
0APT and KryBit ransomware turf war forces rebuild and rebrand pressure

Threat Actor Meta
Happening score (H score): 33
1 unique source, 1 article

Summary


0APT and KryBit escalated a ransomware turf war in April 2026 by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that undermine their credibility. The clash revealed KryBit's operators, affiliates, negotiation data, and the fact that 0APT's claimed victim list was fabricated. The damage is likely to force both groups to rebuild, rebrand, and deploy new infrastructure to stay active.

Related Happenings

ShinyHunters school-by-school extortion campaign targeting Canvas institutions

Campaign
First: 11.05.2026 13:05 Last: 11.05.2026 13:05 Sources 1

About this happening: ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...

Instructure hit by cyberattack

Incident
First: 04.05.2026 01:16 Last: 04.05.2026 01:16 Sources 1

About this happening: **Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...

Latest development: 14.05.2026 23:19

The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions sought briefings from Instructure over the Canvas compromise, pressing the edtech vendor on whether it paid a ransom, what data was affected, how it handled the recent attacks, and whether the incident was linked to a prior Salesforce compromise.

0APT and KryBit mutual operational data leak

Data Leak
First: 28.04.2026 16:00 Last: 28.04.2026 16:00 Sources 1

How related: Two ransomware groups are licking their wounds and rebuilding their infrastructure after leaking each other’s operational data online, according to Halcyon.

About this happening: The **0APT** and **KryBit** ransomware groups are in a live **data leak** fight that exposed internal operator records, victim negotiation data, and core infrastructure files. One...

Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure

Campaign
First: 20.04.2026 23:02 Last: 20.04.2026 23:02 Sources 1

About this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...

2025 Automotive carmakers ransomware surge

Target Trend
First: 16.04.2026 11:35 Last: 16.04.2026 11:35 Sources 1

About this happening: In **2025**, ransomware became the **fastest-growing** and most disruptive threat to **automotive carmakers**, accounting for **44% of attacks** and **more than doubling** over th...

Timeline

  1. 28.04.2026 16:00 2 articles · 29d ago

    Halcyon discloses 0APT and KryBit mutual leak retaliation

    Initial Disclosure

    Halcyon says 0APT and KryBit escalated a ransomware turf war by leaking each other’s operational data, with KryBit exposing 0APT access logs, PHP source code, and system files after 0APT claimed KryBit, RansomHouse, and Everest Group on its leak site. The exposure showed 0APT’s claimed 190+ January 2026 victims were fabricated, while KryBit’s leaked administrator panel exposed two administrators, five affiliates, 20 potential victims, victim negotiation data, exfiltration volumes of 10-250GB per victim, and ransom demands of $40,000-$100,000; KryBit also maintained defacement of the 0APT leak site, and both groups now appear likely to rebuild, rebrand, and spin up new infrastructure.
