The 0APT “Doxxing” Campaign That’s Tearing the Ransomware Underworld Apart

A rare internecine conflict has erupted within the dark web’s underbelly, as one ransomware syndicate has chosen to exert pressure not upon corporate entities, but upon its own rivals. This development is remarkably anomalous, even within a clandestine marketplace where cutthroat competition is the established norm.

The group designated as 0APT has issued a dire ultimatum to unmask the identities of those participating in the rival Krybit collective. Analysts observed the threatening missive on their platform this past Sunday. While the underlying motives for this coercion remain obscured, the rhetoric employed is strikingly contradictory.

0APT denounces Krybit as extortionists while simultaneously demanding a ransom of their own, threatening to publish photographs, legal names, and precise geographical coordinates of individuals associated with the group. In a parallel maneuver, the aggressors have offered complimentary decryption assistance to those who have fallen victim to Krybit’s predations.

Emulating the traditional “double extortion” stratagem, 0APT disseminated a modest fragment of purportedly stolen data to intensify the pressure. However, such tactics are often less efficacious when the target is a criminal peer rather than a commercial enterprise. The reputational stakes that compel corporations to comply carry negligible weight in the criminal demimonde. Nevertheless, the threat of exposure—doxing—remains a potent deterrent for individuals who traditionally rely on absolute anonymity to evade prosecution.

The investigative team at Barricade Cyber Solutions has meticulously analyzed the leaked files. According to CEO Erik Taylor, the cache contains plaintext credentials and several cryptocurrency wallet addresses, though notably, it lacks any evidence of successful ransom payments.

At the time of reporting, the Krybit platform remains incapacitated, displaying only a placeholder promising a swift restoration of services.

0APT emerged in January 2026 and has swiftly garnered notoriety. The Halcyon ransomware analysis center contends that while the group possesses significant technical aptitude, their earlier assertions regarding hundreds of victims appear to be hyperbolic. Significantly less is known about Krybit; specialized cybersecurity firms have yet to publish comprehensive dossiers, as the group’s activities seemingly commenced only a few weeks prior.

Such adversarial collisions between cybercriminals are not without precedent. In 2025, DragonForce launched assaults against competitors BlackLock and Mamona, and subsequently interfered with the operations of RansomHub, an intervention that ultimately precipitated the project’s dissolution following internal discord.