Rival Ransomware Gangs Clash as 0APT Threatens to Expose Krybit Operatives
In an unusual escalation within the cybercriminal underworld, the ransomware group 0APT has targeted a rival outfit, Krybit, threatening to expose its affiliates unless a payment is made. The confrontation, first observed by dark web monitors on Sunday, follows the standard double-extortion playbook leaking a sample of stolen data as leverage but with a twist: the victim is another criminal operation.
0APT, which launched in January 2026, accused Krybit of being a ransomware group that "poses significant risks to cybersecurity and data privacy worldwide," despite engaging in the same illicit activities. The group warned that if Krybit failed to comply, it would release identity photos, names, locations, and other sensitive details of its members. As an added incentive, 0APT offered to unlock data for Krybit’s victims though the practical impact of such an offer remains questionable, given the target’s lack of reputational concerns.
Security researchers at Barricade Cyber Solutions analyzed the leaked data and found plaintext credentials, five cryptocurrency wallet addresses, and no evidence of paid ransoms suggesting Krybit may be a fledgling operation. Meanwhile, Krybit’s website is currently offline, displaying a generic maintenance message.
While 0APT has been labeled a "legitimate threat" with "credible technical depth" by Halcyon’s ransomware research center, its initial victim claims were widely seen as inflated. Krybit, by contrast, remains poorly documented, with dark web tracking platforms indicating it has only been active for a few weeks.
This isn’t the first time cybercriminals have turned on each other. In 2025, DragonForce attacked rivals BlackLock and Mamona, defacing their sites and leaking internal communications. The group later seized control of RansomHub’s operations in April 2025 following a month-long feud, ultimately dismantling the once-dominant ransomware enterprise.
The incident underscores the paranoia and infighting within the ransomware ecosystem, where even criminal groups are not immune to extortion though the effectiveness of such tactics against fellow threat actors remains debatable.
Source: https://www.theregister.com/2026/04/14/0apt_krybit_spat/
Group-IB cybersecurity rating report: https://www.rankiteo.com/company/group-ib
"id": "GRO1776176694",
"linkid": "group-ib",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Cybercrime',
'name': 'Krybit',
'size': 'Small (fledgling operation)',
'type': 'Ransomware Group'}],
'attack_vector': 'Double-extortion (data leak as leverage)',
'data_breach': {'data_exfiltration': 'Yes (sample leaked as leverage)',
'personally_identifiable_information': 'Yes (identity photos, '
'names, locations)',
'sensitivity_of_data': 'High (identity photos, names, '
'locations, plaintext credentials)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Credentials',
'Cryptocurrency Wallet '
'Addresses']},
'date_detected': '2026-01-01',
'date_publicly_disclosed': 'Sunday (exact date not specified)',
'description': 'The ransomware group 0APT targeted a rival outfit, Krybit, '
'threatening to expose its affiliates unless a payment is '
'made. 0APT leaked a sample of stolen data, including identity '
'photos, names, locations, and sensitive details of Krybit '
'members. The incident highlights infighting within the '
'ransomware ecosystem.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'Krybit within the cybercriminal '
'underworld',
'data_compromised': 'Identity photos, names, locations, plaintext '
'credentials, cryptocurrency wallet addresses',
'identity_theft_risk': 'High (exposure of personal details of '
'Krybit operatives)',
'operational_impact': "Disruption of Krybit's operations",
'payment_information_risk': 'High (exposure of cryptocurrency '
'wallet addresses)',
'systems_affected': "Krybit's website (offline, displaying "
'maintenance message)'},
'investigation_status': 'Ongoing (analysis by security researchers)',
'lessons_learned': 'The incident underscores the paranoia and infighting '
'within the ransomware ecosystem, where even criminal '
'groups are not immune to extortion.',
'motivation': 'Extortion, Rivalry, Disruption of Competing Cybercriminal '
'Operations',
'post_incident_analysis': {'root_causes': 'Rivalry between ransomware groups, '
'competition for dominance in the '
'cybercriminal ecosystem'},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Unspecified (threat to expose operatives '
'unless payment made)'},
'references': [{'source': 'Barricade Cyber Solutions'},
{'source': 'Halcyon’s Ransomware Research Center'}],
'response': {'communication_strategy': 'Threatening data leaks via dark web',
'third_party_assistance': 'Barricade Cyber Solutions (security '
'research)'},
'threat_actor': ['0APT', 'Krybit'],
'title': '0APT Threatens to Expose Krybit Ransomware Operatives',
'type': 'Ransomware, Cyber Extortion, Data Leak'}