0APT Threatens to Dox Rival Ransomware Group Krybit in Unprecedented Cybercriminal Feud
A new escalation in the ransomware underworld has emerged as the cybercriminal group 0APT publicly threatened to expose the identities of operators behind the rival Krybit ransomware operation. In a leaked blog post, 0APT issued an ultimatum: pay an undisclosed sum or face the release of personal details, including names, photos, and locations of Krybit affiliates.
The group also extended an unusual offer to Krybit’s victims, promising decryption assistance as an attempt to leverage its double-extortion tactics. However, cybersecurity experts note that such threats lose potency when directed at fellow criminals, who lack reputational concerns. Despite this, 0APT released a sample of allegedly stolen Krybit data as a warning, including plaintext credentials and five cryptocurrency wallet addresses. Analysis by Barricade Cyber Solutions found no evidence of paid ransoms to Krybit, contradicting the group’s public claims of success.
Krybit’s website is currently offline, displaying a generic maintenance message. The conflict mirrors past intra-criminal disputes, such as DragonForce’s 2025 attacks on rivals BlackLock and Mamona, and its later takeover of RansomHub in 2024. Security firm Halcyon has acknowledged 0APT’s technical capabilities but noted that its initial victim list appeared inflated.
For organizations encrypted by Krybit, the feud presents a rare but risky opportunity. While 0APT claims to offer decryption keys, its criminal nature makes such offers unreliable. Victims are advised to preserve forensic evidence, though engaging with either group remains hazardous. The incident underscores the volatile and unpredictable nature of ransomware rivalries.
Barricade Cyber Solutions cybersecurity rating report: https://www.rankiteo.com/company/barricadecyber
"id": "BAR1776889447",
"linkid": "barricadecyber",
"type": "Ransomware",
"date": "4/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Cybercrime',
'name': 'Krybit',
'type': 'Ransomware Group'},
{'name': 'Krybit Victims', 'type': 'Organizations'}],
'data_breach': {'data_exfiltration': 'Yes (sample data released)',
'personally_identifiable_information': 'Names, photos, '
'locations',
'sensitivity_of_data': 'High (PII of Krybit affiliates)',
'type_of_data_compromised': 'Personal details, credentials, '
'cryptocurrency wallet addresses'},
'impact': {'data_compromised': 'Personal details (names, photos, locations), '
'plaintext credentials, cryptocurrency wallet '
'addresses',
'identity_theft_risk': 'High (for Krybit affiliates)',
'operational_impact': 'Krybit’s website offline (maintenance '
'message)'},
'lessons_learned': 'The incident underscores the volatile and unpredictable '
'nature of ransomware rivalries. Engaging with criminal '
'groups for decryption assistance is unreliable and '
'hazardous.',
'motivation': 'Extortion / Disruption of Rival Group',
'post_incident_analysis': {'root_causes': 'Rivalry between cybercriminal '
'groups (0APT and Krybit)'},
'ransomware': {'data_exfiltration': 'Yes (by 0APT)',
'ransom_demanded': 'Undisclosed sum (from 0APT to Krybit)'},
'recommendations': 'Victims of Krybit should preserve forensic evidence and '
'avoid engaging with either 0APT or Krybit. Organizations '
'should remain vigilant against intra-criminal disputes '
'spilling over into broader cyber threats.',
'references': [{'source': 'Barricade Cyber Solutions'}, {'source': 'Halcyon'}],
'response': {'communication_strategy': 'Leaked blog post, public threats',
'third_party_assistance': 'Barricade Cyber Solutions, Halcyon'},
'stakeholder_advisories': 'Victims are advised to preserve forensic evidence '
'and avoid engaging with either group.',
'threat_actor': '0APT',
'title': '0APT Threatens to Dox Rival Ransomware Group Krybit in '
'Unprecedented Cybercriminal Feud',
'type': 'Ransomware Feud / Extortion'}