Starexe

Inside The Gentlemen RaaS: A Detailed Q&A on Their Operations and Internal Leak

Last updated: 2026-05-19 15:39:36

The Gentlemen ransomware-as-a-service (RaaS) group rose to prominence in mid-2025, advertising its platform on underground forums to recruit affiliates. By 2026, it had become one of the most active operations, with hundreds of victims. A critical leak in May 2026 exposed their internal database, shedding light on the admin, affiliates, technical methods, and negotiation strategies. Below are key questions and answers based on that leak and related research.

What was the May 2026 database leak and what did it reveal?

On May 4, 2026, the administrator of The Gentlemen RaaS acknowledged on underground forums that an internal backend database named Rocket had been leaked. This leak exposed 9 accounts, including the admin's own. The exposed information provided a rare end‑to‑end view of the operation: it detailed initial access paths (such as Fortinet and Cisco edge appliances, NTLM relay, and OWA/M365 credential logs), role divisions, shared toolsets, and the group’s active tracking of modern CVEs (CVE-2024-55591, CVE-2025-32433, CVE-2025-33073). Screenshots from ransom negotiations were also leaked, showing a successful case where the group received $190,000 after starting with a demand of $250,000.

Inside The Gentlemen RaaS: A Detailed Q&A on Their Operations and Internal Leak
Source: research.checkpoint.com

Who is the administrator of The Gentlemen RaaS and what roles does he play?

The leaked database identified the account zeta88 (also known as hastalamuerte) as the administrator. This individual runs the entire infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the program's administrator. The leak further suggested that the admin not only manages the program but also actively participates in or directly carries out some infections. By collecting all available ransomware samples, researchers identified 8 distinct affiliate TOX IDs, including the admin's own TOX ID, reinforcing the admin's dual role as both manager and affiliate.

What technical details were exposed in the internal discussions?

The leaked internal discussions revealed an array of technical details about The Gentlemen's operations. These included the division of roles among affiliates, shared toolsets, and the specific initial access paths they favored. They focused on Fortinet and Cisco edge appliances, NTLM relay attacks, and logs from OWA and M365 credential harvesting. Additionally, the group actively tracked and evaluated modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 for potential use in their attacks. This information provides a clear picture of how the group operates technically, from initial compromise to final execution.
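The NTLM relay path mentioned above is one of the few items in the leak a defender can hunt for directly in existing telemetry. The following is an added example, not code from the page or from Check Point Research: a hunting heuristic over Windows Security event 4624 (successful logon). In a relay, the attacker forwards the victim's NTLM messages, so the target records a network logon whose WorkstationName is the victim's host name while the connection's IpAddress is the attacker's machine; the same mismatch appears in NTLM reflection, where the relayed authentication is sent back to the victim itself. The inventory and the 4624 events are constructed for the example, and the field names (LogonType, AuthenticationPackageName, WorkstationName, IpAddress, TargetUserName) are the EventData names a SIEM export would carry.

```python
"""Hunt for NTLM relay and reflection in Windows Security 4624 events.

Heuristic: a relayed NTLM logon reaches the target from the attacker's TCP
source, but the NTLM messages still carry the victim's own WorkstationName.
Network NTLM logons whose WorkstationName does not belong to the source IP
are therefore candidates for review.
"""

# Constructed asset inventory (host name -> IP). In production this would be
# pulled from DHCP leases, DNS or the CMDB rather than hard-coded.
ASSET_INVENTORY = {
    "WS-FINANCE-07": "10.10.20.57",
    "WS-HR-03": "10.10.20.31",
    "SRV-FILE-01": "10.10.10.5",
}

# Constructed 4624 events, reduced to the fields the heuristic needs.
SAMPLE_EVENTS = [
    # Benign: host name and source IP agree.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.doe", "WorkstationName": "WS-FINANCE-07",
     "IpAddress": "10.10.20.57"},
    # Relay: WS-HR-03's credentials arrive from an IP that is not WS-HR-03.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-HR-03",
     "IpAddress": "10.10.20.199"},
    # Kerberos logon: not NTLM, ignored.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "a.smith", "WorkstationName": "WS-FINANCE-07",
     "IpAddress": "10.10.20.57"},
    # Interactive local logon: no network source to compare, ignored.
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.doe", "WorkstationName": "WS-HR-03",
     "IpAddress": "-"},
    # Empty workstation name from a remote source: common with relay tooling.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "-",
     "IpAddress": "10.10.20.199"},
    # Unknown host name: cannot be verified against the inventory.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "m.lee", "WorkstationName": "DESKTOP-Q1W2E3",
     "IpAddress": "10.10.20.250"},
]

LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}


def find_ntlm_relay_candidates(events, inventory):
    """Return findings ({"severity", "reason", "event"}) for NTLM network
    logons whose WorkstationName does not match the host owning IpAddress."""
    inv_upper = {host.upper(): ip for host, ip in inventory.items()}
    ip_to_host = {ip: host.upper() for host, ip in inventory.items()}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only network logons can be relayed
        if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
            continue  # Kerberos logons are not subject to this relay
        src_ip = str(ev.get("IpAddress", "-")).strip()
        if src_ip in LOCAL_SOURCES:
            continue  # no network source to compare against
        ws = str(ev.get("WorkstationName", "-")).strip().upper()
        claimed_ip = inv_upper.get(ws)
        if ws in ("-", ""):
            sev, why = "medium", f"empty WorkstationName on NTLM logon from {src_ip}"
        elif claimed_ip is not None and claimed_ip != src_ip:
            actual = ip_to_host.get(src_ip, "unknown host")
            sev, why = "high", (f"WorkstationName {ws} belongs to {claimed_ip} "
                                f"but logon came from {src_ip} ({actual})")
        elif claimed_ip is None:
            sev, why = "low", f"WorkstationName {ws} not in inventory; verify {src_ip}"
        else:
            continue  # name and source agree
        findings.append({"severity": sev, "reason": why, "event": ev})
    return findings


if __name__ == "__main__":
    for f in find_ntlm_relay_candidates(SAMPLE_EVENTS, ASSET_INVENTORY):
        ev = f["event"]
        print(f'[{f["severity"]}] {ev["TargetUserName"]}: {f["reason"]}')
```

The heuristic produces false positives wherever the inventory is stale or a source address is shared (VPN pools, NAT, multi-homed hosts), so it is a triage filter rather than an alert on its own; correlate the high-severity hits with bursts of 4624 events for different accounts from the same source. The fix that removes the attack class is to require SMB and LDAP signing, enable channel binding (EPA) on HTTPS endpoints, and restrict or disable NTLM where the environment allows.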

How did the group use dual‑pressure tactics in ransom negotiations?

The leaked chats show The Gentlemen used a dual‑pressure tactic during negotiations. In one case, data stolen from a UK software consultancy was later reused to attack a company in Turkey. During negotiations with the Turkish firm, the group portrayed the UK consultancy as the access broker, claiming the intrusion had originated on the UK side, and encouraged the Turkish company to consider legal action against the consultancy, presenting this as evidence of where the breach came from. The tactic pressured both parties at once: the Turkish firm faced extortion and potential legal costs, while the UK consultancy risked reputational damage and litigation. Its aim was to maximize the likelihood of payment and to create friction between the two victims.


How many affiliates were identified and what does it say about the admin's activity?

By analyzing all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator's own TOX ID. This finding indicates that the admin not only manages the RaaS program but also actively participates in or directly carries out some of the infections. The presence of the admin's TOX ID among the affiliates suggests a hands‑on approach to building the group's reputation and ensuring operational success. With 332 published victims in the first five months of 2026, placing The Gentlemen as the second most productive RaaS in that period, the admin's dual role likely contributes to the group's high activity level and efficient execution.

What specific CVEs were being tracked by the group, and why are they significant?

The leaked database revealed that The Gentlemen actively tracked and evaluated several modern CVEs: CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. These vulnerabilities are significant because they map directly onto the initial access paths seen elsewhere in the leak. CVE-2024-55591 is an authentication bypass in FortiOS and FortiProxy (via the Node.js websocket module of the management interface) that gives an unauthenticated remote attacker super‑admin privileges on an exposed device. CVE-2025-32433 is a pre‑authentication remote code execution flaw in the Erlang/OTP SSH server; it reaches network and edge equipment, including a number of Cisco products, that embed that SSH implementation. CVE-2025-33073 is a Windows SMB client elevation‑of‑privilege bug, an NTLM reflection variant in which a machine is coerced to authenticate and that authentication is relayed back to it, which is the NTLM relay path the internal discussions describe. By monitoring these CVEs, The Gentlemen aimed to quickly exploit new weaknesses for initial access, a key component of their attack chain. Their ability to rapidly incorporate such vulnerabilities into their operations highlights their agility and technical sophistication, allowing them to compromise high‑value targets efficiently.
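For the Fortinet entry in that list, the practical defender question is whether a device was already exploited before patching. The following is an added example, not code from the page or from Check Point Research: a small hunt over FortiGate system event logs for the post‑exploitation pattern Fortinet's advisory for CVE-2024-55591 (FG-IR-24-535) describes, namely admin logins through the jsconsole interface from loopback or spoofed source addresses, followed by creation of admin accounts with random names, also attributed to jsconsole. The log lines are constructed in the FortiGate key=value event format to exercise the checks; they are not captured from a real device, and the parsing assumes that format.

```python
"""Hunt FortiGate event logs for the CVE-2024-55591 post-exploitation pattern.

Indicators (from Fortinet's FG-IR-24-535 advisory): successful admin logins
with ui="jsconsole" from loopback or identical src/dst addresses, and
system.admin objects added from jsconsole. The sample lines below are
CONSTRUCTED to exercise the checks and are not real device output.
"""
import re

# key=value pairs; values are either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample log lines (not captured from a device).
SAMPLE_LOGS = [
    # Normal GUI login from an admin workstation: not flagged.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" '
    'method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success"',
    # jsconsole login with identical, spoofed src/dst: exploit indicator.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success"',
    # jsconsole login from loopback: exploit indicator.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'method="jsconsole" srcip=127.0.0.1 dstip=127.0.0.1 action="login" status="success"',
    # Rogue super_admin account created from jsconsole.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgpath="system.admin" cfgobj="vOcep" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    # jsconsole login from a real admin IP: legitimate GUI console use, review only.
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" '
    'method="jsconsole" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success"',
]


def parse_kv(line):
    """Parse one FortiGate-style key=value line into a dict."""
    out = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else bare
    return out


def hunt_fortios_logs(lines):
    """Return findings ({"severity", "reason", "user"}) for jsconsole activity
    matching the advisory's indicators."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        ui = ev.get("ui", "")
        if not ui.startswith("jsconsole"):
            continue  # every indicator for this bug involves the jsconsole interface
        src, dst = ev.get("srcip", ""), ev.get("dstip", "")
        if ev.get("logdesc") == "Admin login successful":
            if src in LOOPBACK:
                sev, why = "high", f"jsconsole login from loopback {src}"
            elif src == dst:
                sev, why = "high", f"jsconsole login with srcip == dstip ({src}), likely spoofed"
            else:
                sev, why = "low", f"jsconsole login from {src}; confirm it is an admin workstation"
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            sev, why = "high", f"admin account {ev.get('cfgobj')!r} added via {ui}"
        else:
            continue
        findings.append({"severity": sev, "reason": why, "user": ev.get("user")})
    return findings


if __name__ == "__main__":
    for f in hunt_fortios_logs(SAMPLE_LOGS):
        print(f'[{f["severity"]}] user={f["user"]}: {f["reason"]}')
```

A legitimate administrator using the GUI's CLI console also produces ui="jsconsole" entries, which is why a login from a plausible source address is only marked for review; the loopback and spoofed src/dst cases are the ones that should not occur in normal use. If a high‑severity hit is found, treat the device as compromised: review the admin and SSL‑VPN user lists for unknown entries, rotate credentials, and restrict management access to trusted addresses rather than the internet.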