‘We will reveal their identity photos, names, location, and other’: Experts reveal extraordinary battle between rival ransomware gangs — and how victims can get their data back


  • 0APT is threatening to expose the identities of rival ransomware operators
  • Double extortion tactics lose impact when used against cybercriminal groups
  • Krybit credentials and wallet data were found in leaked samples

The ransomware ecosystem has never been known for trust or cooperation, but a new conflict has pushed intra-criminal warfare into uncharted territory.

A cybercrime group called 0APT has threatened to expose the identities of individuals affiliated with a rival ransomware operation known as Krybit.

In a leaked blog post, 0APT issued an unusual ultimatum to its fellow criminals. “If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and more,” the post stated.


Double-extortion model

The threat also contained an unexpected offer directed at Krybit’s original victims: “And if you are one of their victims, contact us to get your data unlocked.”

0APT is using a double-extortion model that relies on the threat of reputational damage to pressure victims into paying ransoms.

That leverage evaporates almost completely when the target is another ransomware group, since criminal enterprises have no legitimate reputation to protect.

Cybersecurity researchers note that the tactic loses much of its sting in this context, yet 0APT has proceeded as if following a conventional playbook.


The group leaked a small sample of allegedly stolen Krybit data as a warning shot and has threatened a full dump if no payment arrives.

Eric Taylor, owner of Barricade Cyber Solutions in South Carolina, has analyzed the small number of Krybit files already released by 0APT.

His team discovered plaintext credentials belonging to Krybit operators and affiliates, along with five cryptocurrency wallet addresses.

Notably, the team found no evidence of a single paid ransom to Krybit, suggesting the group may have been less successful than its public claims implied.

Krybit’s website is currently offline, replaced by a splash page that reads: “Everything will return to work shortly. We apologize for this. We are sorry for the inconvenience.”

This type of rivalry between criminal groups is not entirely without precedent. In 2025, a group called DragonForce attacked rival groups BlackLock and Mamona by defacing their websites and leaking internal communications.

DragonForce also seemingly took over and later shut down the operation of former ransomware kingpin RansomHub in April last year after a month of infighting.

Security firm Halcyon has noted that 0APT “poses a legitimate threat” and shows “credible technical depth,” though within its first 48 hours, the group posted a list of hundreds of victims that almost certainly contained inflated claims.

For organizations that have been encrypted by Krybit, the current conflict creates an unusual opportunity.

Victims should ensure their firewall logs and network traffic data are preserved, as these may contain evidence of the attack.

Although 0APT seems to offer a way out for Krybit’s victims, caution is warranted because 0APT remains a cybercriminal group.

Whether 0APT actually possesses decryption keys for Krybit’s victims remains unproven, and trusting one criminal group to rescue you from another carries obvious risks.

The situation is extraordinary, but the safest path for any victim is still to rely on professional defenders rather than rival attackers.

Via The Register

