Full Report
# Two Ransomware Groups Tore Each Other Apart — Here’s What We Found Inside

On April 13, 2026, a threat actor calling itself 0APT published the complete database of the Krybit ransomware operation — victim records, plaintext credentials, Bitcoin wallets, encryption tokens, and a 56MB exfiltration file inventory. For the first time, 0APT had produced something real.

Krybit hit back hard. Within 48 hours, Krybit compromised 0APT’s server, defaced their data leak site, and published everything: source code, bash history, nginx logs, system files. Then Krybit posted 0APT as victim #1 on their own leak site with the message:

> “HACKED BY KRYBIT — Next time, don’t play with the big boys. The response will be fast.”

The result is something rarely seen in threat intelligence — both sides of a ransomware conflict fully exposed at the same time. This report walks through what each leak reveals, what it means for defenders, and why one of these groups was never real to begin with.
Analysis Summary
# Incident Report: The 0APT vs. Krybit Conflict
## Executive Summary
A mutual compromise occurred between two ransomware entities, 0APT and Krybit, resulting in the total exposure of both groups' internal infrastructures. After 0APT leaked the Krybit database, the Krybit collective launched a rapid counter-offensive, fully compromising 0APT's servers and exposing them as a fraudulent operation. The outcome provided a rare, symmetrical look into the source code, victimology, and operational failings of concurrent threat actors.
## Incident Details
- **Discovery Date:** April 13, 2026
- **Incident Date:** April 13 – April 15, 2026
- **Affected Organizations:** 0APT (Threat Group/Fraudulent Op) and Krybit (Ransomware Group)
- **Sector:** Cybercrime / Ransomware-as-a-Service (RaaS)
- **Geography:** Global / Digital
## Timeline of Events
### Initial Access
- **Date/Time:** April 13, 2026
- **Vector:** Targeted Data Leak / Insider Access (0APT against Krybit)
- **Details:** 0APT published Krybit’s entire backend database, including plaintext credentials and encryption tokens.
### Lateral Movement
- **April 14, 2026:** Krybit operators conducted rapid reconnaissance against 0APT’s leak site infrastructure, identifying vulnerabilities in their web server configuration.
### Data Exfiltration/Impact
- **April 15, 2026:** Krybit successfully exfiltrated 0APT’s entire server directory, including Nginx logs, bash history, system files, and source code.
- **April 15, 2026:** Krybit defaced the 0APT leak site and officially listed 0APT as "Victim #1" on the Krybit portal.
### Detection & Response
- **Detection:** Immediate; both groups used their public leak sites to broadcast the compromises.
- **Response:** Krybit engaged in a "hack-back" operation to neutralize 0APT’s data leak and reclaim dominance.
## Attack Methodology
- **Initial Access:** Vulnerability exploitation of web server/leak site (Krybit's counter-attack).
- **Persistence:** System file modification and shell access evidenced by bash history leaks.
- **Privilege Escalation:** Likely exploitation of misconfigured server permissions on 0APT assets.
- **Defense Evasion:** 0APT attempted to mimic a sophisticated APT; however, poor server hardening led to their exposure.
- **Credential Access:** 0APT leaked Krybit's plaintext credentials; Krybit retrieved 0APT's system logs.
- **Discovery:** Krybit utilized 0APT’s public infrastructure to map back to their origin server.
- **Lateral Movement:** Server-side movement from the web-facing application to the underlying file system.
- **Collection:** Gathering of 56MB exfiltration file inventories and Bitcoin wallet addresses.
- **Exfiltration:** Public posting of the competitor’s internal backend data on leak sites.
- **Impact:** Total loss of operational security (OPSEC) for both groups; 0APT’s reputation as a "real" group was destroyed.
## Impact Assessment
- **Financial:** Exposure of Bitcoin wallets for both entities, potentially allowing for law enforcement tracking.
- **Data Breach:** High; includes victim logs, encryption keys (allowing victims to potentially decrypt for free), and source code.
- **Operational:** Total shutdown of 0APT operations; significant disruption to Krybit’s anonymity.
- **Reputational:** 0APT exposed as a "fake" group; Krybit demonstrated aggressive "hack-back" capabilities.
## Indicators of Compromise
- **Network indicators:**
  - `0apt[.]leaks` (defanged)
  - `krybit[.]news` (defanged)
- **File indicators:**
  - `0apt_leak_inventory.csv` (56MB file list)
  - `krybit_source_code.zip`
- **Behavioral indicators:**
  - Rapid server defacement followed by file system dumping on Tor-based leak sites.
## Response Actions
- **Containment:** Krybit compromised the source of the leak to stop further dissemination.
- **Eradication:** 0APT’s infrastructure was effectively dismantled by the competitor.
- **Recovery:** Krybit attempted to restore "brand authority" via aggressive PR on their leak site.
## Lessons Learned
- **Threat Actor Infighting:** Cybercriminal groups are not a monolith and will bypass legal/ethical boundaries to attack competitors.
- **OPSEC Failures:** Even "advanced" actors like 0APT failed basic server hardening, leading to a total system compromise within 48 hours.
- **Intelligence Goldmine:** Mutual leaks provide defenders with encryption tokens and victim lists that are usually protected by ransom demands.
## Recommendations
- **Victim Remediation:** Organizations listed in the 56MB inventory should immediately check for matching encryption tokens to facilitate data recovery.
- **Intelligence Monitoring:** Security teams should monitor the leaked bash histories and Nginx logs to identify the IP addresses and tools used by both groups.
- **Infrastructure Hardening:** Ensure all public-facing assets (like leak sites or portals) are hardened against the same vulnerabilities Krybit used for their counter-strike.
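The monitoring recommendation above (mining leaked Nginx logs and bash histories for source IPs and tooling) is the kind of task a defender scripts rather than eyeballs. The following is an added example written for this report, not code from either group or from the leaked material; every IP, path, user agent and shell command in it is constructed for illustration and is not an indicator from the leaks. It parses Nginx combined-format access lines, aggregates per client IP, flags sources that probe paths a legitimate portal visitor never requests, and counts the leading command of each bash_history line to build a tool inventory.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in nginx "combined" log format. The addresses, paths
# and user agents are invented for this example (RFC 5737 documentation ranges)
# and are not indicators taken from the 0APT or Krybit leaks.
SAMPLE_NGINX_LINES = [
    '203.0.113.7 - - [14/Apr/2026:02:11:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [14/Apr/2026:02:11:10 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "curl/8.4.0"',
    '203.0.113.7 - - [14/Apr/2026:02:11:11 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.4.0"',
    '198.51.100.23 - - [14/Apr/2026:02:15:42 +0000] "GET /victims HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '203.0.113.7 - - [14/Apr/2026:02:16:00 +0000] "GET /admin/.bash_history HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    'this line is not a valid access log entry',
]

# One regex for the nginx "combined" format: ip ident user [ts] "req" status size "referer" "ua".
NGINX_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths a legitimate visitor of a web portal has no reason to request; a burst of
# these from one source is the classic footprint of reconnaissance against the host.
SENSITIVE_PATH_MARKERS = ('/.git', '/.env', '.bash_history', '/.ssh', '/etc/passwd')


def parse_nginx_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = NGINX_COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def summarize_access_log(lines):
    """Aggregate per client IP: hit count, distinct user agents, sensitive-path probes.

    Returns (summary_dict, number_of_unparsable_lines) so malformed lines are
    counted rather than silently dropped.
    """
    per_ip = defaultdict(lambda: {'hits': 0, 'user_agents': set(), 'probes': []})
    unparsed = 0
    for line in lines:
        rec = parse_nginx_line(line)
        if rec is None:
            unparsed += 1
            continue
        entry = per_ip[rec['ip']]
        entry['hits'] += 1
        entry['user_agents'].add(rec['ua'])
        if any(marker in rec['path'] for marker in SENSITIVE_PATH_MARKERS):
            entry['probes'].append((rec['path'], rec['status']))
    return dict(per_ip), unparsed


def flag_recon_sources(summary, min_probes=2):
    """Return (ip, probe_count) for IPs with at least `min_probes` sensitive-path requests, worst first."""
    flagged = [(ip, len(e['probes'])) for ip, e in summary.items() if len(e['probes']) >= min_probes]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def tool_usage_from_history(history_lines):
    """Count the leading command of each bash_history line, skipping sudo/nohup/time prefixes and splitting pipes."""
    counts = Counter()
    for line in history_lines:
        for segment in line.split('|'):
            tokens = segment.strip().split()
            while tokens and tokens[0] in ('sudo', 'nohup', 'time'):
                tokens = tokens[1:]
            if tokens:
                counts[tokens[0]] += 1
    return counts


# Constructed sample bash history; also invented for this example, not from the leak.
SAMPLE_BASH_HISTORY = [
    'sudo nginx -t',
    'curl -s http://example.invalid/api | grep token',
    'python3 dump_db.py',
    'curl -O http://example.invalid/tool.tgz',
    'nohup python3 dump_db.py &',
]

if __name__ == '__main__':
    summary, bad = summarize_access_log(SAMPLE_NGINX_LINES)
    for ip, n in flag_recon_sources(summary):
        print(f"{ip}: {n} sensitive-path probes, UAs={sorted(summary[ip]['user_agents'])}")
    print(f'{bad} unparsable line(s) skipped')
    print(tool_usage_from_history(SAMPLE_BASH_HISTORY).most_common())
```

Run against real leaked logs, the useful outputs are the distinct user-agent set per IP (a source that rotates between a browser string, `curl` and `python-requests` within minutes is tooling, not a person) and the probe list, which tells you which of your own paths an attacker expected to find; both feed directly into the hardening check in the last recommendation.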