0APT Threatens to Dox Rival Ransomware Group Krybit in Unprecedented Cybercriminal Feud A new escalation in the ransomware underworld has emerged as the cybercriminal group 0APT publicly threatened to expose the identities of operators behind the rival Krybit ransomware operation. In a leaked blog post, 0APT issued an ultimatum: pay an undisclosed sum or face the release of personal details, including names, photos, and locations of Krybit affiliates. The group also extended an unusual offer to Krybit’s victims, promising decryption assistance an attempt to leverage its double-extortion tactics. However, cybersecurity experts note that such threats lose potency when directed at fellow criminals, who lack reputational concerns. Despite this, 0APT released a sample of allegedly stolen Krybit data as a warning, including plaintext credentials and five cryptocurrency wallet addresses. Analysis by Barricade Cyber Solutions found no evidence of paid ransoms to Krybit, contradicting the group’s public claims of success. Krybit’s website is currently offline, displaying a generic maintenance message. The conflict mirrors past intra-criminal disputes, such as DragonForce’s 2025 attacks on rivals BlackLock and Mamona, and its later takeover of RansomHub in 2024. Security firm Halcyon has acknowledged 0APT’s technical capabilities but noted that its initial victim list appeared inflated. For organizations encrypted by Krybit, the feud presents a rare but risky opportunity. While 0APT claims to offer decryption keys, its criminal nature makes such offers unreliable. Victims are advised to preserve forensic evidence, though engaging with either group remains hazardous. The incident underscores the volatile and unpredictable nature of ransomware rivalries.

The Akira Ransomware Group targeted an unnamed organization, initially blocked by its EDR solution. However, attackers exploited a vulnerable webcam discovered via a network scan to bypass EDR defenses and deploy ransomware. The breach highlights EDR/XDR blind spots in OT/IoT-IT convergence, where legitimate tools (e.g., RDP, PsExec) are weaponized to evade detection. The attack disrupted operations, demonstrating how ransomware groups leverage living-off-the-land (LotL) techniques and EDR killers (e.g., EDRSilencer) to disable protections. The incident aligns with broader trends: 48% of 2024 ransomware attacks successfully disabled EDR/XDR, and 57% of such attacks abuse utilities/tunnelers. The organization likely faced data encryption, operational downtime, and potential financial/legal repercussions, with attackers self-reporting the intrusion in nearly 50% of cases rather than being detected proactively.