10 Revelations from The Gentlemen RaaS Leak: What Cybersecurity Pros Need to Know
In the ever-evolving landscape of ransomware, a recent leak has pulled back the curtain on one of the most active RaaS operations of 2026: The Gentlemen. On May 4, 2026, the group’s administrator acknowledged that an internal backend database—dubbed Rocket—had been compromised, exposing sensitive operational details. Check Point Research obtained the partial leak, revealing affiliate identities, negotiation tactics, and technical playbooks. This listicle distills the ten most critical findings from that exposure, offering an unprecedented look inside a modern cybercrime enterprise.
1. Internal Database Leak Exposes Operations
The breach of the Rocket database marks the first confirmed leak from The Gentlemen’s internal infrastructure. It revealed nine accounts, including the administrator’s personal profile (zeta88, also known as hastalamuerte). These accounts contained logs of affiliate communications, victim lists, and payment records. The leak is believed to be partial, but even this fragment provides a rare, unfiltered view of how a RaaS program manages its supply chain—from initial access to final ransom collection.
2. Administrator Profile: The Man Behind the Curtain
The admin account zeta88 was linked to multiple responsibilities: infrastructure maintenance, building the locker and RaaS panel, managing affiliate payouts, and serving as the program’s public face. This level of centralization is unusual for a RaaS that claims to be decentralized. The admin’s dual role—both operator and active participant in infections—blurs the line between coordinator and perpetrator. Understanding this hierarchy is crucial for law enforcement targeting the group’s leadership.
3. End-to-End Operational Playbook Revealed
The leaked internal discussions offered a step-by-step view of The Gentlemen’s attack lifecycle. Affiliates shared specific techniques for gaining initial access: exploiting Fortinet and Cisco edge appliances, performing NTLM relay attacks, and harvesting credentials from OWA or Microsoft 365 logs. The playbook also detailed how affiliates divide roles—some focus on network penetration, others on data exfiltration and encryption. This granular detail helps defenders anticipate their next moves.
4. Active CVE Tracking and Exploitation
The group actively monitors and exploits recent vulnerabilities. Across chats, affiliates referenced three key CVEs: CVE-2024-55591 (a critical firewall flaw), CVE-2025-32433 (an edge device bug), and CVE-2025-33073 (a remote code execution in enterprise software). The admin even provided a ranking of which CVEs were most useful for access. This shows that The Gentlemen prioritizes zero-day or near-zero-day exploits, making patching a priority for defenders.
5. Ransom Negotiations: A Case Study in Pressure Tactics
Screenshots from actual ransom negotiations leaked alongside the database. In one example, the group demanded an initial anchor amount of $250,000 from a victim but ultimately settled for $190,000—a discount of 24%. The chats show calculated negotiation strategies, including artificial deadlines and threats to release data. This single case illustrates the group’s flexibility and willingness to negotiate, which is common in professional RaaS operations.
6. Cross-Border Data Reuse for Dual Pressure
A particularly striking tactic involved stolen data from a UK software consultancy. The Gentlemen reused that data to pressure a Turkish company, claiming the UK firm was an “access broker.” They suggested the Turkish victim sue the consultancy, creating a second front of stress. This dual-pressure approach—combining legal threats with ransom demands—shows an evolved psychological strategy that multiplies the impact on victims.
7. Affiliate TOX IDs Confirm Active Membership
By collecting available ransomware samples across multiple sources, researchers identified eight distinct affiliate TOX IDs, including the admin’s own ID. This discovery confirms that the administrator does not merely run the platform but actively participates in or directly carries out infections. The affiliate count also suggests a relatively small but tightly knit network, which may make the group more resilient to infiltration.
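The sample-driven attribution described above rests on a property of the Tox addressing scheme that the article does not spell out: a Tox ID is a 32-byte long-term public key, a 4-byte user-changeable "nospam" value and a 2-byte XOR checksum, so two ransom notes can carry different Tox IDs and still belong to the same operator if the public-key portion matches. The following is an added example written for this page (not Check Point's tooling and not code from the article) that extracts candidate IDs from a set of ransom-note texts, drops anything whose checksum does not verify (typos, truncated copies), and clusters the survivors by public key. The note texts, key bytes and sample names are all constructed for the example; the ID layout and checksum rule come from the public Tox specification.

```python
import re
from collections import defaultdict

# A Tox ID is 38 bytes, hex-encoded as 76 characters:
#   32-byte long-term public key | 4-byte "nospam" | 2-byte checksum
# The checksum folds the first 36 bytes into two bytes by XOR:
# even-offset bytes into checksum[0], odd-offset bytes into checksum[1].
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def tox_checksum(key_and_nospam: bytes) -> bytes:
    """Return the 2-byte Tox checksum for public key || nospam (36 bytes)."""
    if len(key_and_nospam) != 36:
        raise ValueError("expected 32-byte public key followed by 4-byte nospam")
    csum = [0, 0]
    for i, b in enumerate(key_and_nospam):
        csum[i % 2] ^= b
    return bytes(csum)


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Assemble a well-formed Tox ID (used here only to build test fixtures)."""
    body = public_key + nospam
    return (body + tox_checksum(body)).hex().upper()


def is_valid_tox_id(candidate: str) -> bool:
    """True if the 76-hex-char candidate carries a checksum that verifies."""
    if len(candidate) != 76:
        return False
    try:
        raw = bytes.fromhex(candidate)
    except ValueError:
        return False
    return tox_checksum(raw[:36]) == raw[36:]


def public_key_hex(tox_id: str) -> str:
    """The identity part of a Tox ID: nospam can be rotated, the key cannot."""
    return tox_id[:64].upper()


def cluster_affiliates(notes: dict[str, str]) -> dict[str, dict]:
    """Map each public key to the sample names and full Tox IDs it was seen in.

    `notes` maps a sample name to the text of the ransom note dropped by
    that sample. Candidates that fail the checksum are discarded so that a
    single mistyped character in a note does not create a phantom affiliate.
    """
    clusters = defaultdict(lambda: {"samples": set(), "tox_ids": set()})
    for sample_name, text in notes.items():
        for match in TOX_ID_RE.finditer(text):
            candidate = match.group(0).upper()
            if not is_valid_tox_id(candidate):
                continue
            entry = clusters[public_key_hex(candidate)]
            entry["samples"].add(sample_name)
            entry["tox_ids"].add(candidate)
    return dict(clusters)


# --- Constructed fixtures (not real affiliate identifiers) -------------------
KEY_A = bytes(range(32))            # placeholder key for "affiliate A"
KEY_B = bytes([0xAA] * 32)          # placeholder key for "affiliate B"
ID_A = make_tox_id(KEY_A, bytes([32, 33, 34, 35]))   # A, original nospam
ID_A_ROTATED = make_tox_id(KEY_A, b"\xff\xff\xff\xff")  # A, rotated nospam
ID_B = make_tox_id(KEY_B, b"\x00\x01\x02\x03")
CORRUPT_ID = ID_B[:-1] + ("0" if ID_B[-1] != "0" else "1")  # one hex char off

SAMPLE_NOTES = {
    "sample-1": f"Your network has been encrypted. Contact us over Tox: {ID_A}",
    "sample-2": f"Reach our support through Tox ID {ID_A_ROTATED} within 72 hours.",
    "sample-3": f"Tox: {ID_B}\nDo not involve third parties.",
    "sample-4": f"Tox: {CORRUPT_ID}",   # mistyped copy, must be rejected
}

if __name__ == "__main__":
    for key, info in cluster_affiliates(SAMPLE_NOTES).items():
        print(f"{key[:16]}...  samples={sorted(info['samples'])}  ids={len(info['tox_ids'])}")
```

Run as-is, the script reports two clusters: one public key seen across `sample-1` and `sample-2` under two different Tox IDs, and one seen only in `sample-3`; the corrupted ID in `sample-4` never reaches a cluster. Counting distinct public keys rather than distinct Tox IDs is what keeps an affiliate who rotates their nospam from being counted twice.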
8. High Victim Volume in 2026
The Gentlemen’s data leak site lists approximately 332 published victims in the first five months of 2026. This volume places it as the second most productive RaaS operation during that period among groups that publicly list victims. The group’s rapid growth—emerging in mid-2025 and escalating within a year—underscores the scalability of RaaS models and the challenge of tracking them.
9. SystemBC Connection Unveils Wider Network
A prior Check Point analysis linked one affiliate infection to the SystemBC proxy botnet, whose command-and-control server indicated over 1,570 victims. This suggests that some Gentlemen affiliates are experienced cybercriminals with access to larger infrastructure. The use of SystemBC also indicates a preference for stealthy, multi-channel communication that complicates detection.
10. Implications for Defenders and Law Enforcement
The leak provides actionable intelligence: from specific CVE priorities to negotiation language. Security teams should prioritize patching the three CVEs mentioned, monitor for SystemBC traffic, and incorporate the group’s negotiation tactics into incident response training. For law enforcement, the admin’s public-facing role and the reuse of data across borders offer potential leads to dismantle the operation. The Gentlemen’s rise serves as a stark reminder that no RaaS can stay hidden forever.
The revelations from The Gentlemen leak offer more than just curiosity—they provide a roadmap for defense. By understanding how this RaaS recruits, operates, and negotiates, organizations can better prepare for the next wave of attacks. As the cybersecurity community continues to peel back the layers, one thing is clear: even the most secretive groups leave traces. The key is knowing where to look.