In late January 2026, a brand-new ransomware operation known as 0APT appeared on the dark web, claiming to have compromised more than 200 organizations in its first week. To attract affiliates, the group created a legitimate data leak website on a phony TOR domain and advertised itself as Ransomware-as-a-Service.

With no real stolen data available, security researchers soon discovered that almost all of the reported victims were fake. Instead of extorting legitimate organizations, the operation seems intended to defraud would-be cybercriminals. The 0APT group constructed complex infrastructure, such as a working RaaS panel, chat systems for negotiations, and a data leak website driven by NGINX servers. Each victim listing displayed file trees purportedly holding gigabytes of corporate data.

When researchers attempted to download files, they found that file trees that should only be kilobytes in size were unreasonably large—they exceeded 4GB. After five minutes, the downloads automatically ended. Analysts at THE RAVEN FILE determined that this was a purposeful deception strategy that produced the appearance of successful breaches without providing accurate information.

After conducting investigations, several cybersecurity companies, including SOCRadar, Halcyon, and GuidePoint Security, discovered no proof that the listed organizations had experienced real breaches. Epworth HealthCare, one of the alleged victims, openly declared that they could find no compromise. Researchers found that fictional entities inspired by DC Comics, like "Metropolis City Municipal," were listed by 0APT. According to reports, the group added 91 victims in two days, far exceeding the claim rate of well-known ransomware operations.

[Image: Operation center (Reference: The Raven File)]

The Deception Strategy of RaaS Panels

When researchers gained access to the RaaS panel, the operation's actual goal became clear. With support for Windows, Linux, and macOS, the platform enabled affiliates to create five ransomware samples per account. Linux binaries were 1.3MB in size, whereas Rust-compiled Windows executables were 5.6MB.

AES256, Salsa20/ChaCha, and the uncommon Speck cipher linked to AI-generated code were among the encryption algorithms used in these samples. The generated ransomware adds the 0apt extension to files, after which README0apt.txt, which contains distinct victim identifiers, is dropped. Through conspicuous "JOIN RAAS" notifications, the operation attracted affiliates and collected fees from cybercriminals who thought they had joined a prosperous ecosystem. According to reports, one actor defrauded at least $85,000 from criminals who were interested.

[Image: 0APT RaaS Panel (Source: The Raven File)]

[Image: Check for Security (Source: The Raven File)]

Technical documentation, admin support, negotiation chat, and payment tracking were all included in the panel. The entire victim list was designed to draw in paying affiliates, even though the malware works when it is executed. Before reacting to ransom demands, security teams should verify breach claims via official channels.

Listings on leak sites should be regarded as possibly fake if they lack authentic ransom notes, encrypted files, or direct communication. Because functional ransomware binaries are still in circulation, organizations are advised to keep an eye out for 0APT indicators of compromise.
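A host-side check for the two artifacts named above (files carrying the 0apt extension and the README0apt.txt note) gives a team direct evidence to weigh against an unverified leak-site listing. The sketch below is an added example, not code from The Raven File or any vendor; it assumes the extension is appended as a `.0apt` suffix and matched case-insensitively, and its triage labels are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article; the ".0apt" suffix form and
# case-insensitive matching are assumptions.
ENCRYPTED_SUFFIX = ".0apt"
NOTE_NAME = "readme0apt.txt"


def scan_for_0apt(root):
    """Walk root and collect ransom notes and files carrying the 0apt extension."""
    notes, encrypted = [], []
    # onerror swallows unreadable directories so one denied folder does not stop the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(Path(dirpath) / name)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(Path(dirpath) / name)
    return {"notes": sorted(notes), "encrypted": sorted(encrypted)}


def verdict(result):
    """Map findings to a triage label (labels are hypothetical, not from the article)."""
    if result["notes"] and result["encrypted"]:
        return "host-evidence"      # both artifacts present: escalate to incident response
    if result["notes"] or result["encrypted"]:
        return "partial-evidence"   # one artifact only: investigate before concluding
    return "no-host-evidence"       # a leak-site listing alone remains unverified


def demo():
    """Build a constructed directory tree and scan it (sample data, not real victim files)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "finance"
        share.mkdir()
        (share / "budget.xlsx.0apt").write_bytes(b"constructed")
        (share / "README0apt.txt").write_text("constructed note, victim id PLACEHOLDER")
        (share / "untouched.docx").write_bytes(b"constructed")
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / "notes.txt").write_text("constructed")
        hit = scan_for_0apt(share)
        return verdict(hit), len(hit["encrypted"]), verdict(scan_for_0apt(clean))


if __name__ == "__main__":
    print(demo())
```

A "no-host-evidence" result on one machine does not clear an environment; run the sweep across file servers and endpoints before treating a listing as fake.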