Two rival ransomware gangs, 0APT and Krybit, are currently embroiled in a conflict after 0APT threatened to reveal the identities of Krybit affiliates. This confrontation was noted by dark web observers on Sunday, although the reasons behind 0APT’s extortion attempt against another criminal organization are not well understood.
In a blog post, 0APT referred to Krybit as a ransomware group, stating that “such groups pose significant risks to cybersecurity and data privacy worldwide.” They further warned that if Krybit does not comply with their demands, they would disclose personal information including identity photos, names, and locations of Krybit members. Additionally, 0APT invited victims of Krybit to reach out for assistance in unlocking their data.
Extortion Tactics and Implications
Following the common double-extortion strategy, 0APT leaked a sample of data they claim to have stolen from Krybit as a preliminary warning, threatening to release more if their demands are not met. However, the effectiveness of this tactic appears diminished when directed at fellow criminals, as the threat of reputational damage is less impactful in this context.
Initial Findings from Leaked Data
Eric Taylor, the owner of Barricade Cyber Solutions, reported that his team analyzed the limited data leaked by 0APT. They discovered plaintext credentials belonging to Krybit operators, five cryptocurrency wallet addresses, and no evidence indicating that any ransom had been paid. This suggests that the operational integrity of Krybit may be compromised.
Krybit’s Current Status
At present, Krybit’s website is down, displaying a message that reads: “Everything will return to work shortly. We apologize for this. We are sorry for the inconvenience.” This downtime may indicate a response to the ongoing threats from 0APT.
Background on 0APT
0APT emerged in January 2026 and has been characterized by cybersecurity researchers at Halcyon as a legitimate threat with credible technical capabilities. Within just 48 hours of its launch, 0APT had already posted hundreds of victim organizations on its leak blog, although these claims are likely inflated.
In contrast, Krybit is less documented, with no significant reports from major threat intelligence firms. Its activity appears to have started only recently, based on its claimed victims. While infighting among criminal groups is not unprecedented, as seen with DragonForce’s attacks on rival gangs, the current situation between 0APT and Krybit highlights the volatile nature of the ransomware landscape.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
