ZeroFox Intelligence Profile - Krybit

by Alpha Team

Product Serial: P-2026-04-28a

TLP:GREEN

This Threat Actor Profile is a baseline analysis for the ransomware-as-a-service collective Krybit, which has been active since early April 2026.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Key Findings

  • Krybit is a ransomware and digital extortion (R&DE) collective active since at least April 3, 2026, that publishes victim information on its dark web-hosted blog; the collective has claimed at least 19 victims so far.
  • Krybit is very likely financially motivated; neither its dark web leak site nor its public statements on dark web forums, social media, or covert communication channels indicate any political stance, ideological messaging, or affiliation with a specific cause.
  • Krybit employs a double extortion model, as indicated by the file encryption experienced by known victims, as well as the ransom note left behind in confirmed attacks.
  • On April 13, 2026, rival ransomware collective 0APT exploited a vulnerability in Krybit’s backend database, gaining access to Krybit’s victim data set, among other data. Subsequently, on April 15, 2026, Krybit revealed its own counterattack against 0APT, defacing 0APT’s leak site and publicly releasing its full source code and operational logs. This response likely indicates that, beyond its core financial objectives, Krybit is willing to allocate resources to retaliatory actions to safeguard its reputation.
  • ZeroFox assesses Krybit is a low-to-medium sophistication, immature ransomware-as-a-service (RaaS) provider that warrants continued monitoring, given its expanding platform capabilities and infrastructure.

Tags: threat actor, tlp:green, dark web
