The Phantom Ransomware Group That Ran Off a Phone
A ransomware leak site went up in January 2026 under the name 0APT. Within its first week it posted more than 190 victim claims. On the screen that is the signature of a busy, capable, global ransomware-as-a-service operation — the kind that earns a row in every tracker and a bullet in every quarterly threat brief.
Here is what was actually behind the screen. Per Halcyon’s research, the whole thing was operating on an AnLinux-Parrot OS and pushing all content via an Android phone’s internal SD card. A phone. Not a botnet, not a resilient bulletproof-hosted panel — a handset running a Linux userland app off the SD card, posting victims faster than most real crews can encrypt them.
And the victims weren’t real either. Halcyon’s assessment is blunt: 0APT is a nominal threat to corporations with its limited operational capacity and fully fabricated victim entries. All 190-plus of those first-week entries — fabricated, with no evidence of data exfiltration. The leak site was a stage set. Anyone who counted 0APT in their Q1 ransomware numbers counted a phone.
The phone isn’t the story
It’s a good story. But the forensic absurdity is a distraction from the actual problem, and the actual problem is worse.
The problem is that 0APT was countable in the first place. A leak site is attacker-controlled media. It exists to manufacture pressure — on victims to pay, on affiliates to join, on journalists to write. The numbers on it are not measurements of anything. They are claims, published by the one party with the strongest possible incentive to inflate them, costing nothing to fabricate. 0APT’s marginal cost per “victim” was a few seconds of typing on a phone.
Those claims do not stay on the leak site. It is well established in the threat-intel community — though the precise mechanics vary by vendor and are rarely disclosed — that attacker-posted victim counts get ingested into ransomware trackers, then aggregated into trend lines, then into the “ransomware was up N% this quarter” slide that lands in a board deck. Each hop launders the claim a little cleaner. By the time it reaches leadership it has shed every qualifier and reads as fact. The phone’s lie is now your strategy input.
This is not a 0APT problem. 0APT is just the case where the gap between claim and reality is so wide it’s funny. The same pipeline runs every day with gaps you can’t see.
The corroboration was an accident
Now the part that should actually change how you work.
The only reason anyone knows 0APT was fake is that a rival ransomware group breached it. On April 14, 2026, KryBit breached 0APT’s servers — Halcyon’s own timeline calls it KryBit overtaking 0APT — and exfiltrated its infrastructure. The following day it leaked the full operational data set: access logs, PHP source code, and system files. That is what exposed the AnLinux phone, the lack of exfiltration, the whole charade. The proof came from an adversary turning over the rug, and Halcyon analyzing what crawled out.
Sit with the timeline. The fabricated claims went up in January. The proof arrived in mid-April. For the better part of three months, the only honest position on 0APT’s numbers was “unverified attacker claim” — because the evidence that settled it did not exist yet, and arrived only by luck. There was no responsible way to assert 0APT had 190 victims in February. There was no way to disprove it either.
You cannot build a process that waits for a rival breach. Adversarial, accidental corroboration is not a control. So the discipline can’t be “wait for proof.” It has to be “label the uncertainty correctly and act accordingly from day one.” That means tiering every claim by what actually backs it, the moment it lands.
Tier the claim before it moves
Four rungs. Each says exactly how much weight a statement can bear.
| Tier | What it means | Mapped to the 0APT / KryBit case |
|---|---|---|
| Observed | Directly evidenced in a primary source | The AnLinux-Parrot phone infrastructure and the absence of exfiltration — established from the breached access logs and source code, per Halcyon |
| Reported | Credible secondary assessment, not independently primary-confirmed | Halcyon’s read that KryBit is a functional RaaS with real skillsets, exfil of 10–250GB per target, demands of $40,000–$100,000 — an attributed expert judgment, treat as such |
| Inferred | A reasonable deduction, flagged as your own reasoning | That fabricating-victims-from-a-phone is cheap enough to repeat, so other low-effort imitator brands likely exist — a deduction, not a finding |
| Unproven | Circulating but unconfirmed; do not build on it | 0APT’s 190+ victim claims as victim counts before April 14 — pure leak-site assertion, zero corroboration |
Run 0APT through it and the whole thing resolves. The 190+ figure was Unproven the day it posted and stayed Unproven for months — and a tier discipline would have stamped it that way in February, long before the breach. The phone and the missing exfiltration are Observed, but only after April 14 and only via the logs. KryBit’s capability is Reported — Halcyon’s attributed call, strong but not the same epistemic weight as the logs.
Notice one more thing. Halcyon’s figure is “190+.” Some secondary coverage rounds it to “nearly 200.” That drift — a hard floor quietly becoming a soft estimate — is the laundering happening in real time, in a number small enough to check. Now imagine it across thousands of claims nobody checks. Use the primary figure, cite it, and watch what your sources do to it.
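The tier discipline above, as an added example that is not code from the write-up or from Halcyon: a small Python model that tiers each claim by the strongest evidence available on a given date and keeps victim totals separated by tier, so an Unproven leak-site figure never rolls into a budget-bearing number. The 0APT and KryBit records are constructed from the case, with placeholder days wherever the text gives only a month.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum

class Tier(IntEnum):
    """The four rungs; a higher value can bear more weight."""
    UNPROVEN = 0   # circulating but unconfirmed; do not build on it
    INFERRED = 1   # a reasonable deduction, flagged as your own reasoning
    REPORTED = 2   # credible secondary assessment, not primary-confirmed
    OBSERVED = 3   # directly evidenced in a primary source

@dataclass
class Evidence:
    supports: Tier    # the strongest tier this evidence justifies
    available: date   # the day it became available to you
    note: str

@dataclass
class Claim:
    subject: str
    statement: str
    first_seen: date
    victims: int = 0                  # victim count the claim asserts, if any
    evidence: list = field(default_factory=list)

def tier_at(claim: Claim, as_of: date) -> Tier:
    """Tier a claim using only evidence that existed on or before as_of.
    A leak-site post is the claim itself, not evidence, so alone it is UNPROVEN."""
    usable = [e.supports for e in claim.evidence if e.available <= as_of]
    return max(usable, default=Tier.UNPROVEN)

def tiered_totals(claims, as_of: date) -> dict:
    """Victim totals per tier; never collapses them into one headline number."""
    totals = {t: 0 for t in Tier}
    for c in claims:
        if c.first_seen <= as_of:
            totals[tier_at(c, as_of)] += c.victims
    return totals

def budget_bearing(claims, as_of: date, floor: Tier = Tier.REPORTED) -> int:
    """Victims allowed to drive spend: only tiers at or above the floor count."""
    return sum(n for t, n in tiered_totals(claims, as_of).items() if t >= floor)

# Constructed records; only 14-15 April 2026 comes from the case, other days are placeholders.
LEAK = Evidence(Tier.OBSERVED, date(2026, 4, 15),
                "KryBit leak: access logs, PHP source, system files (Halcyon)")
CLAIMS = [
    Claim("0APT", "190+ victims", date(2026, 1, 10), victims=190),  # never gains evidence
    Claim("0APT", "AnLinux-Parrot phone, no exfiltration", date(2026, 4, 15), evidence=[LEAK]),
    Claim("KryBit", "functional RaaS, 10-250GB exfil per target", date(2026, 4, 15),
          evidence=[Evidence(Tier.REPORTED, date(2026, 4, 16), "Halcyon assessment")]),
]
```

Run against a February date the 190 sits entirely in the Unproven bucket and contributes nothing to spend; after the leak the phone finding is Observed, but the victim figure still never clears the floor.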
The takeaway
Claimed is not corroborated. Corroborated is not confirmed. Those are three different things and a leak-site number is almost always the first one.
Before any figure off an attacker’s site drives incident-response spend, shapes a prioritization call, or becomes a number in front of your board, give it a tier and make the tier visible. An Unproven claim can still inform a hypothesis — it just can’t carry a budget. The point of tiering isn’t to ignore leak sites; it’s to stop letting attacker marketing set your agenda while wearing the costume of fact.
0APT got counted because counting was the easy thing to do. The honest thing was harder and it was available the whole time. Anyone who counted 0APT counted a phone — and the only reason you don’t have to take my word for it is that, this once, a thief got robbed.
Sources
- Halcyon, 0APT vs. KryBit: Ransomware Actors List Opposing Operators as Victims (primary): https://www.halcyon.ai/ransomware-research-reports/0apt-vs-krybit-ransomware-actors-list-opposing-operators-as-victims
- Infosecurity Magazine; Dark Reading — secondary coverage of the 0APT/KryBit case and the “nearly 200” figure variance
- Bitdefender, Claimed Twice — secondary context on double-counting and attacker-claimed victim figures in ransomware tracking