Ransomware groups 0APT and KryBit engage in retaliatory data leaks disrupting operations
Summary
Hide ▲
Show ▼
A retaliatory cyber conflict between the ransomware groups 0APT and KryBit resulted in mutual data leaks exposing operational details, infrastructure, and fabricated victim claims. The incident began in late March 2026 when 0APT leaked KryBit’s administrative panel, personnel data, and negotiation records, prompting KryBit to retaliate by stealing 0APT’s operational data and defacing its leak site. Both groups now face operational disruption, requiring infrastructure rebuilds, while Everest Group remains unaffected but exposed. The event highlights escalating instability within the ransomware ecosystem driven by credibility erosion and financial pressure.
Timeline
-
28.04.2026 16:00 1 articles · 1h ago
Retaliatory data leaks between 0APT and KryBit disrupt ransomware operations
0APT leaks KryBit’s administrative and negotiation data in late March 2026, prompting KryBit to retaliate by exfiltrating 0APT’s full operational dataset and defacing its leak site. Analysis reveals 0APT’s previously claimed victims were fabricated. Both groups now face operational collapse, requiring infrastructure rebuilds to resume activities.
Show sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
Information Snippets
-
0APT initially claimed responsibility for breaching KryBit, RansomHouse, and Everest Group, publishing victim data on its leak site.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
KryBit’s leaked administrative panel contained data for two primary operators, five affiliates, 20 potential victims, and victim negotiation records spanning 28 March 2026 to 12 April 2026.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
KryBit retaliated by exfiltrating 0APT’s full operational dataset, including access logs, PHP source code, and system files, and defacing 0APT’s leak site with a warning message.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
Analysis of 0APT’s leaked access logs revealed that its previously claimed 190+ victims in January 2026 were fabricated, with no actual data exfiltration occurring.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
0APT’s leak site infrastructure operated on an AnLinux-Parrot OS, with content pushed via an Android phone’s internal SD card.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
0APT has been unable to recover from the infrastructure compromise, while KryBit maintains control of the defaced leak site.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
Operators for both 0APT and KryBit are expected to rebuild, rebrand, and relaunch new infrastructure over the coming weeks to months to resume operations.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00
-
Everest Group’s encoded and hashed publication and user data was leaked by 0APT but has not yet responded with retaliatory actions.
First reported: 28.04.2026 16:001 source, 1 articleShow sources
- Ransomware Turf War as 0APT and KryBit Groups Trade Blows — www.infosecurity-magazine.com — 28.04.2026 16:00