Menu
Browse

Cyber Incident Victim: 0APT

Date:

Apr 2026

Location:

Summary

0APT and KryBit engaged in a mutual data leak after it falsely claimed attacks on several ransomware groups and KryBit responded by exposing its infrastructure and leaking its operational files. The exchange revealed KryBit’s own administrators, affiliates and potential victims, while the initial victim list was shown to be fabricated and its leak site remained defaced by KryBit.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 2 motives 2 techniques
Threat Actors Type Location
2 actors Available to members Available to members

Description

0APT emerged in late January with a list of nearly 200 victims posted to its data leak blog over the course of a week. This list was widely regarded as fabricated because of a lack of evidence pointing toward victim compromises. Halcyon assessed that 0APT did use functioning encryptors despite the questionable victim claims. The actor failed to gain traction or affiliates and went quiet for months. In mid‑April, 0APT reemerged, deleting its previous list of fake victims while claiming ransomware attacks against ransomware operators including KryBit, Everest (active since 2020) and RansomHouse (active since 2021).

Cyber Incident Image

KryBit emerged in late March, offering ransomware‑as‑a‑service kits targeting Windows, Linux, ESXi and network‑attached storage devices. The group used an 80/20 affiliate model. In its first two weeks KryBit published ten legitimate victims. During the feud, 0APT exposed KryBit’s infrastructure and personnel. This exposure revealed two administrators, five affiliates, twenty potential victims and ransom demands ranging from forty thousand to one hundred thousand dollars.

In response, KryBit breached and exfiltrated 0APT’s infrastructure. KryBit listed 0APT as a victim on its own leak site. KryBit left a message on 0APT’s leak site reading “Next time, don’t play with the big boys.” Researchers determined that 0APT’s initial victim list was entirely fabricated, with no data exfiltrated. KryBit leaked 0APT’s operational data set, which included access logs, PHP source code and system files. 0APT has been unable to recover from the breach. KryBit continues to maintain defacement of the 0APT leak site.

Sources
Sources available to members
1 source