Inside The Gentlemen RaaS: Q&A on the 2026 Database Leak

The Gentlemen ransomware-as-a-service (RaaS) operation, active since mid-2025, gained notoriety in 2026 after an internal database leak exposed operational details. The leak revealed the administrator’s identity, affiliate roles, attack methods, and negotiation tactics. Below, we answer key questions about this group based on Check Point Research’s findings.

What was leaked from The Gentlemen’s backend database and what did it reveal?

On May 4, 2026, the administrator of The Gentlemen RaaS acknowledged on underground forums that the group’s internal backend database, codenamed “Rocket,” had been compromised. The leak exposed nine affiliate accounts, including that of zeta88 (also known as hastalamuerte). This account belonged to the person who manages the entire operation: building the locker, maintaining the RaaS panel, handling payouts, and acting as the program’s administrator. Beyond account details, the leak provided a rare end-to-end view of how the group operates, documenting initial access methods, role divisions, shared toolsets, and even chats from ransom negotiations.

Source: research.checkpoint.com

Who is the administrator of The Gentlemen RaaS and what are their responsibilities?

The administrator uses the alias zeta88 (or hastalamuerte) and is the central figure behind The Gentlemen RaaS. Based on the leaked database, this individual is responsible for running the infrastructure, developing the ransomware locker and the RaaS panel, managing affiliate payouts, and overseeing the entire program. Affiliates join the platform to carry out attacks, but the admin retains control over the technical core. The leak also indicated that the admin personally participates in infections: Check Point Research identified 8 distinct affiliate TOX IDs in the collected samples, and zeta88’s own TOX ID was among them. This suggests a hands-on role beyond just management.

How does The Gentlemen gain initial access to victims?

The leak detailed several preferred initial access paths used by The Gentlemen’s affiliates. These include exploiting edge appliances from Fortinet and Cisco, performing NTLM relay attacks, and harvesting credentials from OWA/M365 logs. The group’s internal discussions show they actively evaluate and weaponize recent CVEs. For example, they tracked CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 for potential exploitation. This focus on edge devices and credential theft highlights a strategic approach to breaching corporate networks quickly, often before patches are applied.

What does a typical ransom negotiation look like for The Gentlemen?

Leaked screenshots from ransom negotiations provide a concrete example. In one successful case, the group demanded an initial amount (referred to as an “anchor”) of 250,000 USD but ultimately settled for 190,000 USD. The negotiations show a willingness to lower demands after pressure from the victim. The leak also included chat logs where affiliates discussed tactics such as applying psychological pressure and demonstrating proof of data exfiltration. This case illustrates that even with a substantial anchor demand, the group accepts compromises, likely to guarantee a payout and avoid prolonged deadlock.


How did The Gentlemen use a dual-pressure tactic involving a UK consultancy and a Turkish company?

In a notable incident, The Gentlemen reused stolen data from a UK software consultancy to attack a company in Turkey. During negotiations with the Turkish victim, they employed a dual-pressure tactic: they portrayed the UK firm as an “access broker” that had originally supplied the breach vector. To amplify the pressure, The Gentlemen offered “proof” that the intrusion originated from the UK side and encouraged the Turkish company to consider legal action against the consultancy. This approach not only distracted the victim but also created distrust between two organizations, potentially increasing the likelihood of ransom payment or further exploitation.

How active is The Gentlemen RaaS and how many affiliates have been identified?

In 2026, The Gentlemen appears to be one of the most prolific RaaS programs. Their data leak site (DLS) listed approximately 332 victims in just the first five months of the year, making them the second most productive RaaS operation in that period among those that publicly list victims. Check Point Research collected all available ransomware samples and identified 8 distinct affiliate TOX IDs, including the administrator’s. This low number of affiliates suggests a tightly controlled, small group of highly trusted operators, with the admin directly involved in infections. The high victim count relative to the affiliate base indicates that each affiliate is highly active or uses automated targeting techniques.
