- 0APT threatens to reveal the identity of rival ransomware operators
- Dual extortion tactics lose their effectiveness when used against cybercriminal groups
- Krybit credentials and wallet data were found in leaked samples
The ransomware ecosystem has never been known for trust or cooperation, but a new conflict has pushed intra-criminal warfare into uncharted territory.
A cybercrime group called 0APT has threatened to reveal the identities of people associated with a rival ransomware operation known as Krybit.
In a leaked blog post, 0APT issued an unusual ultimatum to his fellow criminals. “If the group does not make the payment or contact us, we will reveal their identity photos, names, location and more,” the post said.
The article continues below
Double blackmail model
The threat also contained an unexpected offer aimed at Krybit’s original victims: “And if you are one of their victims, contact us to have your data unlocked.”
0APT uses a dual extortion model that relies on the threat of reputational damage to pressure victims into paying ransoms.
This leverage evaporates almost completely when the target is another ransomware group, as criminal enterprises have no legitimate reputation to protect.
Cyber security researchers note that the tactic loses much of its sting in this context, yet the 0APT is run as if following a conventional playbook.
The group leaked a small sample of allegedly stolen Krybit data as a warning shot and has threatened a full dump if no payment is forthcoming.
Eric Taylor, owner of Barricade Cyber Solutions in South Carolina, has analyzed the small number of Krybit files already released by 0APT.
His team discovered plain-text credentials belonging to Krybit operators and affiliates, along with five cryptocurrency wallet addresses.
Notably, the team found no evidence of a single ransom paid to Krybit, suggesting the group may have been less successful than its public claims suggested.
Krybit’s website is currently offline, replaced by a splash page that reads: “Everything will be back up and running soon. We apologize for this. We apologize for the inconvenience.”
This kind of intra-rivalry is not entirely without precedent. In 2025, a group called DragonForce attacked rival groups BlackLock and Mamona by defacing their websites and leaking internal communications.
DragonForce also apparently took over and later shut down the operations of former ransomware king RansomHub last April after a month-long battle.
Security firm Halcyon has noted that 0APT “poses a legitimate threat” and shows “credible technical depth,” although within the first 48 hours the group posted a list of hundreds of victims that almost certainly contained high claims.
For organizations that have been encrypted by Krybit, the current conflict creates an unusual opportunity.
Victims should ensure that their firewall logs and network traffic data are preserved, as these may contain evidence of the attack.
Although 0APT appears to offer a way out for Krybit’s victims, caution is needed because the former remains a cybercriminal.
Whether or not 0APT actually holds decryption keys for Krybit’s victims remains unproven, and trusting one criminal group to save you from another carries obvious risks.
The situation is extraordinary, but the safest path for any victim is still to rely on professional defenders rather than rival attackers.
Via The register
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
