The ransomware landscape turned inward this week as the 0APT gang initiated an extortion campaign against a rival group, Krybit. Observers on the dark web first noted the move on Sunday, which involves threats to dox Krybit’s affiliates and operators.
0APT, which emerged in January 2026, claims that Krybit poses a threat to global data privacy. In a move described by analysts as hypocritical, the group stated: "If the group does not make the payment or contact us, we will reveal their identity photos, names, location, and other."
To prove its intent, 0APT released a sample of data allegedly stolen from Krybit. The group has offered to unlock data for any of Krybit’s own victims who come forward.
Analysts uncover internal data
Eric Taylor, owner of the South Carolina-based firm Barricade Cyber Solutions, confirmed his team analyzed the leaked sample. The files included plaintext credentials belonging to Krybit operators, five cryptocurrency wallet addresses, and no evidence that the group had successfully collected any ransoms from its own targets.
Krybit’s official website is currently offline. A splash page now displays a message apologizing for the downtime and promising that services will return shortly.
While extortion tactics are standard in the ransomware industry, they typically rely on the threat of reputational damage or operational disruption. Because criminal gangs operate in the shadows, these threats often carry less weight than they would against legitimate corporations. However, the extreme paranoia surrounding the identities of threat actors provides 0APT with potential leverage.
According to research from Halcyon, 0APT possesses "credible technical depth" and has maintained a high volume of activity since its inception. Within 48 hours of launching, the group claimed responsibility for hundreds of victim organizations, though researchers suggest many of those claims were inflated.
Little is known about the target, Krybit. Major threat intelligence firms have yet to publish formal reports on the group, which appears to have been active for only a few weeks.
Criminal-on-criminal attacks are not unprecedented. In previous cases, such as the activity involving the DragonForce gang, ransomware operators have targeted their peers to disrupt operations or gain access to illicit infrastructure.
