Two rival ransomware gangs — 0APT and KryBit — hacked each other in April 2026 and published each other’s full operational datasets. The resulting ransomware infrastructure exposure produced the kind of unfiltered intelligence defenders rarely get: plaintext affiliate credentials, Bitcoin wallet addresses, victim negotiation records, and — most significantly — proof that 0APT fabricated all 190+ of its claimed victims. For blue teams, this is a rare, direct look inside two active ransomware operations.
How the Conflict Unfolded
On April 13, 2026, the threat actor known as 0APT published what it claimed was the complete database of the KryBit ransomware operation. The dump included victim records, administrator and affiliate credentials stored in plaintext, five Bitcoin wallet addresses, encryption tokens, and a 56MB exfiltration file inventory covering activity from March 28 to April 12, 2026.
The apparent motive was leverage, not ideology. 0APT threatened to dox KryBit’s operators — to publish real identities, photographs, and locations — unless a ransom was paid. This inverted the standard victim–attacker dynamic, with a ransomware group attempting to extort another ransomware group.
KryBit responded within 48 hours. Rather than pay, the group compromised 0APT’s server and defaced its leak site with the message: “Next time, don’t play with the big boys.” KryBit then published 0APT’s complete operational dataset: PHP source code, 998 lines of bash history, 652,813 lines of nginx access logs, and Linux system files including /etc/passwd, /etc/shadow, /etc/gshadow, the server hostname, and the full nginx configuration.
The exchange produced more actionable threat intelligence in 72 hours than most external research efforts yield in months.
What KryBit’s Exposed Data Reveals
Halcyon’s analysis of the KryBit leak revealed a small but structurally complete ransomware-as-a-service (RaaS) operation:
- 2 administrators and 5 active affiliates
- 20 active victim negotiations with ransom demands ranging from $40,000 to $100,000
- 10–250GB of staged exfiltration data per victim, covering activity between late March and mid-April 2026
- 5 Bitcoin wallet addresses — none showing any incoming or outgoing transactions
- Plaintext credential storage: passwords appear in both a password field and a plain_password field with identical values; no hashing, no salting
The zero-transaction wallet state is operationally significant. KryBit had active affiliates, live victim negotiations, and staged exfiltration data, but had collected no ransom payments at the time of the leak. The leaked records do not say whether this reflects a recently launched operation or victims who declined to pay. One caveat before reading too much into it: the five addresses in the dump are not necessarily the operation's only payment addresses, since many RaaS panels generate a fresh address per victim.
Also exposed: six .onion domains used by KryBit's infrastructure, and Tox communication handles for all administrators and affiliates. Tox IDs are particularly worth tracking. The first 64 hex characters of a Tox ID are the account's long-term public key, so an operator who keeps the same Tox account keeps the same key even if the remaining characters (the nospam value and checksum) change; these identifiers frequently persist when operators rebrand or migrate to new services.
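As an added example (not code from the original article, from Halcyon, or from Barricade), the following Python shows how to cross-reference Tox IDs on the public-key portion rather than on the whole 76-character string, so that an operator who changes only the nospam value still matches. The field layout it relies on (32-byte public key, 4-byte nospam, 2-byte XOR checksum) is the published Tox ID format; the IDs in the block are constructed for the demo and are not the leaked KryBit or 0APT handles.

```python
"""Normalize Tox IDs to the long-term public key so rebrands can be matched."""
from __future__ import annotations

import secrets

TOX_ID_HEX_LEN = 76   # 32-byte key + 4-byte nospam + 2-byte checksum, hex-encoded


def tox_checksum(key_and_nospam: bytes) -> bytes:
    """Tox checksum: XOR the 36 bytes of key||nospam down into two bytes (per the Tox spec)."""
    cs = bytearray(2)
    for i, b in enumerate(key_and_nospam):
        cs[i % 2] ^= b
    return bytes(cs)


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Assemble a Tox ID from a 32-byte public key and a 4-byte nospam value."""
    if len(public_key) != 32 or len(nospam) != 4:
        raise ValueError("public key must be 32 bytes and nospam 4 bytes")
    body = public_key + nospam
    return (body + tox_checksum(body)).hex().upper()


def parse_tox_id(tox_id: str) -> dict:
    """Validate a Tox ID and split it into its fields; raise ValueError if malformed."""
    tox_id = tox_id.strip().upper()
    if len(tox_id) != TOX_ID_HEX_LEN:
        raise ValueError(f"Tox ID must be {TOX_ID_HEX_LEN} hex chars, got {len(tox_id)}")
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError as exc:
        raise ValueError("Tox ID is not hex") from exc
    key, nospam, checksum = raw[:32], raw[32:36], raw[36:]
    if tox_checksum(key + nospam) != checksum:
        raise ValueError("Tox ID checksum mismatch (typo or tampering)")
    return {"public_key": key.hex().upper(), "nospam": nospam.hex().upper(), "id": tox_id}


def match_by_public_key(known: dict[str, str], candidates: list[str]) -> list[tuple[str, str]]:
    """Return (label, candidate_id) pairs where a candidate shares a long-term key with a known actor.

    `known` maps an actor label to a Tox ID from the leak; `candidates` are IDs seen on new services.
    Malformed candidates are skipped rather than aborting the whole sweep."""
    index = {parse_tox_id(tid)["public_key"]: label for label, tid in known.items()}
    hits = []
    for cand in candidates:
        try:
            pk = parse_tox_id(cand)["public_key"]
        except ValueError:
            continue
        if pk in index:
            hits.append((index[pk], cand))
    return hits


# --- Constructed demo data (not real KryBit/0APT identifiers) ---
DEMO_KEY = bytes(range(1, 33))                                  # fixed 32-byte "public key"
LEAKED_ID = make_tox_id(DEMO_KEY, b"\x00\x00\x00\x01")          # ID as it appeared "in the leak"
REBRANDED_ID = make_tox_id(DEMO_KEY, b"\xde\xad\xbe\xef")       # same key, new nospam: different ID
UNRELATED_ID = make_tox_id(secrets.token_bytes(32), b"\x00\x00\x00\x01")

if __name__ == "__main__":
    print("leaked   :", LEAKED_ID)
    print("rebranded:", REBRANDED_ID)
    print("hits     :", match_by_public_key({"affiliate-3": LEAKED_ID},
                                            [REBRANDED_ID, UNRELATED_ID, "junk"]))
```

A naive string comparison of the two demo IDs finds no match; comparing on the public-key field does. Store the 64-character key, not the full ID, in your intelligence platform.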
What 0APT’s Exposed Data Reveals
KryBit’s counter-hack produced a more operationally surprising dataset. Barricade Cyber Solutions’ analysis of the 0APT breach confirmed:
0APT's entire data leak site ran on an Android phone. The group used AnLinux-Parrot as its hosting environment: Parrot OS installed inside the Termux app and run under PRoot, a user-space chroot, rather than on a real server. The full server stack was Nginx on port 8080 → PHP 8.2-FPM → Tor hidden service, with all web content stored under /sdcard/ (Android's shared storage). Services were started manually each session with no systemd, no auto-start, and no persistence mechanism, so a reboot or a closed Termux session took the site offline. There is no redundancy, no failover.
KryBit gained server access by exploiting a combination of world-writable (777) file permissions, an exposed admin panel at the path admin9apt.php, and general server misconfiguration.
More consequential than the infrastructure findings: 0APT’s 190+ claimed victims, posted to its leak site in January 2026, were entirely fabricated. No data was ever exfiltrated from any of the listed organizations. The group posted fake victim entries to establish credibility in a criminal marketplace where reputation depends on demonstrated activity. The 652,813 nginx log lines and 998 bash history entries recovered from 0APT’s server made the fabrication provable — there are no exfiltration commands, no staging activity, no victim network access.
Ransomware Infrastructure Exposure: Defender Takeaways
The mutual exposure generates immediately actionable indicators. Security teams should prioritize:
Ingest and monitor the exposed IOCs. Submit the five KryBit Bitcoin wallet addresses to blockchain analysis platforms for transaction monitoring:
# Example: register a BTC address with the Chainalysis Address Screening API, then fetch its assessment
# (two-step register/retrieve flow and {"address": ...} body per the Chainalysis docs; confirm against current docs)
curl -s -X POST "https://api.chainalysis.com/api/risk/v2/entities" \
-H "Token: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"address": "<wallet_address>"}'
# Retrieve the risk assessment for the address registered above
curl -s "https://api.chainalysis.com/api/risk/v2/entities/<wallet_address>" \
-H "Token: YOUR_API_KEY"
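A free alternative to a commercial screening API, added here as example code rather than anything from the original article: poll an Esplora-style block explorer (blockstream.info and mempool.space both expose GET /api/address/<addr> with chain_stats and mempool_stats counters) and alert when an address leaves the zero-transaction state. The fetcher is injectable so the block runs offline against constructed responses; the sample addresses are standard documentation examples, not the leaked KryBit addresses, and the figures in the sample responses are made up.

```python
"""Watch leaked BTC addresses for a change from the zero-transaction state."""
from __future__ import annotations

import json
import re
import urllib.request
from typing import Callable

ESPLORA_BASE = "https://blockstream.info/api"   # mempool.space/api serves the same schema

# Loose syntactic check: legacy/P2SH base58 (1... / 3...) or lowercase bech32 (bc1...).
# It catches copy-paste damage in leaked IOCs; it is not a full checksum validation.
BTC_ADDR_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")


def fetch_address_stats(address: str) -> dict:
    """Live fetch from the explorer; used only when no fetcher is injected."""
    with urllib.request.urlopen(f"{ESPLORA_BASE}/address/{address}", timeout=15) as resp:
        return json.load(resp)


def check_addresses(addresses: list[str], baseline: dict[str, int],
                    fetch: Callable[[str], dict] = fetch_address_stats) -> list[dict]:
    """Compare each address's confirmed+mempool tx count against a stored baseline.

    Returns one record per address; 'alert' is True when activity exceeds the baseline
    (default baseline 0, i.e. the zero-transaction state seen in the leak)."""
    results = []
    for addr in addresses:
        if not BTC_ADDR_RE.match(addr):
            results.append({"address": addr, "error": "malformed address", "alert": False})
            continue
        stats = fetch(addr)
        confirmed = stats["chain_stats"]["tx_count"]
        pending = stats["mempool_stats"]["tx_count"]      # unconfirmed payments count too
        received_sat = (stats["chain_stats"]["funded_txo_sum"]
                        + stats["mempool_stats"]["funded_txo_sum"])
        total = confirmed + pending
        results.append({
            "address": addr,
            "tx_count": total,
            "received_btc": received_sat / 1e8,
            "alert": total > baseline.get(addr, 0),
        })
    return results


# --- Constructed sample responses (Esplora response shape; values are made up) ---
SAMPLE_RESPONSES = {
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq": {
        "chain_stats": {"tx_count": 0, "funded_txo_sum": 0, "spent_txo_sum": 0},
        "mempool_stats": {"tx_count": 0, "funded_txo_sum": 0, "spent_txo_sum": 0},
    },
    "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2": {
        "chain_stats": {"tx_count": 1, "funded_txo_sum": 5_000_000_000, "spent_txo_sum": 0},
        "mempool_stats": {"tx_count": 0, "funded_txo_sum": 0, "spent_txo_sum": 0},
    },
}


def demo() -> list[dict]:
    """Run the check offline against the constructed responses with an all-zero baseline."""
    watchlist = list(SAMPLE_RESPONSES) + ["not-an-address"]
    return check_addresses(watchlist, {}, fetch=SAMPLE_RESPONSES.__getitem__)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run it on a schedule with the previous run's tx_count values as the baseline; the first address that moves is the first confirmed payment, and the explorer's transaction list for that address then gives you the counterparty outputs to pass to a screening service.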
Add the six KryBit .onion domains, plus 0APT's leak site address, to your threat intelligence platform. Note that .onion names never resolve through public DNS, so a DNS blocklist entry does nothing by itself; the useful controls are alerting on any .onion string in proxy logs and blocking or alerting on Tor egress. Cross-reference the exposed Tox IDs against your existing threat intelligence holdings; these handles often survive rebrands.
Hunt for 0APT's admin panel naming convention in your web logs. The exposed path admin9apt.php was the panel on 0APT's own server, so it is an operator habit rather than an indicator you would expect in every victim's logs; it matters where the operator may have dropped a similarly named PHP file on a web server you own. If your organization was targeted by 0APT or a reconstituted successor, this signature may appear in historical logs:
# Detect PHP admin panel names consistent with 0APT's admin9apt.php (admin, digits, apt)
# Fields assume the nginx "combined" log format: $1 = client IP, $7 = request path, $9 = status
# zcat -f also reads rotated .gz logs and passes plain files through unchanged
zcat -f /var/log/nginx/access.log* | grep -E 'admin[0-9]+apt\.php' | \
awk '{print $1, $7, $9}' | sort | uniq -c | sort -rn
Validate any existing ransomware victim listings against internal telemetry. 0APT’s fabricated victim list demonstrates that dark web leak site claims require independent verification before assuming a compromise occurred. If your organization appears on a ransomware leak site, cross-reference with EDR telemetry, DLP egress logs, and network traffic data before treating the listing as confirmed exfiltration. The 0APT case is not unique — inflated victim counts have been a known credibility tactic across multiple groups.
Monitor for TTP migration when affiliates reconstitute. KryBit affiliates will migrate when the operation rebuilds or rebrands. Their staging and exfiltration behavioral patterns (10–250GB compressed archive staging, consistent victim negotiation timelines) can inform behavioral detections in EDR and DLP tooling. The ransom demand range ($40K–$100K) and per-victim staging volumes are softer fingerprints than Tox IDs or reused infrastructure, because both scale with the victim, but they help cluster the early activity of a successor brand.
Why Internecine Ransomware Conflicts Are a Defender’s Windfall
Ransomware groups hacking each other is uncommon, but the intelligence yield when it occurs is disproportionate to the drama involved. These leaks come from actors with privileged access to each other’s live systems — the data provenance is higher quality than most externally gathered samples, and the content arrives unredacted.
The KryBit panel breach exposed a complete RaaS backend, with affiliate accounts, victim negotiations, and data staging records, that no external researcher would have obtained through standard intelligence-gathering methods. The 0APT counter-leak proved victim fabrication at scale, effectively removing 190+ false positives from threat intelligence databases that had treated the 0APT listings as credible. Organizations that self-identified as 0APT victims can close those incidents once their own telemetry confirms there was no intrusion.
As Halcyon noted in its analysis: when operators reconstitute or affiliates migrate to a new service, their tactics, techniques, and procedures travel with them. The overlap between a defunct group’s TTPs and a new group’s early activity is precisely the signal defenders can alert on. Both groups will likely rebuild under new identities — the window between their current collapse and reconstitution is when threat intelligence teams should pay closest attention to newly emerging ransomware group activity.
Conclusion
The 0APT–KryBit feud produced a defensive intelligence windfall that neither group intended to provide. Plaintext credentials, five Bitcoin wallet addresses, affiliate accounts, a leak site hosted on an Android phone, and 190+ provably fabricated victim claims are now part of the public threat intelligence record. The immediate actions are clear: ingest and monitor the IOCs, hunt for admin panel artifacts in historical logs, verify any existing listings against internal telemetry, and watch for reconstitution from both operators.
For context on how threat actors build the OPSEC frameworks designed to prevent exactly these kinds of exposures, see our breakdown → Threat Actors Publishing Structured OPSEC Playbooks to Systematically Evade Detection
For any query contact us at contact@cipherssecurity.com

