The Gentlemen RaaS: Inside the Leak and Operation
In May 2026, a significant leak exposed the inner workings of The Gentlemen ransomware-as-a-service (RaaS) operation. This leak included an internal database and chat logs, revealing how the group manages affiliates, tracks vulnerabilities, and executes attacks. Below, we answer key questions about this operation based on the leaked information.
What was leaked from The Gentlemen RaaS?
On May 4th, 2026, the administrator of The Gentlemen acknowledged that the group’s internal backend database, known as Rocket, had been compromised. This leak exposed nine accounts, including the administrator’s own account under the alias zeta88 (also known as hastalamuerte). The database contained operational details such as affiliate information, victim records, and technical infrastructure configurations. The leak also included screenshots from ransom negotiations and internal chat conversations, providing a rare end-to-end view of how the RaaS program functions. This transparency allowed researchers to understand the roles within the group, the tools they use, and their methods for initial access, such as exploiting Fortinet and Cisco edge appliances, NTLM relay attacks, and logging OWA/M365 credentials.

Who runs The Gentlemen RaaS?
The central figure in The Gentlemen operation is the user known as zeta88, who also goes by hastalamuerte. According to the leaked data, this individual manages nearly every critical aspect of the program: they build the ransomware locker and the RaaS panel, handle payouts to affiliates, and oversee the entire infrastructure. Effectively, zeta88 acts as the administrator of The Gentlemen. Check Point Research further identified eight distinct affiliate TOX IDs from collected ransomware samples, with the administrator’s own TOX ID among them. This suggests that zeta88 not only manages the program but also actively participates in some infections, either personally or through direct supervision.
How do The Gentlemen affiliates gain initial access?
The leaked internal discussions reveal the group’s preferred methods for breaching networks. Affiliates commonly exploit vulnerabilities in edge appliances from Fortinet and Cisco, with CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 among the CVEs discussed. They also use NTLM relay attacks to move laterally within compromised environments. Additionally, the group actively monitors logs from OWA and M365 to capture credentials that provide initial footholds. The chats indicate that affiliates share toolsets and coordinate on which CVEs are most effective, while the administrators track newly disclosed vulnerabilities in real time. This systematic approach allows The Gentlemen to maintain a high rate of successful intrusions.
What does a typical ransom negotiation look like for The Gentlemen?
Screenshots from a successful negotiation leaked from the internal database show a case where The Gentlemen started with an initial demand (called an "anchor") of $250,000 USD. After back-and-forth communication with the victim, the group ultimately accepted a payment of $190,000 USD. This demonstrates the group’s willingness to negotiate significantly below their initial ask, likely to secure a quick payout. The chats also reveal that The Gentlemen employ a dual-pressure tactic: in one incident, they reused stolen data from a UK software consultancy to pressure a company in Turkey. They portrayed the UK firm as an "access broker" and provided the Turkish company with evidence that the intrusion originated from the UK side, encouraging legal action against the consultancy. This strategy amplifies the psychological pressure on victims.

How active is The Gentlemen RaaS?
Based on victims listed on its data leak site (DLS), The Gentlemen has been extremely active since mid-2025. In just the first five months of 2026, the group published approximately 332 victims, making it the second most productive RaaS operation during that period among groups that publicly post victim lists. Previous analysis by Check Point Research of a specific affiliate’s infection, which used the SystemBC backdoor, uncovered a command-and-control server with over 1,570 victims. This volume underscores the scale of the operation and the efficiency of its affiliate model. The leaked database further confirms that the group continuously recruits new affiliates and tracks successful infections through their internal systems.
What role do affiliates play in The Gentlemen?
The Gentlemen operates as a classic RaaS program, where the core team provides the ransomware locker, panel, and infrastructure while affiliates carry out the actual intrusions. The leak revealed eight distinct affiliate TOX IDs, indicating a small but active core of affiliates. The administrator, zeta88, not only manages the program but also directly engages in some infections, blurring the line between developer and affiliate. The group primarily recruits penetration testers and technically skilled actors through underground forums, offering them a share of ransoms. The leaked internal chats show that affiliates share tools, discuss CVE exploitation strategies, and receive guidance from the admin on negotiation tactics. This collaborative yet hierarchical structure allows The Gentlemen to scale its operations efficiently.