Two ransomware groups are licking their wounds and rebuilding their infrastructure after leaking each other’s operational data online, according to Halcyon.
The set-to began when 0APT claimed the scalps of three ransomware groups on its leak site: newcomer KryBit and established players RansomHouse and Everest Group.
The leak exposed KryBit infrastructure and personnel, and the group will likely need to “rotate leaked operational components to ensure impact on their activities is limited,” Halcyon explained.
“KryBit’s leaked administrator panel included data for KryBit’s primary operators, affiliates, and victim negotiation data. The activity spanned between 28 March 2026 and 12 April 2026. At the time of the leak, KryBit had two administrators and five affiliates along with 20 potential victims. The data exfiltrated for each victim ranged between 10-250GB and ransom demands between $40,000-$100,000.”
KryBit responded by hacking back at 0APT, stealing data and defacing its leak site with the message: “Next time, don’t play with the big boys,” according to the report.
“KryBit leaked the full 0APT operational data set the following day, which included full access logs, PHP source code, and system files. The access logs revealed that the 190+ victims initially posted by 0APT in January 2026 were entirely fabricated and no data was ever exfiltrated from any of the listed victims,” Halcyon explained.
“Additionally, the infrastructure for the ransomware data leak site was operating on an AnLinux-Parrot OS and pushing all content via an Android phone’s internal SD card. 0APT has been unable to recover, and KryBit maintains defacement of the 0APT leak site.”
0APT Aggression Backfires
The aggressor in this case, 0APT, appears to have been trying to garner some notoriety for itself after previous attempts to drum up affiliate interest in its business failed. However, that seems to have backfired after KryBit responded in kind.
Everest Group thus far has not hit back at 0APT, despite having its encoded and hashed publication and user data leaked by the group.
“Due to the extensive leaks of both KryBit and 0APT, the operators will likely have to rebuild, rebrand, and spin up new infrastructure over the next few weeks to months to remain active,” Halcyon concluded.
Former Barclays CISO and Halcyon chief strategy officer, Oliver Newbury, said the tit for tat is a sign of the financial pressure that ransomware groups are under.
“These groups depend on credibility to survive, so when that starts to crack, rivals move fast to expose it,” he added.
“We’re now seeing them disrupt each other’s operations, taking over infrastructure and undermining campaigns in real time. It creates instability, but not safety. The ecosystem doesn’t shrink, it reshapes, often becoming harder to predict in the process.”
Chainalysis data from 2025 revealed that crypto-payments to ransomware actors plummeted 8% year on year to $820m, even as the number of attacks increased 50%.
