Rival Ransomware Groups 0APT and Krybit Trade Hacks, Exposing Fake Victims and Stolen Data

Two ransomware gangs, OAPT and Krybit, just went to war with each other. Shockingly, it turned out OAPT is a total fraud running its operation from a mobile device. For now, the reason for starting the fight remains unclear.

Criminals Turning on Criminals

Two cybercriminal gangs on each other’s throats, rather than targeting victims, is definitely something we don’t see every day.

A ransomware group named 0APT decided to extort another cybercrime outfit called Krybit. They posted a threat on their dark web leak site this past Sunday. 0APT demanded payment and promised to release identities, photos, and locations if Krybit refused.

The irony is hard to miss. 0APT called Krybit a dangerous ransomware group that threatens global cybersecurity. Then attempted to blackmail the gang using the same double-extortion tactics.

Ransomware operators often threaten victims with reputational damage to coerce them into paying ransom. At least that makes sense since the target usually has a reputation to protect in the first place. But the same tactics aimed at criminals?

That is almost laughable. But cybercrooks do fear exposure. So the threat still carried some weight.

What 0APT Stole From Krybit

Security researcher Eric Taylor from Barricade Cyber Solutions downloaded the leaked Krybit files. His team found plaintext credentials for Krybit operators and affiliates. They also uncovered five cryptocurrency wallet addresses. And they saw zero evidence that Krybit had ever collected a single ransom payment.

Krybit’s website went offline quickly. A simple splash page appeared saying: “Everything will return to work shortly. We apologize for this.” But the real chaos had just started.

Krybit Strikes Back Hard

Krybit did not pay up. Instead, they fought back within 48 hours. They breached 0APT’s server, defaced their data leak site, and stole everything. We are talking PHP source code, bash history, nginx access logs, and system files.

Then Krybit posted 0APT as victim number one on their own leak site. The message read: “HACKED BY KRYBIT, Next time, don’t play with the big boys. The response will be fast.”

Running a Dark Web Empire from an Android Phone

Interestingly, Krybit’s leak exposed the truth about 0APT. The group ran its entire operation from an Android phone using AnLinux-Parrot. The operator manually typed startup commands each session. No auto-start, no persistence. Just a person on a phone pretending to be a major cyber threat.

The bash history showed constant mistakes. The user typed chmod 777 over 20 times. They could not run a basic binary. They made typos like mamo for nano and cd.. without a space. Their server kept crashing due to memory limits. So they wrote a crude loop to restart PHP-FPM every ten minutes.

Hundreds of Fake Victim Claims

The nginx access logs told the real story. Over 180 zip filenames referenced major organizations like Boeing, Goldman Sachs, and Mayo Clinic. Every single download returned a 502 error. No data existed. 0APT had simply fabricated everything. Their fancy dark web site with countdown timers and download buttons was a complete illusion.

However, Krybit is no better either. Their actual victims were just 13 in number across 10 different countries, often demanding $40,000 to $100,000 dollars as ransom. And none of the records showed any victim ever paid up. But they did prove they could hack back. And they exposed 0APT as a low-skill fake running from a phone.

So here we are, two criminal groups tore each other apart online. One turned out to be real but small-time. The other was never real to begin with. And defenders now have a rare gift: full visibility into both sides of a ransomware war. Use it before they rebuild.

The exposure of mental health data from Android therapy apps is a different kind of crisis, affecting tens of millions of ordinary users who trusted these apps with their most private thoughts, and serves as a reminder that privacy breaches can happen anywhere, not just in criminal enterprises.