0APT Threatens Rival Krybit with Doxxing and Extortion, Escalating Ransomware Turf War
Why It Matters
The 0APT‑Krybit clash highlights a shift in ransomware dynamics, where groups are no longer content to operate in parallel silos but are willing to turn on each other to protect their own anonymity and revenue streams. Such infighting can destabilize the underground market, making it harder for criminal actors to maintain the steady flow of ransom payments that have underpinned the industry for years. For defenders, the incident offers a rare glimpse into the internal mechanics of ransomware gangs, including the types of credentials and crypto wallets they use. The leaked information could accelerate attribution efforts, potentially leading to arrests or takedowns that would reverberate across the broader cyber‑crime ecosystem.
Key Takeaways
- 0APT threatens to publish identity photos, names and locations of Krybit affiliates unless paid
- Krybit's website replaced with an apology splash page after the threat went public
- Eric Taylor of Barricade Cyber Solutions found plaintext credentials and five crypto wallets in leaked Krybit files
- Halcyon labels 0APT a "legitimate threat" with "credible technical depth" despite its two‑day existence
- Criminal‑on‑criminal attacks have precedent, notably DragonForce's 2025 assaults on BlackLock, Mamona and RansomHub
Pulse Analysis
Ransomware gangs have traditionally avoided direct conflict, focusing instead on maximizing payouts from corporate victims. 0APT's decision to weaponize doxxing against a peer signals a new willingness to gamble on reputation damage within the criminal community. This could fragment the market, prompting smaller outfits to either merge with larger syndicates for protection or to adopt more aggressive defensive postures, such as pre‑emptive leaks of rival data.
From a strategic standpoint, 0APT appears to be leveraging its early notoriety to establish a deterrent reputation. By publicly threatening a competitor, it sends a message that any challenge will be met with swift exposure, potentially discouraging future incursions. However, the tactic also risks attracting heightened law‑enforcement attention, especially given the inclusion of cryptocurrency wallet addresses that can be traced. If authorities can link those wallets to real‑world identities, the fallout could be severe for both groups.
Looking ahead, the ransomware ecosystem may see a rise in similar intra‑gang skirmishes as new entrants seek to carve out market share. Security teams should monitor dark‑web chatter for signs of escalating feuds, as they often precede broader campaigns that target not only victims but also the infrastructure of rival gangs. The 0APT‑Krybit episode serves as a cautionary tale: the very tools that enable ransomware profitability—anonymity and leverage—can become liabilities when turned against each other.