FEUDING ransomware groups have leaked data from each other, with 0APT and KryBit exposing infrastructure and operational data that defenders can study. According to Halcyon Ransomware Research Center, 0APT emerged in late January and posted a list of nearly 200 victims, which was regarded as fabrications, though Halcyon noted 0APT used functioning encryptors.
In mid-April, 0APT reemerged, claiming attacks against KryBit, Everest, and RansomHouse, while KryBit, which operates an 80/20 affiliate model, published 10 legitimate victims in its first two weeks and later breached 0APT’s infrastructure, listing it as a victim. KryBit’s disclosure showed two administrators, five affiliates, 20 potential victims, and ransom demands between $40,000 and $100,000.
The researchers said KryBit leaked the full 0APT operational data set the next day, including full access logs and PHP source code, and that the 190+ victims 0APT had posted in January 2026 were fabricated. Totaro, an intelligence analyst quoted in the piece, notes that while the drama may seem chaotic, it provides a real and actionable intelligence window for defenders. 28 April 2026.