Multiple security researchers are concluding that victim lists and data leaks are fabrications, with no real intrusions evidenced.

A newly emerged cybercrime group calling itself 0APT has been exposed as probably a scam operation that never actually breached most of the organizations it claimed to have compromised, according to multiple security researchers.

The group surfaced on 28 January this year and rapidly listed more than 200 alleged victims on its dark web leak site, only to vanish briefly in early February before reappearing with a shorter roster of roughly 15 multinational organizations.

Among the names listed was Epworth HealthCare, Victoria’s largest private hospital group, which the group claimed had leaked 920 gigabytes of sensitive clinical and billing information. Epworth stated it had found no verified evidence of a breach, and that specialist partners had detected no compromise of its systems.

Analysts also noted that 0APT has included obviously fictional entities, such as a “Metropolis City Municipal” apparently inspired by DC Comics, before quietly removing them to appear more credible.

Threat researcher analyses
One firm — GuidePoint Security — has assessed with high confidence that 0APT’s victim lists are a mix of completely invented company names and real organizations that were never breached, noting there is no evidence the group has successfully intruded into these entities’ networks. In at least two cases where firms engaged incident‑response teams, investigators found no indicators of compromise, ransom notes, or any signs of a real attack.

Another firm, DataBreaches.net (and others cybersecurity researchers) has discovered that 0APT’s supposed “data dumps” were not stolen files but infinite streams of random binary noise, likely piped directly from the Unix /dev/random source to victims’ browsers, creating the illusion of large encrypted archives. The files, often advertised as tens of gigabytes, were in fact unstructured digital static with no internal emails, customer records, or meaningful corporate data.

Researchers have also pointed out that 0APT’s playbook closely resembles that of earlier fraud groups:

  • The operation initially demands a 1‑bitcoin “security bond” from would‑be affiliates, a tactic previously used by the 2024 Mogilevich scam, whose operators later confessed to being “professional fraudsters” who had defrauded other cybercriminals out of about US$85,000.
  • Similar patterns are seen in the RansomedVC group, which researcher Jon DiMaggio had documented as fabricating stolen data to extort victims.

While analysts currently treat 0APT as a largely fabricated threat, they nevertheless warn that the underlying actors could still launch genuine attacks in the future. Organizations affected should verify any ransomware claims through technical evidence rather than leak‑site listings alone.