Lizzie Clark

February 11th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s cybersecurity and dark web news stories discuss 0apt using fake ransomware victim data, CL0P’s extortion strategy becoming less effective, and hackers targeting defence sector employees.

How 0apt is Using Random Noise to Fake a Ransomware Empire

The cyber threat landscape has witnessed a new type of deception with the emergence of the group calling itself 0apt, which has managed to fake a massive ransomware empire purely through bluff. Surfacing with an audacious hit list of 190 companies, 0apt quickly pivoted from low-tier victims to including “blue chip” corporate titans like Keysight Technologies, Hologic, and The Mayo Clinic.

However, analysis reveals the operation is a sophisticated scam built on “white noise.” When an analyst or victim attempts to download the alleged stolen data from the group’s leak site, they receive an endless stream of random bytes, most likely read straight from a system randomness source such as /dev/random.

This tactic creates a powerful illusion: to a network monitor, the data appears exactly like a massive, encrypted file, and with the file size masked to look like hundreds of gigabytes, the notoriously slow Tor network ensures an analyst spends days or even a week capturing a mountain of useless binary static.

The technical deception is further aided by the lack of “magic bytes,” the leading byte signatures that identify a genuine file type such as an archive or database. 0apt is weaponizing corporate fear, betting that for Fortune 500 companies the PR crisis and the threat to the stock price are sufficient leverage to authorize a payment just to get their name off the list, even though the stolen data does not exist.

By flooding the zone with “victims,” they also gamed automated security tracking systems, accidentally amplifying their bluff. Ultimately, 0apt is more of a carnival barker than a sophisticated hacker, and the best defense is simply a healthy dose of skepticism.
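The skepticism described above can be turned into a concrete triage step. The following is an added example (not code from the article or from any vendor mentioned in it): it reads only a bounded prefix of a purported “leak” download, checks that prefix for the magic bytes of the container formats a real data dump is normally shipped in, and measures its Shannon entropy. Function names such as `triage_sample()`, the `MAGIC_BYTES` table and the 64 KiB sample size are this example’s own choices, and the two sample streams are constructed stand-ins rather than captured data.

```python
"""Triage a purported "stolen data" download from a bounded prefix only.

Added example, not from the original article. Names such as triage_sample()
and MAGIC_BYTES are this example's own assumptions.
"""
import io
import math
import os
from collections import Counter

# Well-known leading byte signatures for container formats a genuine dump is
# usually delivered in. Random noise will not start with any of these.
MAGIC_BYTES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"%PDF-": "pdf",
    b"SQLite format 3\x00": "sqlite",
}

# Only this many bytes are ever read, so an endless "hundreds of gigabytes"
# stream cannot tie up the analyst: the verdict comes before a full download.
SAMPLE_SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 are indistinguishable from random noise."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def identify_magic(data: bytes):
    """Return the format name if the prefix starts with a known signature, else None."""
    for sig, name in MAGIC_BYTES.items():
        if data.startswith(sig):
            return name
    return None


def triage_sample(stream, sample_size: int = SAMPLE_SIZE) -> dict:
    """Read a bounded prefix from a file-like object and classify it.

    Verdict is "likely_noise" when no container signature is present and the
    bytes look uniformly random, otherwise "needs_review".
    """
    sample = stream.read(sample_size)
    fmt = identify_magic(sample)
    entropy = shannon_entropy(sample)
    # Encrypted archives are high-entropy too, so entropy alone is not a verdict;
    # the missing container signature is the discriminating clue.
    likely_noise = fmt is None and entropy > 7.9
    return {
        "bytes_sampled": len(sample),
        "format": fmt,
        "entropy": round(entropy, 3),
        "verdict": "likely_noise" if likely_noise else "needs_review",
    }


def constructed_noise_stream():
    """Constructed stand-in for an endless random-byte 'leak' (os.urandom-backed)."""
    return io.BytesIO(os.urandom(4 * SAMPLE_SIZE))


def constructed_archive_stream():
    """Constructed stand-in for a real dump: a zip local-file header followed by payload."""
    header = b"PK\x03\x04" + b"\x14\x00\x00\x00\x08\x00"
    return io.BytesIO(header + os.urandom(SAMPLE_SIZE))


if __name__ == "__main__":
    print("noise   :", triage_sample(constructed_noise_stream()))
    print("archive :", triage_sample(constructed_archive_stream()))
```

A “likely_noise” verdict is a triage signal, not proof: a genuine dump that was encrypted without any container header would look the same, so the result should prompt a request for a verifiable sample (a few named records or file listings) before anyone spends days pulling the full stream over Tor.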

Why Zero-Day Downstream Mass Data Extortion Campaigns are Losing Their Effectiveness

The financial returns from large-scale, data-exfiltration-only extortion campaigns – a playbook perfected by the CL0P ransomware gang – are eroding significantly. The CL0P campaign against Oracle E-Business Suite in Q4 2025 generated one of the lowest levels of victim engagement and monetization observed across any of their prior incidents.

This decline is due to enterprises maturing their understanding of breach consequences. They have realized that paying a ransom to suppress stolen data offers diminishing utility: it does not eliminate legal or regulatory notification obligations, does not prevent litigation, and does not reliably stop threat actors from retaining the data and re-extorting the victim years later. Ransom payment rates have continued their long-term decline, reaching a new historical low of approximately 20% overall in Q4 2025, with Data Exfiltration-Only (DXF-only) payment rates remaining structurally low at around 25%.

While payments remain low, the Average Ransom Payment ($591,988) and Median Ransom Payment ($325,000) both saw significant spikes. However, these increases were not driven by data theft pressure, but by isolated, high-impact incidents where business interruption due to encryption could not be mitigated.

As the economics of data extortion weaken, experts anticipate threat actors will pivot back to their data encryption roots, which has historically been a more effective lever to force payment.

State-Sponsored Cyber-Espionage Escalates

A new report from Google reveals a significant escalation in state-sponsored cyber-espionage, with defense companies, their employees, and even their hiring processes becoming prime targets. This “relentless barrage” of cyber operations is aimed squarely at US and EU industrial supply chains, ranging from German aerospace firms to UK carmakers, indicating a broadening of the industrial base under attack.

Analysts from Google’s threat intelligence group note a shift toward more “personalized” and “direct to individual” attacks, which are harder to detect because they occur outside corporate networks, on personal systems. Extortion attacks are also increasingly targeting smaller companies not directly in the defense supply chain, such as those making cars or ball bearings.

Recent activity shows the breadth of the threat. Russian intelligence-linked groups, for example, spoofed the websites of hundreds of leading defense contractors across nine countries to steal information, and have also developed sophisticated techniques to compromise the Signal and Telegram accounts of Ukrainian military personnel and officials. Attacks in Ukraine have been highly targeted, including impersonating drone builders and training courses to compromise frontline drone units. Ukrainian authorities recorded a 37% increase in cyber incidents from 2024 to 2025.

A major theme is the exploitation of large companies’ hiring processes. North Korean hackers have impersonated corporate recruiters, used AI to profile employees extensively, and successfully placed “remote IT workers” in over 100 US companies to fund the North Korean government through stolen salaries and cryptocurrency. Iranian state-sponsored groups created spoof job portals and fake job offers to steal the credentials of defense and drone firms. Additionally, the China-linked group APT5 targeted aerospace and defense employees with highly tailored emails and messaging based on geographical location, personal life (such as fake Boy Scouts communications for parents), and professional roles. The integration of Western technologies and investments into Ukraine means the pool of potential victims now includes employees of foreign companies, contractors, and consultants involved in Ukraine-related projects, underscoring that this is a growing transnational security issue.