
Rival Ransomware Crews Expose Each Other’s Ops

On April 29, 2026, the infighting between 0APT and KryBit led to leaked command servers and decryption keys—giving defenders an unprecedented edge. Details from Dark Reading and BleepingComputer.

On April 29, 2026, two ransomware groups—0APT and KryBit—escalated their feud by exposing each other’s backend infrastructure, leaking internal chat logs, encryption keys, and access credentials. In a rare twist, cybercriminals became the source of intelligence for defenders, handing over troves of data that typically remain buried behind layers of obfuscation and encrypted channels.

Key Takeaways

  • 0APT and KryBit, both active ransomware operators, launched retaliatory attacks against each other’s infrastructure on April 29, 2026.
  • The infighting led to the public exposure of command-and-control servers, internal communications, and active decryption keys.
  • Security researchers recovered 14 decryption keys from the leaked data, already used to unlock victims’ systems.
  • The breach revealed shared tools and infrastructure patterns, suggesting possible overlap in developer networks.
  • Defensive teams now have real-time visibility into TTPs—tactics, techniques, and procedures—used by active ransomware groups.

When Hackers Turn on Each Other

It started with a post on a dark web forum. A user attributed to the 0APT group accused KryBit of “poaching” targets—specifically, businesses already compromised by 0APT’s initial access brokers. The message, timestamped April 28, 2026, included a warning: “We know your IPs. We know your tunnels. You cross us again, we burn it all.”

By 3:17 a.m. UTC on April 29, 2026, 0APT made good on that threat. They dumped a 2.3 GB archive labeled “KryBitExposed” to a public Telegram channel. Inside: credentials for KryBit’s primary command server, logs from their victim negotiation portal, and a partial database of ongoing ransom operations.

KryBit responded within hours. They released a counter-dump titled “0APT_Trace,” containing screenshots of 0APT’s internal Discord server, active SSH keys, and what appears to be a development environment for their encryption module. The file also included metadata pointing to a server hosted in Kazakhstan—infrastructure previously unlinked to 0APT in public threat reports.

This isn’t petty squabbling over turf. It’s a full-scale breach of operational security from both sides. And while their motives were self-serving—each trying to cripple the other—the fallout has been a windfall for defenders.

What Was Actually Leaked?

The data isn’t symbolic. It’s actionable. Analysts at Cyble Research confirmed that the 14 decryption keys extracted from KryBit’s leak have already been used to restore systems in at least six organizations, including a mid-sized hospital in Indiana and a manufacturing firm in Bavaria.

Among the most significant disclosures:

  • A full listing of KryBit’s affiliate IDs and payout logs, revealing how much each operator earned in Q1 2026
  • 0APT’s GitHub-like code repository, including commit logs and version control notes
  • Names of third-party brokers used by both groups to acquire initial access via RDP and phishing kits
  • Server configurations, including nginx reverse proxy rules and self-signed SSL certificates tied to C2 domains

What makes this unusual is the depth. Most ransomware leaks come from victim-side breaches or law enforcement takedowns. Here, the criminals themselves pulled the trigger—likely without expecting defenders to move this fast.

Decryption Keys Are Now Public

The release of live decryption keys is especially rare. Ransomware groups guard these like state secrets. Once exposed, the encryption scheme becomes useless for future attacks. Yet here they are: 14 keys, each tied to active campaigns, now hosted on a public threat intelligence repository maintained by researchers.

“This is like finding the master key to an entire housing complex,” said Allan Liska, intelligence analyst at Recorded Future, in a statement referenced by Dark Reading. “It doesn’t unlock every door, but it gets you into a lot of them—and it forces the criminals to rekey everything.”

How Defenders Are Using the Data

Within 12 hours of the first leak, firewall vendors updated their threat signatures. Palo Alto Networks pushed a high-priority update that blocked traffic to 37 newly identified C2 domains linked to KryBit’s infrastructure. CrowdStrike added five new YARA rules to detect 0APT’s loader across its Falcon platform.

But it’s not just about blocking. The logs show how both groups operate their ransom negotiation portals—web interfaces where victims pay and receive decryption tools. Researchers found that KryBit used a custom-built React frontend with a Firebase backend, hosted behind Cloudflare. That’s ironic. They used legitimate developer tools to run illegal operations—tools that now contain hardcoded API keys, accidentally exposed in the dump.

One developer-focused implication: misconfigured cloud environments are the weak link. The 0APT leak revealed Firebase projects with debug mode enabled and admin privileges exposed. That’s not a flaw in Firebase. That’s a failure in operational hygiene—something every dev team should audit.
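The audit the paragraph calls for, as an added example (not the article's or Firebase's code): a check over a Firebase Realtime Database rules document that reports every path readable or writable without an authenticated user, with a constructed weak document beside a corrected one. The article's "debug mode" is not defined, so this assumes the failure it describes is rules that grant access with no `auth` condition.

```python
"""Audit Firebase Realtime Database rules for paths reachable without an
authenticated user. Added example, not from the article or Firebase; the two
rules documents are constructed to show a weak setting beside a corrected one."""
import json

PERMISSIONS = (".read", ".write")


def grants_anonymous(expr) -> bool:
    """Rules are booleans or string expressions. Anything that is literally true,
    or that never references `auth`, can be satisfied by an unauthenticated client."""
    if isinstance(expr, bool):
        return expr
    if isinstance(expr, str):
        e = expr.strip().lower()
        return e != "false" and (e == "true" or "auth" not in e)
    return False


def audit_rules(rules_doc: dict) -> list[str]:
    """Return 'permission@path' for every .read/.write rule that grants
    access without an auth check; an empty list means none were found."""
    findings = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in PERMISSIONS and grants_anonymous(value):
                findings.append(f"{key}@{path or '/'}")
            elif isinstance(value, dict):  # child path or $wildcard segment
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


# Constructed weak document: world read/write at the root, plus an admin
# path guarded only by a data check that any client can satisfy.
WEAK_RULES = json.loads("""{"rules": {
  ".read": true, ".write": true,
  "admin": {"config": {".write": "data.exists()"}}}}""")

# Constructed corrected document: default deny, per-user paths tied to
# auth.uid, admin path gated on membership in an /admins list.
HARDENED_RULES = json.loads("""{"rules": {
  ".read": false, ".write": false,
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                     ".write": "auth != null && auth.uid === $uid"}},
  "admin": {".read": "root.child('admins').child(auth.uid).exists()",
            ".write": "root.child('admins').child(auth.uid).exists()"}}}""")
```

Run `audit_rules` against an exported rules file in CI; a non-empty result on anything but an intentionally public path should fail the build.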

Shared Code, Shared Networks?

Forensic analysis uncovered something else: overlap in tooling. Both groups used a modified version of the same PowerShell obfuscation script, with identical variable naming conventions—$_XorKey and Invoke-CryptBuffer. The timestamps on the files suggest they originated from the same source, possibly a shared developer or underground toolkit vendor.
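As an added example (not from the article or from any vendor's rule set): detection logic that scans PowerShell script text for the two identifiers the article reports as shared, including when the script is wrapped in an `-EncodedCommand` argument, which PowerShell takes as base64-encoded UTF-16LE. The sample scripts are constructed; the identifier names come from the article.

```python
"""Flag PowerShell text containing the shared-tooling identifiers named in the
article, including inside -EncodedCommand payloads. Added example; samples are
constructed, not taken from the leaked archives."""
import base64
import re

# Identifiers the article reports as common to both groups' obfuscation scripts.
SHARED_IDENTIFIERS = ("$_XorKey", "Invoke-CryptBuffer")

# powershell.exe -EncodedCommand (commonly -enc or -e) takes base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_commands(text: str) -> list[str]:
    """Return the plaintext of every -EncodedCommand argument found in text."""
    decoded = []
    for blob in ENC_FLAG.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; skip it
    return decoded


def find_shared_identifiers(script: str) -> dict:
    """Search the script and every decoded -EncodedCommand layer. PowerShell
    identifiers are case-insensitive, so compare lowercased. Reports which
    identifiers matched, whether both did, and whether a match was encoded."""
    layers = [script] + decode_encoded_commands(script)
    hits, in_encoded = set(), False
    for depth, layer in enumerate(layers):
        for ident in SHARED_IDENTIFIERS:
            if ident.lower() in layer.lower():
                hits.add(ident)
                in_encoded |= depth > 0
    return {
        "matched": sorted(hits),
        "both_present": len(hits) == len(SHARED_IDENTIFIERS),
        "in_encoded_layer": in_encoded,
    }


# Constructed samples: one plaintext, one wrapped in -enc, one benign.
PLAIN_SAMPLE = "$_XorKey = 0x5A; $out = Invoke-CryptBuffer -Key $_XorKey -Data $blob"
ENCODED_SAMPLE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    PLAIN_SAMPLE.encode("utf-16-le")).decode("ascii")
BENIGN_SAMPLE = "Get-ChildItem -Recurse | Where-Object { $_.Length -gt 1MB }"

if __name__ == "__main__":
    for name, s in [("plain", PLAIN_SAMPLE), ("encoded", ENCODED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, find_shared_identifiers(s))
```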

That doesn’t mean 0APT and KryBit are the same group. But it hints at a broader ecosystem where ransomware-as-a-service (RaaS) kits are traded, modified, and redeployed across factions. When one leaks, others become vulnerable by association.

The Irony of Criminal Transparency

Here’s the bitter irony: these groups built their business models on secrecy, encryption, and stealth. Yet their own lack of internal security—poor credential management, exposed dev environments, unpatched systems—undid them.

They used consumer-grade chat apps. They reused passwords. They stored keys in plaintext. In many ways, they operated like under-resourced startups with terrible DevOps practices. And when conflict hit, their entire infrastructure cracked open.

It’s a reminder that security isn’t just about hiding from defenders. It’s about trust, access control, and assuming breach. The same principles we preach in enterprise environments apply—even if your enterprise is criminal.

What This Means For You

If you’re a developer working on internal tools or security products, this leak offers real data to improve detection logic. The exposed C2 server patterns, encryption workflows, and command structures can be used to refine endpoint detection rules or simulate attack scenarios in test environments. But more importantly, it’s a case study in what happens when access controls fail. Treat every service account, every API key, every staging environment like it could be dumped on Telegram tomorrow.

For founders and engineering leads: this isn’t just a cybersecurity story. It’s a systems design story. The same sloppiness that brought down 0APT and KryBit—hardcoded credentials, public repos, unmonitored admin access—can cripple any organization. Use this moment to audit your own tooling. Because if two well-funded, technically capable ransomware groups can’t secure their own ops, your team shouldn’t assume it’s immune.

So here’s the question: how many other criminal or corporate networks are one internal fight away from collapse?

Why It Matters Now: The Escalation of Cybercrime Ecosystems

Ransomware isn’t run by lone hackers in basements anymore. It’s a structured, monetized industry with developers, affiliates, customer support desks, and even SLAs. The 0APT-KryBit conflict exposes how brittle these ecosystems can be when trust breaks down. In 2025, global ransomware damages topped $22 billion, according to FBI IC3 reports. RaaS platforms like LockBit, ALPHV, and Clop have operated with near-corporate efficiency, offering affiliate programs that take 20–30% of ransoms. 0APT and KryBit followed that model—each reportedly paid out over $4 million to affiliates in 2025 alone, based on transaction logs in the dump.

But as these groups scale, so do internal tensions. Access brokers—who sell initial network entry via phishing or RDP exploits—often list compromised networks on underground marketplaces. When multiple groups buy access to the same company, overlap happens. That’s what sparked this feud. It wasn’t ideology. It was economics. And when profits are at stake, alliances dissolve fast.

This isn’t isolated. In late 2023, LockBit affiliates publicly feuded after a member leaked internal data. In 2024, researchers at Emsisoft documented a split in the BlackCat ransomware network over payout disputes. The trend is clear: as cybercrime becomes more commercialized, its internal governance fails. No contracts. No HR. No oversight. Just trust, money, and retaliation.

For defenders, this creates a new intelligence window. These infighting events are rare but high-yield. They offer full-stack visibility—from code to cashflow—that law enforcement rarely captures in coordinated takedowns.

Industry Response and the Limits of Reactive Defense

The speed of the defensive response was impressive, but it also revealed a dependency on reactive measures. Companies like Palo Alto, CrowdStrike, and SentinelOne updated their detection rules within hours. Microsoft Defender added indicators of compromise (IOCs) for both groups by midday on April 29. Yet these updates only protect against known artifacts—not novel techniques.

Take the YARA rules CrowdStrike deployed. They target 0APT’s loader, a PowerShell-based script that decrypts the ransomware payload in memory. But the leak showed that 0APT had already begun testing a new version using .NET Native, which compiles to machine code and evades signature-based detection. That variant wasn’t in the dump. It wasn’t caught.

Meanwhile, some vendors were slow to act. Smaller endpoint protection firms like Cynet and Bitdefender didn’t publish IOC updates until April 30, leaving gaps for attackers to exploit. And cloud security providers—especially those focused on AWS and Azure environments—were caught off guard by the Firebase exposure. Wiz and Palo Alto’s Prisma Cloud issued configuration advisories only after researchers demonstrated how the exposed keys could pivot to full cloud account takeover.

This highlights a systemic issue: the security industry still leans heavily on IOCs, even though they expire fast. Behavior-based detection and anomaly monitoring—like those used by Darktrace and Vectra—are better at catching unknown threats. But they require more tuning and aren’t as widely adopted. The irony? The same criminal groups mocking “script kiddies” for relying on outdated tools are now victims of their own reliance on static infrastructure.

What Competitors Are Doing Differently

Not all ransomware groups operate with the same sloppiness. Some have learned from past leaks. After the 2022 Conti leaks—which exposed internal chats, finances, and attack methods—several top-tier groups overhauled their internal security. BlackCat, for instance, migrated from Discord to a custom, self-hosted chat platform with E2E encryption and multi-party access controls. They also stopped using public cloud services for C2 infrastructure, shifting to bulletproof hosting providers in jurisdictions with lax cyber laws.

LockBit, despite multiple takedowns, has maintained resilience by rotating encryption keys more frequently and limiting code access to core developers. Their 2025 rebuild, LockBit 4.0, introduced a modular architecture that isolates components—making it harder to reverse-engineer even if one piece is exposed. They also implemented time-based access tokens for their affiliate portal, reducing the risk of long-term credential exposure.

In contrast, 0APT and KryBit were still using Discord for real-time coordination and storing active SSH keys in shared folders. Their Firebase use, while common among developers, introduced a single point of failure. Competing groups are watching. And they’re adapting. Future leaks might not be this rich in data. Defenders can’t count on another windfall like this one.

Sources: Dark Reading, BleepingComputer, FBI IC3 2025 Report, Emsisoft Threat Report 2024, Wiz Research, Palo Alto Unit 42

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.
