Why ‘0APT’ Allegedly Faked 200 Leak-Site Victims, According to GuidePoint GRIT

A new report from GuidePoint’s Research and Intelligence Team suggests a threat actor group created a phony list of victims. Here are the lessons midmarket security teams can learn from the findings.

A threat actor group claimed to have breached a list of companies, but an assessment from GuidePoint Security’s Research and Intelligence Team (GRIT) found no evidence that these victims were attacked by the group.

The threat actor group “0APT” surfaced as a data leak site in late January 2026, according to GRIT’s report. The group claimed 200 victims in one week upon its emergence.

However, GRIT said it found “no evidence” that the claimed victims were “impacted by a threat actor associated with ‘0APT’ including through first-hand reporting.”

“Multiple amateur threat researchers and ‘OSINT’ accounts on social media have reached the conclusion that 0APT is a ‘fabrication,’ citing unverifiable and potentially AI-generated victim names peppered with real businesses, and the absence of evidence of ongoing or historical operations,” the report read.

Diabolical Reasons Threat Actors Create Fake Victims

In 2024, Microsoft reported there were 600 million attacks daily from cybercriminals and nation-state actors against the Microsoft ecosystem alone. While it’s difficult to confirm current data on the average number of attacks against businesses per day, AI has clearly ramped up the cadence at which these attacks are carried out.

With many millions of confirmed victims of cybercrime, why would any threat actor group need to bluff about their victim count?

Ransomware-as-a-Service affiliate programs are a big motivator, the report asserted.

These groups look to recruit hackers through what are essentially dark web job boards.

They often collect application fees from would-be hackers, GRIT found. By boosting its victim count and prominence, 0APT looked for recruits willing to cough up a pay-to-wreak-havoc fee.

One threat actor “claimed to have defrauded interested cybercriminals out of at least $85,000,” the report stated.

Other reasons threat actors fabricate their victim lists include re-extorting real past victims and attracting attention for later-stage operations.

Midmarket Takeaways From ‘GRITREP 0APT and the Victims Who Weren’t’ Report

Attackers want to sow confusion in IT leaders’ minds. If you see your organization on any security leak site, don’t assume you have been breached without conducting a thorough investigation.

GRIT says: “Without a ransom note, encrypted files, or direct attacker communication, a leak‑site listing is ‘almost certainly fabricated.’”

GRIT said that these groups often “rebrand” or “splinter,” continuing operations under a new name and artificially inflating their victim hit numbers.

Activate an Incident Response Retainer, “a pre-arranged agreement between an organization and a cybersecurity provider, ensuring rapid and expert assistance in the event of a cyberattack,” according to cybersecurity firm eSentire.