TWO ransomware groups are licking their wounds and rebuilding after leaking each other’s data online, according to Halcyon. The set-to began when 0APT claimed the scalps of KryBit and established players RansomHouse and Everest Group, exposing KryBit’s infrastructure and personnel and prompting claims that the group would likely rotate leaked components to limit impact.
KryBit’s leaked administrator panel included data for primary operators, affiliates and victim negotiation data, with activity spanning 28 March 2026 to 12 April 2026; at the time of the leak KryBit had two administrators, five affiliates and 20 potential victims, with data exfiltrated per victim ranging from 10–250GB and ransom demands between $40,000 and $100,000.
KryBit responded by hacking back at 0APT, stealing data and defacing its leak site with the message “Next time, don’t play with the big boys,” and the full 0APT operational data set was leaked the following day, including access logs, PHP source code and system files.
The access logs showed that the 190+ victims initially posted by 0APT in January 2026 were fabricated and no data was exfiltrated, while the site infrastructure ran on an AnLinux-Parrot OS and was pushed via an Android phone’s internal SD card, and 0APT has been unable to recover. Chainalysis data from 2025 revealed that crypto-payments to ransomware actors plummeted 8% annually to $820m, even as the number of attacks increased 50%.