Cyber Incident Victim: KryBit
Date: Apr 2026
Location: —
Summary
The ransomware‑as‑a‑service group KryBit, which offers kits for Windows, Linux, ESXi and NAS devices, was targeted by rival 0APT, which claimed to have breached its infrastructure and leaked details on two administrators, five affiliates, roughly twenty potential victims and ransom demands between $40,000 and $100,000. In response, KryBit infiltrated 0APT’s systems, exposed access logs, PHP source code and other operational files, listed 0APT as a victim on its leak site and left a taunting message. 0APT’s earlier victim list was later shown to be fabricated.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
0APT emerged in late January 2026 and posted a list of nearly 200 victims to its data leak blog over the course of a week. The list was widely regarded as fabricated due to a lack of evidence of actual compromises, although Halcyon assessed that 0APT used functioning encryptors. After the initial posting, 0APT went quiet for several months. KryBit emerged in late March 2026, offering ransomware‑as‑a‑service kits that targeted Windows, Linux, ESXi and network‑attached storage devices under an 80/20 affiliate model, and published ten legitimate victims in its first two weeks.

In mid‑April 2026, 0APT deleted its previous victim list and claimed to have launched ransomware attacks against ransomware operators, naming KryBit, Everest and RansomHouse as targets. Responding to the claim, KryBit breached 0APT’s infrastructure, exfiltrated operational data including access logs, PHP source code and system files, and listed 0APT as a victim on its own leak site. KryBit left a message on the defaced 0APT leak site stating “Next time, don't play with the big boys.” The exposure revealed two administrators, five affiliates and twenty potential victims associated with KryBit, and showed ransom demands ranging from forty thousand to one hundred thousand dollars.

0APT has been unable to recover from the leak, and its leak site remains defaced by KryBit. KryBit retained access to the exfiltrated 0APT data and continued to display the compromised information. The feud provided defenders with rare insight into the internal operations of both ransomware‑as‑a‑service groups.
