By Festus Poquie
A newly emerged ransomware group calling itself 0APT has claimed responsibility for a series of cyberattacks against strategic Liberian government agencies, stealing roughly 15 terabytes of sensitive sovereign data and is demanding negotiations to prevent the information from being published on the dark web.
The group posted on dark web forums that the breaches targeted the Liberia Revenue Authority (LRA), the Liberia Electricity Corporation (LEC) and the National Investment Commission (NIC).
According to posts and reporting by ThreatMon’s Threat Intelligence Team, the haul allegedly includes confidential investment agreements, investor passports, blueprints for the national power grid and customer billing databases.
ThreatMon said it detected the activity on Feb. 2, 2026, at 12:58 UTC+3 through dark web monitoring and tracking of indicators of compromise and command and control infrastructure.
The incident follows a broader pattern of ransomware groups increasingly targeting public-sector institutions and multinational firms.
0APT warned in its communications that the stolen files would be exposed publicly unless negotiations began, an escalation experts say is consistent with modern double extortion tactics in which attackers both encrypt systems and threaten to publish exfiltrated data to pressure victims into paying ransoms.
Official responses from Liberia’s government were limited. A spokesperson for the Liberia Revenue Authority told Oracle News Daily, the agency’s data “are intact.”
The Liberia Electricity Corporation and the National Investment Commission had not immediately responded to requests for comment. The government has not issued an official statement confirming the scope of the alleged breaches.
Representative Taa Wongbe of Nimba County urged swift legislative action and transparency. In a Facebook post calling for an urgent briefing, he wrote: “It is being alleged that sensitive data from some of these systems may have been accessed and is being offered for sale on the dark web.
If true, this raises serious concerns about the safety of taxpayer information, investor records, and critical national infrastructure.”
He said he had formally requested that the Speaker of the House summon relevant agencies to explain whether a breach occurred, what data were affected, and what steps are being taken to secure systems.
Cybersecurity analysts said attacks of this type usually follow reconnaissance and exploitation of weaknesses such as outdated software, inadequate monitoring or insufficient segmentation of critical networks. For agencies like the LRA and LEC, successful intrusions can disrupt tax collection, billing and essential services, and erode investor confidence if sensitive commercial agreements or personal data are exposed.
Investigations into the claimed breaches and the veracity of the data posted on the dark web are underway by private threat intelligence groups and, it is expected, by national authorities.
Observers cautioned that initial claims made by criminal actors on underground forums are not always independently verifiable and urged institutions and citizens to monitor official communications and take standard protective measures, including changing credentials and increasing network monitoring.
