KRYBIT and 0APT ransomware groups engage in turf war exposing fabricated victim claims
A ransomware turf war erupted between the KRYBIT and 0APT groups in April 2026 when 0APT listed KryBit as a victim on its leak site and threatened to expose operator identities. KryBit responded by hacking 0APT's infrastructure, defacing its leak site, and publishing operational files including access logs and PHP source code. The leaked data revealed that 0APT's claimed 190+ victims were entirely fabricated: no data was ever exfiltrated. KryBit's leaked admin panel showed two administrators, five affiliates, and 20 potential victims, with ransom demands between $40,000 and $100,000 and data exfiltration ranging from 10 to 250 GB per victim. Halcyon's ransomware research center noted both groups will likely need to rebuild infrastructure. The incident follows a pattern of criminal-on-criminal attacks, including DragonForce's 2025 attacks on BlackLock and Mamona.