CTI Report: Krybit Ransomware — Panel Breach by 0APT

by Eric J. Taylor | Apr 13, 2026

Published: 2026-04-13 | Updated: 2026-04-15
Classification: TLP:CLEAR
Prepared by: Eric Taylor
Source: 0APT leak, panel.sql database analysis, leaks_db.sql file inventory, 0APT server files leaked by Krybit, DLS screenshots, nginx access logs, bash history

Two Ransomware Groups Tore Each Other Apart — Here's What We Found Inside

On April 13, 2026, a threat actor calling itself 0APT published the complete database of the Krybit ransomware operation — victim records, plaintext credentials, Bitcoin wallets, encryption tokens, and a 56MB exfiltration file inventory. For the first time, 0APT had produced something real.

Krybit hit back hard. Within 48 hours, Krybit compromised 0APT's server, defaced their data leak site, and published everything: source code, bash history, nginx logs, system files. Then Krybit posted 0APT as victim #1 on their own leak site with the message:

> "HACKED BY KRYBIT — Next time, don't play with the big boys. The response will be fast."

The result is something rarely seen in threat intelligence — both sides of a ransomware conflict fully exposed at the same time. This report walks through what each leak reveals, what it means for defenders, and why one of these groups was never real to begin with.

Part 1: Inside Krybit's Operation

The leaked panel database gives us a complete view of a small, opportunistic RaaS operation that has been active since late March 2026.

The Team

Krybit has 7 registered users across two privilege levels:

Operators (Admin access):

- KRYBIT — Primary operator, 15 victims attributed, last active April 12, 2026
- GREP — Secondary admin, last active March 28, 2026. Limited activity suggests an infrastructure or technical role

Affiliates (Build and victim access):

- D9D938D9AC9 — Most active affiliate, 5 confirmed victims, last active April 11
- fsociety — Active late March, no confirmed victims
- M\*A\*R\*S — Brief activity (March 28–29), no confirmed victims
- 464D03CA2AF05 — Active April 6–10
- 753766EFA0462B — Single day of activity (April 6)

All accounts store passwords in plaintext. The `password` and `plain_password` fields contain identical values — zero hashing, zero salting, zero security.

The Victims

The panel contains 11 confirmed victim entries with ransom demands ranging from $40,000 to $100,000. Two are educational institutions that serve children. None of the records shows a `paid_amount` or `paid_at` value, so there were zero confirmed payments at the time of the breach.

Cross-referencing the panel database with Krybit's own DLS source code (which was later leaked by Krybit themselves — more on that below) confirms 13 real victims plus the retaliatory 0APT posting, spanning 10+ countries. Several DLS links are marked inactive (suggesting payment or data removal), while others remain active with data available for download. This pattern is consistent with a functional ransomware operation.

The Infrastructure

Krybit runs 5 Tor hidden service domains, each assigned to different operators or affiliates. The backend is MariaDB 10.4.32, PHP 8.0.30, phpMyAdmin 5.2.1 — a standard XAMPP stack. Stolen data is stored at `/mnt/up/client_{id}/` paths organized by victim domain, hostname, and IP address.

The Ransomware

Each victim gets a custom build with 5 unique tokens — identifiers for Windows, ESXi, and NAS encryptors plus encryption keys and a decryptor. This confirms multi-platform capability across Windows, VMware, and NAS targets, typical of mid-tier RaaS operations.

The Money

5 Bitcoin wallet addresses are reused across all victims — a significant OPSEC failure that enables blockchain analysis to link all Krybit operations to a small number of cashout paths.

The Exfiltration Logs

The `leaks_db.sql` file (56MB) contains the complete file inventory from Krybit's exfiltration server. File paths expose internal Active Directory domains (e.g., NSC.local, crpnet.loc), internal IP addresses, employee names visible in file paths, volume shadow copy snapshots being targeted, and prioritized file types (PDFs, office documents, database files).
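An added Python example, not code from the report or from either group, showing how an IR team can turn such an inventory into a per-victim exposure summary (the use the incident response steps later in this report describe): it parses constructed rows in the `/mnt/up/client_{id}/` layout, assuming a domain/hostname/IP column order, and extracts AD domains, hosts, internal IPs, user profile names, shadow-copy provenance and file-type counts.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed sample inventory rows, not from leaks_db.sql. Layout follows the report:
# /mnt/up/client_{id}/ then victim domain, hostname, IP (that order is an assumption).
SAMPLE_PATHS = [
    "/mnt/up/client_7/NSC.local/FS01/10.10.2.15/Finance/Q1_Budget.xlsx",
    "/mnt/up/client_7/NSC.local/FS01/10.10.2.15/Users/jsmith/Documents/contract.pdf",
    "/mnt/up/client_7/NSC.local/SQL01/10.10.2.20/Backups/erp.bak",
    "/mnt/up/client_7/NSC.local/SQL01/10.10.2.20/HarddiskVolumeShadowCopy3/Users/amiller/notes.docx",
    "/mnt/up/client_12/crpnet.loc/DC01/192.168.50.5/Users/rlopez/Desktop/passwords.txt",
    "/mnt/up/client_12/crpnet.loc/DC01/192.168.50.5/Shares/HR/payroll_2025.pdf",
    "/var/log/nginx/access.log",  # unrelated path; the parser must skip it
]

PATH_RE = re.compile(r"^/mnt/up/client_(?P<client>\d+)/(?P<domain>[^/]+)/(?P<host>[^/]+)/(?P<ip>[^/]+)/(?P<rest>.+)$")
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)  # files pulled from VSS snapshots


def parse_exfil_path(path):
    """Return one inventory record, or None if the path is not a client upload."""
    m = PATH_RE.match(path)
    if m is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))  # reject rows whose IP slot is not an address
    except ValueError:
        return None
    parts = PurePosixPath(m["rest"]).parts
    user = None
    if "Users" in parts and parts.index("Users") + 1 < len(parts):
        user = parts[parts.index("Users") + 1]  # profile folder name = employee account
    return {"client": int(m["client"]), "domain": m["domain"], "host": m["host"], "ip": ip,
            "user": user, "shadow_copy": bool(SHADOW_RE.search(m["rest"])),
            "ext": PurePosixPath(m["rest"]).suffix.lower().lstrip(".")}


def summarize(paths):
    """Per-client view of what the inventory exposes: domains, hosts, IPs, users, file types."""
    out = defaultdict(lambda: {"domains": set(), "hosts": set(), "ips": set(), "users": set(),
                               "shadow_copy_files": 0, "extensions": Counter()})
    for p in paths:
        rec = parse_exfil_path(p)
        if rec is None:
            continue
        s = out[rec["client"]]
        for key in ("domain", "host", "ip"):
            s[key + "s"].add(rec[key])
        if rec["user"]:
            s["users"].add(rec["user"])
        s["shadow_copy_files"] += int(rec["shadow_copy"])
        s["extensions"][rec["ext"]] += 1
    return dict(out)
```

The per-client sets are the hostnames, IPs and account names a defender can feed straight into detection content and victim notification.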

Part 2: The Escalation

Phase 1 — 0APT Strikes First (April 13, 2026)

0APT — a group that had previously posted dozens of victim claims with zero evidence — published Krybit's panel database and went further:

- Created a "Target Intel" page on their DLS featuring database screenshots and Krybit operator details
- Listed Krybit as victim ID `0APT-1001` on their "Operations Center" page, status "WAITING VICTIM"
- Deployed a dedicated file browser (`krybitkey.php`) on their server to distribute Krybit's decryption keys

For the first time, 0APT had done something credible.

Phase 2 — Krybit Retaliates (April 14–15, 2026)

Krybit's response was swift and comprehensive:

- Server compromise — Krybit gained access to 0APT's server, likely exploiting insecure 777 file permissions, an exposed admin panel (`admin9apt.php`), or other misconfigurations
- DLS defacement — Replaced 0APT's site with the "HACKED BY KRYBIT" message
- Complete exfiltration — Pulled everything: PHP source code, bash history (998 lines), nginx access logs (652,813 lines), and Linux system files (passwd, shadow, gshadow, hostname, nginx config)
- Public humiliation — Posted 0APT as victim #1 on Krybit's own DLS with all leaked files available for download

Phase 3 — 0APT Recovers

0APT's bash history shows a full site migration after the defacement: old site backed up to `html3/`, new panel code deployed from Android storage (`/sdcard/db/p/*`) to a clean directory, then renamed to the live web root. They were actively rebuilding — but the damage was done.

Part 3: What 0APT's Leaked Server Reveals

The files Krybit exfiltrated tell a story that goes beyond the escalation. They reveal that 0APT is not a credible ransomware operation — and arguably never was.

An Android Phone Running a Tor Hidden Service

0APT's entire data leak site runs on an Android phone using AnLinux-Parrot (Parrot OS deployed through Android's Linux compatibility layer). The server stack is Nginx on port 8080 → PHP 8.2-FPM → Tor hidden service, with all web content pushed from `/sdcard/` (Android internal storage) and services started manually each session. There is no systemd, no auto-start, no persistence — the operator manually types `service php8.2-fpm start && service nginx start && service tor start` every time.

This is a threat actor claiming to breach Mayo Clinic, Boeing, and Goldman Sachs — from a phone.

A Low-Skill Operator

The 998-line bash history paints a clear picture:

- Used `chmod +777` and `chmod -R +777` over 20 times — maximum-insecure permissions on the web root
- Failed to run an x86_64 binary on ARM architecture — tried `./server`, `bash server`, `chmod +x server` before eventually figuring out `qemu-x86_64`
- Basic navigation errors: `cd ..` then `cd var`, `cd www`, `cd html` instead of `cd /var/www/html`
- Frequent typos: `mamo` for `nano`, `cd..` without space, `vd` for `cd`, `cd suppory` for `cd support`
- No firewall, no SSH key management, no intrusion detection
- Paranoid but reactive log searching: `grep "/payloads"`, `grep "/admin/"`, `grep "sql"`, `grep "select"`
- Constant PHP-FPM memory crashes on the resource-constrained Android device — eventually resorted to a crude auto-restart loop: `while true; do pkill php-fpm; service php8.2-fpm start; sleep 600; done`

180+ Fabricated Victim Claims

Analysis of the leaked nginx access log (652,813 lines, Jan 28 – Feb 5, 2026) confirms that 0APT's victim claims are fabricated. Over 180 zip filenames referencing major organizations appear in the logs — every single one returns **HTTP 502 (Bad Gateway)** because no actual data exists:

- Mayo-Clinic.zip, Kaiser-Permanente.zip, Stryker-Corporation.zip
- BASF-SE.zip, Siemens-Energy.zip, Deutsche-Bank.zip
- Boeing-Company.zip, Lockheed-Martin.zip, Northrop-Grumman.zip
- Pfizer-Inc.zip, Johnson-Johnson.zip, Merck-Co.zip
- Goldman-Sachs.zip, JPMorgan-Chase.zip, Morgan-Stanley.zip
- And 150+ more spanning healthcare, defense, finance, energy, pharma, and technology

The `data.json` file that drives the DLS victim listing is manually edited. Victim cards display countdown timers and "DOWNLOAD DATA" buttons — but every link points to a file that doesn't exist.
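As an added Python example (not code from the report or from either group), the check behind that finding, run over a constructed set of nginx combined-format lines: tally response codes per requested `.zip` path and separate archives the server served at least once from those it never did. The `/payloads/` directory comes from the operator's own grep in the bash history; the log lines and filenames are constructed.

```python
import re
from collections import defaultdict

# Constructed nginx combined-format lines (not from the leaked log). The filenames
# mirror the fabricated claims the report lists; /payloads/ is the path the operator grepped for.
SAMPLE_LOG = """\
10.0.0.1 - - [30/Jan/2026:10:01:02 +0000] "GET /payloads/Mayo-Clinic.zip HTTP/1.1" 502 157 "-" "Mozilla/5.0"
10.0.0.2 - - [30/Jan/2026:10:02:10 +0000] "GET /payloads/Mayo-Clinic.zip HTTP/1.1" 502 157 "-" "curl/8.0"
10.0.0.3 - - [30/Jan/2026:10:05:44 +0000] "GET /payloads/Boeing-Company.zip HTTP/1.1" 502 157 "-" "Mozilla/5.0"
10.0.0.4 - - [31/Jan/2026:11:00:00 +0000] "GET /payloads/Goldman-Sachs.zip HTTP/1.1" 502 157 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Jan/2026:11:30:12 +0000] "GET /payloads/sample-proof.zip HTTP/1.1" 200 8123456 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Feb/2026:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Feb/2026:09:00:05 +0000] "GET /payloads/Pfizer-Inc.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def zip_status_summary(log_text):
    """Map each requested .zip path to {status_code: request_count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".zip"):
            continue
        summary[rec["path"]][int(rec["status"])] += 1
    return {path: dict(codes) for path, codes in summary.items()}


def classify_claims(log_text):
    """Split zip paths into ones the server actually served (some 2xx) and ones it never did.

    A 'victim archive' that only ever produced 502/404 is a listing with no data behind it."""
    served, never_served = {}, {}
    for path, codes in zip_status_summary(log_text).items():
        target = served if any(200 <= c < 300 for c in codes) else never_served
        target[path] = codes
    return served, never_served
```

Run against the full 652,813-line log, the `never_served` set is the list of claims to flag as fabricated in intelligence feeds.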

The DLS Application

The source code reveals a polished-looking but hollow operation:

- "Operations Center" frontend branded "0APT SYNDICATE" with military-themed UI, glitch animations, and CRT scanline effects
- Proof-of-work entry — SHA-256 difficulty 4 (victims compute a hash starting with "0000" to access the chat)
- Negotiation chat with admin online/offline toggling, CSRF tokens, and flat-file storage in `/cochats/`
- Anti-spam rate limiting (6 messages in 7 seconds = 10-minute lockout)
- A commented-out popup teasing "Hellow Ransomhouse Group" as the next target — prepared but never launched
- Two RaaS affiliate directories with randomized IDs and `build_info.log` files — suggesting 0APT was attempting to run an affiliate program despite having no actual ransomware capability

Part 4: Comparative Assessment

This conflict provides a direct side-by-side comparison:

0APT — Low sophistication. Android-hosted infrastructure. Over 180 fabricated Fortune 500 victim claims with zero actual data. Operator cannot navigate a Linux terminal competently. Obtained Krybit's database (their only credible action) but couldn't defend their own server. The Krybit panel breach was real — everything else about 0APT is not.

Krybit — Small but functional RaaS operation. 13 real victims across 10+ countries with actual stolen data. Demonstrated offensive capability by compromising 0APT's server, executing a coordinated defacement, and performing complete data exfiltration. Technically superior in every measurable dimension — but still a small-time operation targeting SMBs with ransom demands under $100,000 and zero confirmed payments.

What This Means for Defenders

This dual breach gives defenders rare simultaneous visibility into both sides of a ransomware conflict:

- Proactive blocking of all 6 .onion domains (5 Krybit + 1 0APT) and associated infrastructure
- Blockchain tracing through 5 exposed BTC wallets to identify Krybit's cashout paths
- Attribution enrichment via 7 Tox messenger IDs — cross-reference against other RaaS operations for affiliate overlap
- Victim notification for organizations that may not know they've been compromised by Krybit
- Detection engineering from internal network paths, hostnames, and IPs visible in Krybit's exfiltration logs
- False positive elimination — flag all 0APT victim claims as fabricated to prevent intelligence pollution

---

Actionable Steps

For Threat Intelligence Teams

- Add all 6 .onion domains to blocklists and intelligence feeds
- Submit the 5 BTC wallet addresses to blockchain analysis platforms (Chainalysis, Crystal) for transaction tracing
- Cross-reference the Tox IDs against other ransomware operations — affiliate crossover between RaaS groups is common
- Monitor eCrime.ch and other trackers for Krybit operator activity under new aliases
- Flag all 0APT victim claims as fabricated — over 180 fabricated Fortune 500 entries confirmed through access log analysis. Do not treat 0APT postings as credible breach indicators
- Track both groups for infrastructure rotation — both are likely to rebuild under new .onion addresses after this mutual exposure

For Incident Response Teams

- If your organization appears in the Krybit victim list, initiate incident response immediately — even if you were unaware of a breach
- The encryption tokens in the builds table may assist decryption efforts for affected organizations
- The exfiltration file paths in leaks_db.sql can help identify exactly what data was stolen
- If your organization appears only on 0APT's DLS, verify independently before allocating IR resources — their claims are overwhelmingly fabricated

For Security Operations

- Block the clearnet domain incapt.su (referenced in Krybit ransom notes, though this appears to be from a different group's note template)
- Monitor for Bandicam screenshot artifacts — Krybit uses Bandicam to capture proof-of-access screenshots from victim networks
- Alert on phpMyAdmin and XAMPP indicators in your environment — the same stack used by Krybit's panel is common in attacker infrastructure
- 0APT uses SHA-256 proof-of-work (difficulty 4) as anti-bot protection — this pattern could fingerprint related infrastructure

---

What Happens If This Intel Is Ignored

- Organizations on the Krybit victim list may not know their data has been stolen and is staged for publication
- The BTC wallets will continue receiving payments from future victims if not flagged
- Krybit's affiliates will migrate to other RaaS platforms, carrying their access and tradecraft with them
- The exposed encryption tokens represent a time-limited opportunity to assist victims with recovery — this window closes when Krybit rotates infrastructure
- 0APT's fabricated claims will continue to pollute threat intelligence feeds if not flagged as false positives
- Both actors are likely to rebuild and re-emerge under new infrastructure after this mutual exposure

---

The Bottom Line

Two ransomware groups attacked each other and exposed everything in the process. One operation turned out to be real — small, opportunistic, but functional. The other turned out to be a fabrication running from a phone.

Organizations and intelligence teams that act on this report will block known infrastructure before reuse, trace ransom payments to identify operators, notify victims who may be unaware of the breach, and — critically — stop treating 0APT claims as real intelligence. This is a rare window where both sides' operational details are exposed simultaneously. Use it.

Tor Hidden Services

| DOMAIN | ACTOR | PURPOSE |
|---|---|---|
| oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion | 0APT | Data leak site / "Operations Center" |
| krybieodq754vlwufrsuxaswxb5zpxyibaawmed2jaduoz2e5m56hmid.onion | Krybit (KRYBIT, M\*A\*R\*S, 464D03CA2AF05) | Affiliate panel / negotiation |
| krybitx3fh5krdnhegyp2ob3lhizsaiadturtio3ginf7it5gsdgu2yd.onion | Krybit (GREP, D9D938D9AC9, 753766EFA0462B) | Affiliate panel / negotiation |
| krybitxdpxohsmjooeb3gbgpmdddreh6mnflzac6bnezz74b7yje67yd.onion | Krybit (KRYBIT) | Primary admin panel |
| krybitqsdzwmhnitvwuhvsntfgf2wrhxveyxroxpc44c6gkft2cqldyd.onion | Krybit (fsociety) | Affiliate panel |
| krybivdln3oc3twbin4budgznzq7dmcolldnsx455lspxxe23b56y5qd.onion | Krybit (All) | Victim data hosting / leak blog |

0APT Server Infrastructure (leaked)

| INDICATOR | VALUE | CONTEXT |
|---|---|---|
| Platform | Android (ARM/aarch64) — AnLinux-Parrot | Full DLS runs on a mobile device |
| Web Stack | Nginx (port 8080) + PHP 8.2-FPM + Tor | Manual service start each session |
| Admin Panel | admin9apt.php | Created, deleted, recreated — poor lifecycle |
| User Directory 1 | /users/y3X6f9J2D7s2V5h/ | RaaS affiliate directory with build_info.log |
| User Directory 2 | /users/j5B3wL9xT1p6H4s/ | RaaS affiliate directory |
| Chat Storage | /cochats/{20-char-hex}.txt | Flat-file victim negotiation logs |
| PoW Protection | SHA-256, difficulty 4 ("0000" prefix) | Anti-bot on victim chat entry |
| Victim Data Source | data.json | Manually edited, drives all DLS listings |
| Deployment Source | /sdcard/ (Android storage) | Files pushed from phone to web root |

Bitcoin Wallets

| WALLET ADDRESS | VICTIMS USING WALLET |
|---|---|
| bc1ql2f3mhw6yxammrs9ufklpqf9qlcwrr85u72v4h | secran.com.br, L'Hirondelle, bjgrupo.com.br |
| bc1q5fvym0l0vvzhenhynzduf3qyp85zjdsrn7j8ju | kramer-nsc.at, fraper.com |
| bc1qznfsaeyd4j4mzcsgu2a4m0sj5pw6tvrx2vdscl | whiskey.co.jp, Cubyn |
| bc1q7uhjsc6qtx933v2wjgmevh63yssjvzfx7cegud | lkc.ac.bw, STRONGIGA |
| bc1qvd3ucrrgzq5eyay5xxn8jerjh669ua6qyz3urk | ccckeito.edu.hk |

Operators and Affiliates

| USERNAME | ROLE | LAST ACTIVE | TOX ID |
|---|---|---|---|
| KRYBIT | Operator (Level 1) | 2026-04-12 | F65E1621B7A5DC0139FE108B9CD48404082951E7E7F421A07A7B88A8E8111C13C552EA2B0C4C |
| GREP | Operator (Level 1) | 2026-03-28 | 48B547A7A6195593B9158E4B6160ED0310B2F9AD080992D44EA299878DCCD0551CC7CAD168CD |
| D9D938D9AC9 | Affiliate (Level 2) | 2026-04-11 | 590586B43A7F5101002EA0167A6E627402512D50B41E1178E484B3DB9616F31ABD9D938D9AC9 |
| fsociety | Affiliate (Level 2) | 2026-03-31 | 0D72935BE65992C164D5BFAFD668ACE2004A317859E360A0851B864AA422EA2E43179699DBE3 |
| M\*A\*R\*S | Affiliate (Level 2) | 2026-03-29 | B7EA3E6CD89496CDC27FC7A4010DCA634D8EED1282EFD5E1FF876C91DD4AA94193403F29B58C |
| 464D03CA2AF05 | Affiliate (Level 2) | 2026-04-10 | AD8A7E310F6A6DA2D39A57B1EB034A28EBD35367FA4CCD832CF74F80C464D03CA2AF0547CBCF |
| 753766EFA0462B | Affiliate (Level 2) | 2026-04-06 | 515C7E4F8048813CAFCDEBD915D72E9ACDEC588201B6E941422717D4F80753766EFA0462B8BD |

Confirmed Victims (from panel database + DLS source code)

| VICTIM | COUNTRY | SECTOR | DATA STOLEN | RANSOM DEMAND | DLS STATUS |
|---|---|---|---|---|---|
| BJ Grupo (bjgrupo.com.br) | Brazil | Fuel Distribution | 23GB | $100,000 | Active |
| Whiskey & Co., Inc. (whiskey.co.jp) | Japan | Manufacturing | 25GB | $70,000 | Active |
| Comercial Fraper S.L. (fraper.com) | Spain | Building Materials | 100GB | $70,000 | Inactive |
| Kramer NSC GmbH (kramer-nsc.at) | Austria | Commercial Vehicles | | $60,000 | Active |
| Cubyn | France | Logistics | 250GB | $60,000 | — |
| Livingstone Kolobeng College (lkc.ac.bw) | Botswana | Education | 50GB | $50,000 | Active |
| L'Hirondelle | Canada | | 100GB | $50,000 | — |
| secran.com.br | Brazil | | 100GB | $50,000 | Inactive |
| CCC Kei To Secondary School (ccckeito.edu.hk) | Hong Kong | Education | 10GB | $40,000 | Active |
| STRONGIGA, Lda | Portugal | | | $40,000 | — |
| CONREP SA (conrepsa.ro) | Romania | Construction | | | Inactive |
| asesoriauriel.com | Mexico | Professional Services | | | Inactive |
| dencom.co.nz | New Zealand | | | | Inactive |
| unipest.co.th | Thailand | Pest Control | | | Inactive |
| palladium.gen.tr | Turkey | Technology / Engineering | | | Inactive |
| Gerald Zisser GmbH | Austria | Building Technology | | | Inactive |

"Active" = data still available for download on Krybit's DLS. "Inactive" = data removed (possible payment or negotiation). "—" = victim appeared in panel database only, not confirmed on DLS source code.