Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit.
Dark web watchers spotted the move on Sunday, though 0APT’s motive for extorting a fellow criminal outfit remains unclear. The notion seems even more bizarre given that 0APT hypocritically described Krybit in its leak blog post as a ransomware group, and that “such groups pose significant risks to cybersecurity and data privacy worldwide.”
“If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and other,” 0APT said. “And if you are one of their victims, contact us to get your data unlocked.”
Following the standard double-extortion playbook, 0APT leaked a sample of the allegedly stolen Krybit data as a warning shot, threatening a full dump if payment isn’t made.
The tactic loses much of its sting when aimed at criminals rather than businesses. Ransomware operators typically rely on the threat of reputational damage to coerce victims, leverage that evaporates when the target has no reputation worth protecting. The model is, in this context, almost laughably toothless.
That said, cybercriminals are famously paranoid about their identities for good reason, which gives the threat at least some residual bite.
Eric Taylor, owner of South Carolina security shop Barricade Cyber Solutions, said his team downloaded the small number of Krybit files already leaked by 0APT.
His team found plaintext credentials belonging to Krybit operators and affiliates, five cryptocurrency wallet addresses, and no evidence of a single paid ransom, among other things, he said.
Krybit’s website is currently down, replaced by a splash page reading: “Everything will return to work shortly. We apologize for this. We are sorry for the inconvenience.”
0APT launched in January 2026. According to Halcyon’s ransomware research center, it “poses a legitimate threat” and shows “credible technical depth.”
Within the first 48 hours of life, however, 0APT posted hundreds of victim organizations to its leak blog, a list that almost certainly included inflated victim claims, Halcyon said.
Krybit is less well-documented. No major threat intelligence or cybersecurity outfit has published a report on the group, and dark web tracking platforms suggest it has only been active for a few weeks, based on its recently claimed victims.
Criminal-on-criminal attacks aren’t without precedent. DragonForce, for example, notably attacked rival groups BlackLock and Mamona in 2025, defacing their websites and leaking some internal communications.
DragonForce also seemingly took over and later shut down former ransomware kingpin RansomHub’s operation in April last year after a month of infighting between the two criminal enterprises. ®
