Inside The Gentlemen Ransomware: 8 Revelations from a Leaked Database


The Gentlemen ransomware-as-a-service (RaaS) operation, active since mid-2025, has quickly become one of the most prolific cybercrime groups. A significant database leak in May 2026 exposed its internal backend, revealing unprecedented details about its administrator, affiliates, tools, and tactics. This article distills the key findings from Check Point Research's analysis into eight numbered insights, each offering a close look at how this underground enterprise operates.


1. The Leak That Exposed the Admin

On May 4th, 2026, the administrator of The Gentlemen RaaS program acknowledged on an underground forum that their internal backend database, code-named Rocket, had been leaked. The breach exposed nine accounts, including that of the administrator himself, known by the alias zeta88 (also hastalamuerte). This individual is responsible for running the infrastructure, building the locker and RaaS panel, managing payouts, and effectively acting as the program's leader. The leak provided researchers with an unprecedented glimpse into the group's inner workings and the key figure behind its operations.

[Image: Inside The Gentlemen Ransomware: 8 Revelations from a Leaked Database. Source: research.checkpoint.com]

2. End-to-End View of Operations

The leaked internal discussions paint a complete picture of The Gentlemen's attack lifecycle. They reveal initial access methods such as exploiting vulnerabilities in Fortinet and Cisco edge appliances, using NTLM relay attacks, and harvesting credentials from OWA and Microsoft 365 logs. The chats also detail the division of roles among affiliates, shared toolkits, and the group's active monitoring of emerging CVEs—specifically CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. This level of transparency gives defenders rare insight into the group's technical playbook.

3. Ransom Negotiation Screenshots

Screenshots from actual ransom negotiations were also part of the leak. One particularly telling case shows a successful payment of 190,000 USD, even though the initial or anchor demand had been set at 250,000 USD. The documents reveal how affiliates communicated with victims, adjusted demands based on perceived ability to pay, and applied pressure to close deals. These records offer a rare look at the human side of extortion and the financial mechanics that drive the RaaS model.

4. Stolen Data Reused in Cross-Border Attacks

The Gentlemen demonstrated a sophisticated dual-pressure tactic by reusing stolen data from one victim to attack another. Leaked chats show that the group first targeted a UK software consultancy, exfiltrating sensitive data. They then leveraged that data to compromise a company in Turkey. During negotiations with the Turkish firm, the group portrayed the UK company as an access broker and offered to provide proof that the intrusion originated from the UK side. They even encouraged the Turkish victim to consider legal action against the consultancy, adding a layer of psychological manipulation.

5. Affiliate IDs and Admin Involvement

By collecting ransomware samples from various attacks, Check Point Research identified 8 distinct affiliate TOX IDs—including the administrator's own TOX ID. This suggests that the admin is not only managing the RaaS platform but also actively participates in, or directly carries out, some of the infections. Such dual involvement is relatively rare among RaaS operations, where administrators typically focus on development and support while affiliates handle breaches. This finding underscores the admin's hands-on role in growing the program's victim base.

[Image: Inside The Gentlemen Ransomware: 8 Revelations from a Leaked Database. Source: research.checkpoint.com]
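Insight 5 rests on one analyst technique: pulling the TOX contact IDs out of collected samples and grouping samples by ID to count distinct affiliates. The script below is an added example written for this article, not Check Point Research's tooling. It scans the strings of a sample (here, constructed ransom-note text) for 76-hex-character candidates, rejects false positives by verifying the Tox ID's built-in checksum (the last two bytes are the XOR-fold of the 32-byte public key plus 4-byte nospam, as implemented in toxcore), and clusters samples by the IDs they contain. Every Tox ID, sample name and note in it is a constructed placeholder, not an indicator from the leak.

```python
"""
Extract and cluster Tox IDs embedded in ransomware samples.

Added example for this article; not Check Point Research code. All Tox IDs,
sample names and ransom-note strings below are constructed placeholders.

Tox ID layout (76 hex chars = 38 bytes):
  bytes  0..31  long-term public key
  bytes 32..35  nospam value
  bytes 36..37  checksum: XOR of the first 36 bytes folded into two bytes
"""
from __future__ import annotations

import re
from collections import defaultdict

# A Tox ID is exactly 76 hex digits; \b keeps us from matching inside longer hex blobs.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def tox_checksum(data: bytes) -> bytes:
    """toxcore-style checksum: checksum[i % 2] ^= data[i] over pubkey||nospam (36 bytes)."""
    if len(data) != 36:
        raise ValueError("checksum input must be pubkey (32) + nospam (4) bytes")
    cs = [0, 0]
    for i, b in enumerate(data):
        cs[i % 2] ^= b
    return bytes(cs)


def is_valid_tox_id(candidate: str) -> bool:
    """True if the 76-hex-char string carries a correct trailing checksum."""
    raw = bytes.fromhex(candidate)
    return raw[36:] == tox_checksum(raw[:36])


def make_tox_id(pubkey_hex: str, nospam_hex: str) -> str:
    """Build a syntactically valid Tox ID; used here only to construct test data."""
    body = bytes.fromhex(pubkey_hex) + bytes.fromhex(nospam_hex)
    return (body + tox_checksum(body)).hex().upper()


def extract_tox_ids(text: str) -> list[str]:
    """Checksum-valid Tox IDs found in a strings dump or ransom note, deduplicated, in order."""
    found: list[str] = []
    for m in TOX_ID_RE.finditer(text):
        cand = m.group(0).upper()
        if is_valid_tox_id(cand) and cand not in found:
            found.append(cand)
    return found


def cluster_by_affiliate(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each Tox ID to the list of sample names whose strings contain it."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for name, strings in samples.items():
        for tid in extract_tox_ids(strings):
            clusters[tid].append(name)
    return dict(clusters)


# ---- constructed test data (placeholders, not real affiliate IDs) ----
AFFILIATE_A = make_tox_id("11" * 32, "DEADBEEF")   # checksum works out to 6042
AFFILIATE_B = make_tox_id("22" * 32, "01020304")   # checksum works out to 0206
BOGUS = AFFILIATE_A[:-4] + "0000"                  # right length, wrong checksum

SAMPLES = {
    "sample_01.bin": f"Your files are encrypted. Contact us on TOX: {AFFILIATE_A} within 72h.",
    "sample_02.bin": f"TOX ID {AFFILIATE_A}\nDo not contact police.",
    "sample_03.bin": f"Support: {BOGUS} (old) / {AFFILIATE_B} (new)",
    "sample_04.bin": "No contact details in strings; packed stub only.",
}


def distinct_affiliates(samples: dict[str, str]) -> int:
    """Number of distinct checksum-valid Tox IDs across all samples."""
    return len(cluster_by_affiliate(samples))


if __name__ == "__main__":
    for tid, names in cluster_by_affiliate(SAMPLES).items():
        print(f"{tid[:16]}...  {len(names)} sample(s): {', '.join(names)}")
    print("distinct affiliate IDs:", distinct_affiliates(SAMPLES))
```

The checksum step matters in practice: a 76-character hex run is common in binaries (hashes, keys, padding), so a naive regex over sample strings over-counts affiliates. Validating the trailing two bytes filters those out before clustering, and the cluster sizes then give the per-affiliate sample counts the research relied on.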

6. Staggering Victim Volume

Based on victims listed on The Gentlemen's data leak site (DLS), the group appears to be one of the most active RaaS programs in 2026. In just the first five months of the year, approximately 332 victims were published. This volume places The Gentlemen as the second most productive RaaS operation during that period, at least among groups that publicly list their victims. The rapid growth signals effective recruitment, aggressive affiliate incentives, and a well-tuned operational pipeline.

7. SystemBC Connection and 1,570 Victims

In a previous analysis, Check Point Research examined a specific infection carried out by an affiliate of The Gentlemen. That affiliate used the SystemBC proxy bot as part of the attack chain. The associated command-and-control (C&C) server was observed handling more than 1,570 victims. This suggests that many victims may go unreported on the public leak site, and the actual scale of The Gentlemen's operations could be far higher. The pairing of ransomware with SystemBC highlights the group's reliance on established crimeware toolkits.

8. The RaaS Business Model

The Gentlemen operates as a classic ransomware-as-a-service model. Its administrator advertises the platform on multiple underground forums, targeting pentesters and technically skilled actors as affiliates. Affiliates are provided with the locker, the RaaS panel for managing attacks, and ongoing support. The leaked database confirms that the administrator retains oversight of payouts and infrastructure while affiliates focus on initial access and deployment. This collaborative yet centrally controlled structure has proven highly effective, as evidenced by the group's rapid rise in victim count and revenue.

Conclusion: The Rocket database leak has torn the veil off The Gentlemen RaaS operation, exposing its leadership, tactics, and affiliate network. From the administrator's dual role to the reuse of stolen data across borders, these revelations underscore the sophistication and adaptability of modern cybercrime enterprises. Security teams can use this intelligence to bolster defenses against the group's preferred methods, while law enforcement gains critical leads. As The Gentlemen continues to evolve, this leak serves as a stark reminder that even the most secretive criminal operations can be unmasked.
