- 0APT threatens to expose the identities of rival ransomware operators
- Double extortion tactics lose impact when used against cybercriminal groups
- Krybit credentials and wallet data found in leaked samples
The ransomware ecosystem has never been known for its trust or cooperation, but a new conflict has taken the intracriminal war into uncharted territory.
A cybercrime group called 0APT has threatened to expose the identities of people affiliated with a rival ransomware operation known as Krybit.
In a leaked blog post, 0APT issued an unusual ultimatum to his fellow criminals. “If the group does not make payment or contact us, we will reveal their ID photos, names, location and more,” the post said.
Article continues below.
Double extortion model
The threat also contained an unexpected offer addressed to the original Krybit victims: “And if you are one of its victims, contact us to unlock your data.”
0APT is using a double extortion model that relies on the threat of reputational damage to pressure victims to pay ransoms.
That influence almost completely evaporates when the target is another ransomware group, as criminal enterprises have no legitimate reputation to protect.
Cybersecurity researchers point out that the tactic loses much of its appeal in this context, but 0APT has proceeded as if it were following a conventional manual.
The group leaked a small sample of supposedly stolen Krybit data as a warning sign and threatened to perform a full dump if payment does not arrive.
Eric Taylor, owner of Barricade Cyber ​​Solutions in South Carolina, has analyzed the small number of Krybit files already published by 0APT.
His team discovered plaintext credentials belonging to Krybit traders and affiliates, along with five cryptocurrency wallet addresses.
Notably, the team found no evidence of a single ransom paid to Krybit, suggesting that the group may have been less successful than its public claims implied.
The Krybit website is currently offline, replaced by a homepage that reads: “Everything will be back up and running shortly. We apologize for this. We’re sorry for the inconvenience.”
This type of internal rivalry is not entirely unprecedented. In 2025, a group called DragonForce attacked rival groups BlackLock and Mamona by defacing their websites and leaking internal communications.
DragonForce also apparently took over and then shut down former ransomware kingpin RansomHub’s operation in April last year after a month of infighting.
Security firm Halcyon has noted that 0APT “represents a legitimate threat” and displays “credible technical depth,” although within its first 48 hours, the group published a list of hundreds of victims that almost certainly contained inflated claims.
For organizations that have been encrypted by Krybit, the current conflict creates an unusual opportunity.
Victims should be sure to retain their firewall logs and network traffic data as they may contain evidence of the attack.
Although 0APT seems to offer a way out for Krybit victims, caution is necessary because the former is still a cybercriminal.
Whether 0APT actually holds decryption keys for Krybit victims has yet to be proven, and trusting one criminal group to rescue you from another carries obvious risks.
The situation is extraordinary, but the safest path for any victim remains to rely on professional defenders rather than rival attackers.
Through The Registry
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
