A newly emerged ransomware group has turned the double-extortion playbook against a fellow criminal operation, demanding payment from rival gang Krybit in exchange for withholding stolen member data, including names, photographs, and location information.
What happened
Dark web researchers spotted a post on 0APT's leak blog over the weekend of April 12, 2026, in which the group threatened to expose individuals affiliated with Krybit unless payment was made. According to The Register, 0APT leaked a sample of allegedly stolen Krybit data as a warning shot, stating "If the group does not make the payment or contact us, we will reveal their identity, photos, names, location, and other." Krybit's website subsequently went offline, replaced by a message reading, "Everything will return to work shortly. We apologize for this. We are sorry for the inconvenience." Researchers who downloaded the leaked sample found plaintext credentials belonging to Krybit operators and affiliates, five cryptocurrency wallet addresses, and no evidence of a single paid ransom. 0APT launched in January 2026, and within its first 48 hours claimed hundreds of victim organizations on its leak blog, a list researchers assessed as almost certainly inflated. Krybit has no major threat intelligence reports published against it, and dark web tracking platforms suggest it has been active for only a few weeks.
Going deeper
The 0APT post also included a note to Krybit's own victims, offering to unlock their data, which frames the incident as both a criminal extortion attempt and a possible recruitment pitch. The extortion threat against Krybit loses most of its leverage because ransomware operators depend on reputational damage as their primary coercion mechanism, and a group with no public-facing reputation and no documented ransom payments has little to lose. Researchers noted the irony in 0APT's leak post, which characterized Krybit as a ransomware group and stated that "such groups pose significant risks to cybersecurity and data privacy worldwide," despite 0APT operating under the same model. The attack nonetheless carries some residual threat because cybercriminal operators are typically protective of their physical identities for self-preservation reasons, and exposure of real names, photographs, and locations to both law enforcement and rival criminal actors represents a non-trivial risk regardless of reputational standing.
What was said
0APT stated in its leak blog post that the targeted group "poses significant risks to cybersecurity and data privacy worldwide," while simultaneously running a ransomware operation under the same double-extortion model. Researchers tracking 0APT noted it "poses a legitimate threat" and shows "credible technical depth" despite its recent emergence and likely inflated victim claims in its early days of operation.
In the know
Criminal-on-criminal attacks within the ransomware ecosystem are unusual but documented. According to The Register, the DragonForce group attacked rival operations BlackLock and Mamona in 2025, defacing their websites and leaking internal communications. DragonForce also took over and later shut down RansomHub's operation in April 2025 following a month of internal conflict between the two groups. These incidents reflect an ecosystem under competitive pressure, where new entrants making inflated victim claims and established groups competing for affiliates create friction that occasionally surfaces as direct aggression between operators.
The big picture
For healthcare organizations, the internal dynamics of the ransomware ecosystem matter less than the operational reality that groups like 0APT and Krybit create. The FBI's 2025 Internet Crime Report confirmed healthcare as the most targeted critical infrastructure sector, recording 460 ransomware attacks in the year. According to Paubox's 2026 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged 264 percent since 2018, and phishing-driven mailbox takeovers exposed 630,000 individuals in healthcare in 2025 alone. The 0APT versus Krybit dispute is a reminder that the ransomware supply chain includes dozens of competing groups, affiliate networks, initial access brokers, and tool vendors, all operating simultaneously. When one group collapses or is disrupted, its affiliates, tools, and victim access listings migrate to others. The healthcare attack surface does not shrink when one operator turns on another.
FAQs
Why would a ransomware group extort another ransomware group?
Ransomware operators have real identities behind their pseudonyms, cryptocurrency wallets with traceable balances, and operational infrastructure worth seizing. Threatening to expose those details to law enforcement or rival groups carries genuine risk for the targeted operators, even if the reputational coercion that works on businesses has no equivalent effect on criminals.
What does the absence of paid ransoms in the leaked Krybit data indicate?
Krybit's apparent lack of paid ransoms suggests either that the operation launched very recently and has not yet converted any victims, or that the group is primarily a claims-based presence that posts victim names without having successfully encrypted or exfiltrated sufficient data to compel payment. Both are consistent with the dark web tracking assessment of a few weeks of activity.
What is double extortion, and how does 0APT apply it to a criminal target?
Double extortion involves exfiltrating data before encrypting it, then threatening to publish the data if the ransom is not paid. 0APT applied the same structure to Krybit by leaking a sample and threatening a full dump of member identities if payment was not received, replacing the threat of reputational damage to a business with the threat of identity exposure to law enforcement and rivals.
How does infighting between ransomware groups affect their victims?
When groups like DragonForce absorb or dismantle rivals, they typically also inherit stolen data and victim access. Victims of a group that is disrupted or taken over may find their data transferred to a new operator who then repeats the extortion demand, meaning a takedown does not necessarily end the threat to organizations whose data was already exfiltrated.
Why do new ransomware groups inflate victim claims at launch?
Posting large numbers of claimed victims immediately establishes a public presence and signals operational capability to potential affiliates, who are the technical operators that carry out the actual attacks. Affiliates select platforms partly based on perceived success and reach, so inflated early claims function as a recruitment tool regardless of how many victims actually paid or were genuinely compromised.
