- 0APT Threatens to Expose Identity of Competing Ransomware Operators
- Double extortion tactics lose impact when used against cybercriminal groups
- Krybit credentials and wallet data found in leaked samples
The ransomware ecosystem has never been known for trust or cooperation, but a new conflict has pushed intra-criminal warfare into uncharted territory.
A cybercrime group called 0APT has threatened to reveal the identities of individuals affiliated with a rival ransomware operation known as Krybit.
In a leaked blog post, 0APT issued an unusual ultimatum to his fellow criminals. “If the group does not make payment or contact us, we will reveal their photo IDs, names, location, etc.,” the message states.
Article continues below
Double extortion pattern
The threat also contained an unexpected offer to Krybit’s first victims: “And if you are one of their victims, contact us to unlock your data.”
0APT uses a double extortion model that relies on the threat of reputational damage to pressure victims into paying ransoms.
This leverage almost completely evaporates when the target is another ransomware group, since criminal enterprises have no legitimate reputation to protect.
Cybersecurity researchers note that the tactic loses much of its appeal in this context, but 0APT proceeded as if following a conventional playbook.
The group leaked a small sample of allegedly stolen Krybit data as a warning shot and threatened to completely dump it if no payment comes.
Eric Taylor, owner of Barricade Cyber Solutions in South Carolina, analyzed the small number of Krybit files already released by 0APT.
His team discovered clear-text credentials belonging to Krybit operators and affiliates, as well as five cryptocurrency wallet addresses.
Notably, the team found no evidence of a single ransom paid to Krybit, suggesting that the group may have been less successful than its public claims suggested.
Krybit’s website is currently offline, replaced by a homepage that says: “Everything will return to work shortly. We apologize for this. We are sorry for the inconvenience.”
This type of intra-rivalry is not entirely unprecedented. In 2025, a group called DragonForce attacked rival groups BlackLock and Mamona by defacing their websites and leaking their internal communications.
DragonForce apparently also took over, then shut down the operations of former ransomware kingpin RansomHub in April last year, after a month of infighting.
Security firm Halcyon noted that 0APT “poses a legitimate threat” and demonstrates “credible technical depth,” although within the first 48 hours the group released a list of hundreds of victims almost certainly containing exaggerated claims.
For Krybit-encrypted organizations, the current conflict creates an unusual opportunity.
Victims should ensure that their firewall logs and network traffic data are preserved, as these may contain evidence of the attack.
Even if 0APT seems to offer a way out to Krybit victims, caution is required because the first remains a cybercriminal.
It remains to be proven that 0APT actually has the decryption keys for Krybit’s victims, and trusting one criminal group to save you from another carries obvious risks.
The situation is extraordinary, but the safest path for any victim remains to rely on professional defenders rather than rival attackers.
Via The register
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
