfaced on the Dark Web on January 28, 2026, quickly drawing attention by claiming 200 victims, a figure cybersecurity researchers now dismiss as fraudulent. Unlike legitimate ransomware operations, 0APT’s data leak site (DLS), hosted on a TOR domain (secured by Cloudflare and CDNJS), contains no verifiable evidence of breaches. Most "leaked" files, advertised at 4GB each, fail to download, with transfers halting after five minutes due to bandwidth limitations. The absence of screenshots or tangible proof, standard in real ransomware campaigns, further undermines the group’s credibility.
Despite the deception, 0APT’s infrastructure reveals technical ambition. The group operates a Ransomware-as-a-Service (RaaS) panel, allowing affiliates to generate custom payloads for Windows, Linux, and macOS via a "Generate New Payload" feature (limited to five samples per account). The malware employs AES-256 encryption, renames files with a .0apt extension, and drops a ransom note (README0apt.txt) with a unique victim ID. Builds are compiled using Visual C++ (Windows) and GCC (Linux), incorporating obfuscation techniques like RC4 PRGA. A now-removed "Submit Details" feature hinted at attempts to log compromised hosts, though operational instability suggests the group’s efforts remain unproven.
Researchers, including those from The Raven File, conclude that 0APT’s campaign is a scam designed to inflate its reputation within the ransomware ecosystem. While the group’s tools exhibit cross-platform sophistication, the lack of verifiable attacks and the implausible scale of claimed victims expose the operation as a deceptive publicity stunt. The TOR-based RaaS panel (accessible via raasdash.php) and chat links (COCHAT for admins, JOCHAT for affiliates) remain active, though no legitimate activity has been confirmed.
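The file indicators the article attributes to 0APT builds, the .0apt extension and the README0apt.txt ransom note, can be turned into a simple host triage check. The following is an added example, not code from the cited report or its researchers; the event-log format, the 60-second window and the three-file threshold are assumptions, and the sample events are constructed.

```python
# Added example: flag hosts whose file events match the 0APT indicators
# named in the article. Event format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath, PureWindowsPath

ENCRYPTED_EXT = ".0apt"          # extension from the article
RANSOM_NOTE = "readme0apt.txt"   # note name from the article, lower-cased

# Constructed sample events: "<ISO time> <host> <action> <path>"
SAMPLE_EVENTS = r"""
2026-02-01T10:00:01 ws-01 rename C:\Users\a\Documents\q1 report.docx.0apt
2026-02-01T10:00:02 ws-01 rename C:\Users\a\Documents\budget.xlsx.0apt
2026-02-01T10:00:05 ws-01 rename C:\Users\a\Pictures\scan.png.0apt
2026-02-01T10:00:06 ws-01 create C:\Users\a\Documents\README0apt.txt
2026-02-01T09:00:00 srv-02 create /srv/samples/test.bin.0apt
2026-02-01T11:30:00 srv-02 create /srv/samples/other.bin.0apt
2026-02-01T12:00:00 ws-03 create C:\Temp\README0apt.txt
2026-02-01T12:05:00 ws-04 rename C:\Users\b\notes.txt
"""

def basename(path):
    # Handle both Windows and POSIX paths, since builds target both.
    cls = PureWindowsPath if "\\" in path else PurePosixPath
    return cls(path).name.lower()

def detect(events_text, min_files=3, window=timedelta(seconds=60)):
    per_host = defaultdict(lambda: {"times": [], "note": False})
    for line in events_text.splitlines():
        parts = line.split(maxsplit=3)   # path may contain spaces
        if len(parts) != 4:
            continue
        ts, host, action, path = parts
        name = basename(path)
        if name == RANSOM_NOTE:
            per_host[host]["note"] = True
        elif name.endswith(ENCRYPTED_EXT) and action in ("rename", "create"):
            per_host[host]["times"].append(datetime.fromisoformat(ts))
    findings = {}
    for host, st in per_host.items():
        times = sorted(st["times"])
        # Largest number of .0apt files appearing within one window.
        burst = max((sum(1 for t in times[i:] if t - times[i] <= window)
                     for i in range(len(times))), default=0)
        if st["note"] and burst >= min_files:
            findings[host] = "high"      # note plus rapid mass rename
        elif st["note"] or burst >= min_files:
            findings[host] = "medium"    # one indicator only
    return findings
```
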
Source: https://cyberpress.org/0apt-ransomware-claims-200-attacks/
0APT TPRM report: https://www.rankiteo.com/company/intel-471
{
  "id": "int1771338875",
  "linkid": "intel-471",
  "type": "Ransomware",
  "date": "1/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'attack_vector': 'Ransomware-as-a-Service (RaaS) Panel',
 'data_breach': {'data_encryption': 'AES-256'},
 'date_detected': '2026-01-28',
 'description': "The 0APT ransomware group surfaced on the Dark Web on January 28, 2026, claiming 200 victims, but cybersecurity researchers dismiss these claims as fraudulent. The group's data leak site (DLS) lacks verifiable evidence of breaches, with most advertised files failing to download. Despite this, 0APT operates a technically ambitious Ransomware-as-a-Service (RaaS) panel, allowing affiliates to generate custom payloads for Windows, Linux, and macOS using AES-256 encryption. The operation is deemed a scam designed to inflate the group's reputation within the ransomware ecosystem.",
 'impact': {'systems_affected': ['Windows', 'Linux', 'macOS']},
 'investigation_status': 'Ongoing',
 'lessons_learned': "The 0APT ransomware group's operation highlights the prevalence of scams within the ransomware ecosystem, where groups may inflate their reputation without verifiable attacks. Despite sophisticated infrastructure, the lack of tangible evidence underscores the importance of verifying claims before responding to ransomware threats.",
 'motivation': 'Reputation Inflation / Scam',
 'post_incident_analysis': {'corrective_actions': ['Enhance threat intelligence to identify and expose fraudulent ransomware groups.',
                                                   'Improve verification processes for ransomware claims.'],
                            'root_causes': 'Fraudulent claims and lack of verifiable evidence suggest the 0APT group is a scam operation designed to inflate its reputation.'},
 'ransomware': {'data_encryption': 'AES-256', 'ransomware_strain': '0APT'},
 'recommendations': ['Verify the legitimacy of ransomware claims before taking action.',
                     'Monitor Dark Web forums for fraudulent ransomware groups.',
                     'Implement multi-layered security measures to defend against potential ransomware attacks.',
                     'Educate stakeholders on the risks of ransomware scams and the importance of evidence-based responses.'],
 'references': [{'source': 'The Raven File'}],
 'threat_actor': '0APT Ransomware Group',
 'title': '0APT Ransomware Group Exposed as Scam Despite Sophisticated Infrastructure',
 'type': 'Ransomware Scam'}