How 0apt is Using Random Noise to Fake a Ransomware Empire


When the group calling itself 0apt surfaced on the dark web earlier this month, the numbers were a gut punch. Usually, a new ransomware operation builds its name slowly, one victim at a time. 0apt took a shortcut by posting a list of 190 companies all at once: a hit list that covered almost every major industry.

But as we started checking the group's claims, we found something strange. While the group initially populated its site with a string of low-tier, nameless "garbage" companies, it has recently pivoted to a much more dangerous game. The list now features some of the world’s most recognizable corporate titans, from medical technology leaders to defense contractors.

The group’s vibe-coded leak site is the usual minimalist page common on the dark web, offering a download button for each victim. Yet anyone who clicks it is walking into a trap, not of malware, but of wasted time. The downloads are infinite streams of random data, built on the fly. There are no folders of internal emails, no spreadsheets of customer data, and no social security numbers.

It is a scam built entirely on white noise.

The /dev/random Ruse

The trick is simple, but it works. According to researchers who watched the traffic, the group's servers are likely piping a stream of /dev/random (a standard computer tool for making random bits) straight into the user's browser.

This creates a solid illusion. To a network monitor, the jumble of data looks exactly like a massive, encrypted file. There are no "magic bytes," the digital signatures at the start of a file that tell a computer it is looking at a ZIP or a PDF, to give the game away.

Worse, the group masks the file size to look like hundreds of gigabytes. Because the Tor network is notoriously slow, an analyst can spend a week downloading what they think is a smoking gun, only to find they have spent days capturing a mountain of useless binary static.
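The two tells described above, no recognizable file signature and a stream that is generated rather than served, can be checked in minutes instead of a week. The following triage script is an added example and is not code from the article or from any tracker mentioned in it; it fetches only the first few kilobytes of a claimed dump twice and compares them, on the assumption (labelled in the code) that a real leak dump is packaged as a common archive whose bytes are the same on every request. The two "servers" are constructed stand-ins: one returns fresh random bytes per request, the other serves a small ZIP built in memory.

```python
"""Triage the first bytes of a claimed leak download before committing to a
long Tor transfer. Added example, not from the original article."""
import io
import math
import os
import zipfile
from collections import Counter
from typing import Callable, List, Tuple

# Signatures of the archive/document formats a leak dump is normally packaged in.
# Assumption: a genuine dump starts with one of these, even if the archive itself
# is password-protected (the container header is still in the clear).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
    b"%PDF": "pdf",
}

PREFIX_BYTES = 4096  # how much to pull per probe; tiny compared with a claimed 200 GB


def identify_magic(head: bytes):
    """Return the format name whose signature the prefix starts with, or None."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random data sits just under 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(fetch_prefix: Callable[[int], bytes],
           n: int = PREFIX_BYTES) -> Tuple[str, List[str]]:
    """Classify a download from two independent fetches of its first n bytes.

    fetch_prefix stands in for an HTTP request with a Range header (assumed
    interface). Verdicts: 'generated' (bytes change between requests, so
    nothing is being served from disk), 'unrecognized' (stable but no known
    container signature; review by hand), 'archive' (stable, known container).
    """
    head_a = fetch_prefix(n)
    head_b = fetch_prefix(n)
    findings = []

    ent = shannon_entropy(head_a)
    findings.append(f"prefix entropy {ent:.2f} bits/byte")

    if head_a != head_b:
        findings.append("re-fetched prefix differs: content is produced per request")
        return "generated", findings

    fmt = identify_magic(head_a)
    if fmt is None:
        findings.append("no known archive/document signature in prefix")
        return "unrecognized", findings

    findings.append(f"container signature: {fmt}")
    return "archive", findings


# --- constructed stand-ins for the two kinds of server -----------------------

def generated_noise_server(n: int) -> bytes:
    """Mimics a site piping /dev/random: every request yields new bytes."""
    return os.urandom(n)


def build_archive_server() -> Callable[[int], bytes]:
    """Builds a small ZIP of constructed sample data and serves its prefix."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export/sample.csv", "id,amount\n1,42.00\n2,17.50\n" * 50)
    data = buf.getvalue()
    return lambda n: data[:n]


if __name__ == "__main__":
    for label, server in (("noise site", generated_noise_server),
                          ("archive site", build_archive_server())):
        verdict, notes = triage(server)
        print(f"{label}: {verdict}")
        for note in notes:
            print(f"  - {note}")
```

The re-fetch comparison is the decisive check: a file on disk returns identical bytes for the same byte range on every request, while a stream spliced from /dev/random cannot. The entropy figure is reported but deliberately not used for the verdict, because the compressed or encrypted body of a genuine archive is just as high-entropy as noise; only the header and the repeatability separate the two.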

The Psychology of the Bluff

Why bother with a fake leak? The answer is corporate fear.

We are seeing a move toward commodifying the PR crisis. For a Fortune 500 company, the technical facts often matter less than the headline. If a company's name shows up on a leak site next to a 200GB download link, the stock price doesn't wait for a forensic team to check the file.

By upgrading their victim list to include "blue chip" names like Keysight Technologies, Hologic, Align Technology, and The Mayo Clinic, 0apt is deliberately raising the stakes. They are betting that for some of these victims, the risk of a "real" breach is too high to ignore. They are hoping a lawyer or a board of directors will authorize a payment just to get their name off the list, essentially paying a ransom for data that was never stolen.

A High-Volume Mirage

By flooding the zone with 190 "victims," 0apt also gamed the automated systems the security industry uses to track threats. News bots and data aggregators that scrape the dark web for new victims treated the 0apt list as fact, accidentally spreading the group's name and giving the bluff a sense of scale.

The reality is that 0apt is more of a carnival barker than a sophisticated hacker. They have no secret exploits, no access to corporate networks, and no leverage, as long as the victim is patient enough to see that the stolen data does not exist.

In the case of 0apt, the best defense isn't a better firewall but just a healthy dose of skepticism.

Update 02.05.26 06:00 am EST -

It seems 0apt has been removed from https://www.ransomware.live with the comment "The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly selected organizations. WE HAVE DECIDED TO REMOVE ENTRIES FOR THIS GROUP".