
2026-05-21 10:59:33

Inside The Gentlemen Ransomware-as-a-Service: Leaked Database Reveals Affiliate Operations and Tactics

A deep dive into The Gentlemen RaaS operation through a leaked internal database, exposing admin accounts, affiliate roles, initial access methods, ransom tactics, and group activity.

Introduction

In the ever-evolving landscape of ransomware threats, a relatively new player has emerged with alarming speed. The Gentlemen ransomware-as-a-service (RaaS) operation first appeared around mid-2025, quickly establishing a presence across underground forums by advertising its encryption platform and recruiting skilled affiliates—ranging from penetration testers to seasoned cybercriminals. By 2026, this group has become one of the most prolific RaaS programs, listing approximately 332 victims on its data leak site (DLS) within the first five months alone—making it the second most productive such operation during that period among those that publicly name their targets.

[Figure: Inside The Gentlemen Ransomware-as-a-Service: Leaked Database Reveals Affiliate Operations and Tactics. Source: research.checkpoint.com]

This article dives into the inner workings of The Gentlemen, based on a significant leak that its own administrator confirmed on May 4, 2026. The leak exposed an internal backend database known as Rocket, which contained detailed operational information about the group's infrastructure, affiliates, and victims. Our analysis, drawing from a partial leak obtained by Check Point Research, unveils the roles, tools, negotiation tactics, and technical methods that drive this threat actor.

The Leak: Inside the Rocket Database

On May 4, 2026, The Gentlemen’s administrator took to underground forums to acknowledge that an internal backend database—dubbed Rocket—had been leaked. This database contained sensitive information on nine accounts, including that of the administrator himself, known by the handle zeta88 (also hastalamuerte). The administrator is responsible for running the infrastructure, building both the locker and the RaaS panel, managing affiliate payouts, and effectively overseeing the entire program.

The leaked discussions provide a rare end-to-end view of how the operation functions. They detail initial access vectors, role divisions, shared toolkits, and the group’s active monitoring and evaluation of recent vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. This intelligence highlights the group’s agility in weaponizing newly disclosed exploits.

Initial Access and Affiliate Roles

The internal chats reveal that The Gentlemen’s affiliates commonly gain initial access through vulnerable edge appliances (specifically Fortinet and Cisco devices), through NTLM relay attacks, and through the use of OWA (Outlook Web App) and M365 credential logs. This combination of techniques lets them breach corporate networks with relative ease.

Role division is clear: while the administrator and a few core members handle the ransomware locker and payment platform, affiliates focus on penetration and network compromise. Shared tools are frequently discussed and updated across the group, ensuring consistency in infection chains.
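Of the initial-access techniques named above, NTLM relay is the one a defender can hunt for in ordinary Windows Security logs. The following is an added example, not code from Check Point Research, the article, or the leaked database: it applies a common hunting heuristic, an NTLM network logon (event 4624, logon type 3) whose claimed workstation name does not match the source address the logon actually came from, and then groups hits by source address, since one address presenting many different workstation names is the classic relay-box pattern. The event records, the host inventory and the heuristic itself are assumptions constructed for illustration.

```python
"""Hunt for NTLM relay indicators in Windows Security event 4624 records.

Added example; not Check Point's code nor anything from the leaked database.
The event lines, the host inventory and the mismatch heuristic are all
constructed assumptions for illustration.
"""

import re
from dataclasses import dataclass

# Constructed inventory: the IP address each workstation is expected to
# authenticate from (in practice this comes from DHCP/CMDB data).
HOST_INVENTORY = {
    "WS-FINANCE01": "10.0.5.21",
    "WS-HR02": "10.0.5.44",
    "SRV-FILE01": "10.0.1.10",
}

# Constructed sample of event 4624/4625 records flattened to key=value lines
# (not real logs). Lines 2 and 4 carry the relay pattern: an NTLM network
# logon claiming a known workstation but arriving from an unexpected address.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=jdoe Workstation=WS-FINANCE01 SourceIP=10.0.5.21
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=jdoe Workstation=WS-FINANCE01 SourceIP=10.0.9.77
EventID=4624 LogonType=3 AuthPkg=Kerberos TargetUser=asmith Workstation=WS-HR02 SourceIP=10.0.5.44
EventID=4624 LogonType=3 AuthPkg=NTLM TargetUser=svc_backup Workstation=WS-HR02 SourceIP=10.0.9.77
EventID=4624 LogonType=2 AuthPkg=NTLM TargetUser=jdoe Workstation=WS-FINANCE01 SourceIP=-
EventID=4625 LogonType=3 AuthPkg=NTLM TargetUser=jdoe Workstation=WS-FINANCE01 SourceIP=10.0.9.77
"""


@dataclass(frozen=True)
class Finding:
    user: str
    workstation: str
    expected_ip: str
    source_ip: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict; an empty line yields {}."""
    return dict(_KV.findall(line))


def find_relay_indicators(text, inventory):
    """Return one Finding per successful NTLM network logon whose workstation
    name is in the inventory but whose source address is not the expected one."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        # Only successful (4624) network (type 3) logons over NTLM matter here.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthPkg") != "NTLM":
            continue
        expected = inventory.get(ev.get("Workstation"))
        if expected is None or ev.get("SourceIP") == expected:
            continue
        findings.append(Finding(ev["TargetUser"], ev["Workstation"],
                                expected, ev["SourceIP"]))
    return findings


def relaying_hosts(findings):
    """Group findings by source address: {source_ip: sorted workstation names}.
    An address that impersonates several workstations deserves the first look."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.source_ip, set()).add(f.workstation)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    hits = find_relay_indicators(SAMPLE_EVENTS, HOST_INVENTORY)
    for f in hits:
        print(f"user={f.user} claimed={f.workstation} expected={f.expected_ip} "
              f"actual={f.source_ip}")
    print(relaying_hosts(hits))
```

Run against the constructed sample, the two NTLM logons from 10.0.9.77 are flagged and that address is reported as impersonating both WS-FINANCE01 and WS-HR02. The heuristic needs an accurate name-to-address inventory and will misfire across NAT, VPN pools and DHCP churn, so it is a triage filter rather than a verdict; the structural mitigations for this access path (requiring SMB and LDAP signing and enabling Extended Protection for Authentication on services such as OWA) remove the relay opportunity rather than just detecting it.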

Ransom Negotiations and Successes

Among the leaked materials were screenshots from actual ransom negotiations. One notable case shows a successful payment of $190,000 USD, after an initial demand of $250,000 USD (referred to as the "anchor"). The ability to secure such a sum—even after negotiation—demonstrates the group’s effectiveness in pressuring victims.


Data Reuse as a Dual-Pressure Tactic

Further chat logs illustrate a particularly cunning tactic: the reuse of stolen data from one target to attack another. In this instance, data stolen from a UK software consultancy was later employed against a company in Turkey. During negotiations with the Turkish firm, The Gentlemen portrayed the UK consultancy as an "access broker," providing "proof" that the intrusion originated from the UK side. They even encouraged the Turkish company to consider legal action against the consultancy, thereby creating distrust and applying dual pressure.

Affiliate Identities and Admin Activity

Check Point Research’s collection of all available ransomware samples identified 8 distinct affiliate TOX IDs, including the administrator’s own TOX ID. This finding suggests that the admin not only manages the RaaS program but also actively participates in—or directly carries out—some infections. Such hands-on involvement blurs the line between RaaS operator and affiliate, likely contributing to the group’s rapid growth and operational control.

Conclusion

The Gentlemen RaaS operation exemplifies the modern cybercrime ecosystem, where leaked databases and internal communications offer unprecedented insight into threat actor behavior. From exploiting edge devices to leveraging stolen data for secondary attacks, this group demonstrates a high level of coordination and technical sophistication. As of early 2026, with hundreds of victims already listed, The Gentlemen remains a serious threat that organizations should monitor closely. Understanding their tactics—shared tools, evolving CVE targets, and aggressive negotiation strategies—can help defenders better prepare and respond.

For further reading on related ransomware trends, see our analysis on RaaS operations and initial access techniques.