The Weekly Breach Breakdown: Ransomware Groups Are Beefing — And Defenders Are Winning

Summary 

• Two rival ransomware groups, 0APT and KryBit, got into a public fight and ended up exposing each other’s dirty laundry in the process.
• Researchers discovered that more than 190 victims claimed by 0APT were completely made up. No data was ever actually stolen.
• KryBit retaliated by dumping 0APT’s entire operation online: source code, access logs, internal files, essentially blowing up their whole setup.
• Experts say this kind of criminal infighting between ransomware groups is actually good news for defenders. It exposes how these groups really operate.
• The ransomware landscape is evolving, and more ransomware groups are skipping encryption entirely and just threatening to leak your data instead.
• If you think you have been a victim of identity theft, fraud or a scam, you can speak with an expert Identity Theft Resource Center advisor on the phone, via text message or chat live on the web. Contact us via our toll-free phone number 888.400.5530 or on our company website. 

Full Transcript 

Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for June 5, 2026. I’m Tatiana Cuadras, Communications Assistant for the ITRC. Thanks to Sentilink for their continued support of the podcast and the ITRC. Each week, we break down the latest in data security and privacy, and this week, we have a story that’s a little different. It’s not about criminals targeting everyday people or businesses. It’s about ransomware groups targeting each other. Grab your popcorn.

According to a blog published by the Halcyon Ransomware Research Center, two ransomware groups, 0APT and KryBit, got into a public feud. And when it was all over, both sides had exposed each other’s infrastructure, internal data and operational secrets to the entire security community. Defenders everywhere got a front-row seat.

Here’s the background. Ransomware groups typically operate by breaking into organizations, stealing sensitive data and then threatening to publish it unless a ransom is paid. They advertise their wins on dark web leak sites to pressure victims and build a reputation. It’s a criminal business model, and like most businesses, reputation matters.

That’s exactly what makes 0APT’s story stand out. Remember when I said reputation matters a few seconds ago? Well, back in January 2026, this ransomware group posted over 190 claimed victims on their leak site, which made it look like a busy and successful operation. There was just one problem: researchers confirmed that not a single one of those organizations had actually been breached. 0APT was basically bluffing their way to credibility. In the cybercrime world, that’s a bold move. It’s also, apparently, a terrible one.

KryBit, the other ransomware group, found out, and they were not impressed or happy. They fired back by dumping 0APT’s entire backend online, including internal files, operational records and the code behind their entire setup. All of it available to the public. The leaked access logs proved the victims were fabricated in the first place, which is a bad look for 0APT. 0APT’s leak site is now defaced and under KryBit’s control, and 0APT will have to start from the ground up, with new infrastructure and a new identity, just to have any real shot at getting back into the cybercriminal game.

Now, here is the real news for us: when ransomware groups turn on each other, defenders win. Pretty surprising, right? Intelligence analyst Erika Totaro from the Halcyon Ransomware Research Center put it this way: gang feuds like this are actually a net positive for the security community. Getting an inside, unfiltered look at how these groups actually operate is exactly the kind of edge that defenders don’t usually get to see.

To put this in relatable terms, imagine spending years trying to figure out how a magician pulled off a trick, searching everywhere and coming up empty, and then one day he posts a video breaking down every single secret. That’s essentially what happened here. Now, it’s clear that we can’t count on ransomware groups self-destructing on a consistent schedule or a magician leaking all of his famous tricks, but when it happens? Take note and use it to your advantage.

That said, let’s be honest, the ransomware problem isn’t going away anytime soon. If anything, it’s getting bigger and a whole lot more creative. Researchers are tracking a major shift in how these attacks actually work, and it’s worth paying attention to. More groups are dropping the “ransom” part altogether and going straight for your data, stealing it and threatening to leak it to the public with no encryption, no warning, just your data being taken from you and thrown out to the public eye.

And while this particular story had some wins for the good guys, the bigger picture is still concerning. Ransomware-as-a-service operations are still an active threat, with new groups spinning up quickly and experienced ones constantly evolving. KryBit, for example, launched in late March 2026 and within its first two weeks already had 10 legitimate victims. Don’t let the drama between these two ransomware groups distract you, as there are plenty more groups just like them that are waiting for their next attack.

The advice from researchers is this:

• Make sure you monitor for unusual data exfiltration activity within your network.
• Verify that your backups are tested and working.
• Make sure that you are strengthening your

If you want to know more about how to protect your business or personal information, or think you have been the victim of identity theft, fraud or a scam, you can speak with an expert ITRC advisor by phone or text at 888.400.5530, or live chat at www.idtheftcenter.org.

Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to podcasts.

Next Friday, we will have an edition of our sister podcast, the Fraudian Slip, as our own Chief Operating & Programs Officer, Mona Terry, shares the highlights and key takeaways from our 2026 Trends in Identity Report. You can download the report beginning June 9 by visiting www.idtheftcenter.org/reports. We will return in two weeks with another episode of the Weekly Breach Breakdown. I’m Tatiana Cuadras. Until then, thanks for listening.