A post on an underground forum confirmed a major breach: the internal backend database of The Gentlemen ransomware-as-a-service (RaaS) operation, codenamed ‘Rocket,’ had been leaked. This was no minor glitch. The exposure, dated May 4th, 2026, revealed nine critical accounts, including that of zeta88, also known as hastalamuerte. Far from being a mere cog in the machine, this individual apparently calls the shots: they build the locker, manage the RaaS panel, oversee payouts and, by all accounts, act as the de facto administrator. It is a stark reminder that even in the shadow economy leadership matters, and sometimes that leadership is the weakest link.
A Window Into the Digital Syndicate
The sheer volume of data exfiltrated is what gives this leak its teeth. We are not just talking about a few angry messages. The internal discussions provide an end-to-end view of the operation, detailing everything from initial access vectors (Fortinet and Cisco edge appliances, NTLM relay attacks, and compromised OWA/M365 credentials) to the granular division of labor among its operatives. They actively track and evaluate current CVEs, among them CVE-2024-55591 (a FortiOS/FortiProxy authentication bypass), CVE-2025-32433 (an unauthenticated remote code execution flaw in the Erlang/OTP SSH server) and CVE-2025-33073 (a Windows SMB client NTLM reflection flaw), a list that lines up neatly with the edge-appliance and NTLM-relay access paths they favor.
And then there are the ransom negotiations, laid bare for all to see. One successful case yielded a cool $190,000 after an initial demand of $250,000. It is a business transaction, albeit a deeply illicit one, where the stakes run to hundreds of thousands of dollars per victim and the currency is fear.
The Art of the Double Pressure Tactic
What truly elevates this leak beyond a simple list of victims and technical minutiae is the insight into The Gentlemen’s psychological warfare. Chats indicate that data stolen from a UK software consultancy was then used to attack a company in Turkey. The RaaS operators shrewdly positioned the UK firm as the ‘access broker’ to the Turkish target, simultaneously implying that the intrusion originated from the UK side. This double pressure tactic was designed to incite legal action against the consultancy, effectively turning victim against victim and sowing discord, a particularly nasty piece of strategic manipulation.
This level of strategic depth, combined with their operational tempo, is what’s truly alarming. By collecting all available ransomware samples, Check Point Research identified eight distinct affiliate TOX IDs, and remarkably, the administrator’s own TOX ID was among them. This suggests the admin isn’t just orchestrating from on high; they’re likely rolling up their sleeves and participating directly in some of the infections. It’s a hands-on leadership style, for better or worse, that permeates the entire organization.
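The sample-collection step described above, cross-referencing TOX IDs recovered from ransom notes against the operator’s published ID, is something a threat-intel team can reproduce. The following is an added example, not Check Point’s tooling or anything from the leak: it extracts 76-character TOX IDs from note text, drops any whose checksum fails (a Tox ID is a 32-byte public key, a 4-byte nospam value and a 2-byte XOR checksum over the first 36 bytes, per the Tox specification), clusters samples by ID, and flags which samples carry the operator’s own ID. All sample notes, keys and file names are constructed for the example; none correspond to real affiliates.

```python
import re
from collections import defaultdict

# A Tox ID is 38 bytes hex-encoded: 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def tox_checksum_ok(tox_id: str) -> bool:
    """Validate the 2-byte checksum: XOR of the first 36 bytes folded into 2 bytes."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


def extract_tox_ids(text: str) -> list[str]:
    """Return the checksum-valid TOX IDs found in a ransom note, upper-cased."""
    return [m.group(0).upper() for m in TOX_ID_RE.finditer(text)
            if tox_checksum_ok(m.group(0))]


def cluster_by_tox_id(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each TOX ID to the sorted list of sample names whose notes contain it."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for name, note in samples.items():
        for tox_id in extract_tox_ids(note):
            clusters[tox_id].add(name)
    return {tox_id: sorted(names) for tox_id, names in clusters.items()}


def profile_operation(samples: dict[str, str], operator_tox_id: str) -> dict:
    """Split recovered IDs into the operator's own ID and affiliate IDs."""
    clusters = cluster_by_tox_id(samples)
    operator = operator_tox_id.upper()
    return {
        "distinct_ids": len(clusters),
        "operator_samples": clusters.get(operator, []),
        "affiliate_ids": sorted(i for i in clusters if i != operator),
    }


def make_tox_id(public_key: bytes, nospam: bytes) -> str:
    """Build a checksum-valid Tox ID. Used here only to construct test data."""
    body = public_key + nospam
    assert len(body) == 36
    check = [0, 0]
    for i, b in enumerate(body):
        check[i % 2] ^= b
    return (body + bytes(check)).hex().upper()


# Constructed test data: placeholder keys, not real TOX IDs.
OPERATOR_ID = make_tox_id(bytes([0x11]) * 32, bytes.fromhex("00000001"))
AFFILIATE_ID = make_tox_id(bytes(range(32)), bytes.fromhex("DEADBEEF"))
# Same ID with the checksum mangled, as a truncated or edited note might carry.
CORRUPT_ID = AFFILIATE_ID[:-2] + "00"

SAMPLES = {  # constructed ransom-note fragments keyed by sample name
    "sample_a.txt": f"Your files are encrypted. Contact us via TOX: {AFFILIATE_ID}",
    "sample_b.txt": f"To negotiate, message TOX {AFFILIATE_ID} within 72 hours.",
    "sample_c.txt": f"Support TOX ID: {OPERATOR_ID}. Do not involve the police.",
    "sample_d.txt": f"Contact TOX: {CORRUPT_ID} (note damaged in extraction)",
}

if __name__ == "__main__":
    for tox_id, names in cluster_by_tox_id(SAMPLES).items():
        print(tox_id, names)
    print(profile_operation(SAMPLES, OPERATOR_ID))
```

The checksum filter matters in practice: ransom notes are often recovered from partial or re-encoded files, and a regex alone will happily cluster on mangled IDs. Feeding a real corpus through this means swapping `SAMPLES` for note text read from disk and `OPERATOR_ID` for the ID advertised on the DLS or forum.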
The Gentlemen’s Rapid Ascent
The Gentlemen RaaS operation is a relatively new player, appearing around mid-2025. They have been aggressive in their recruitment, advertising their services across multiple underground forums and actively soliciting penetration testers and other technically skilled actors to join their ranks as affiliates. The profit-sharing model, a staggering 90% for affiliates and a mere 10% for the operator, is a potent lure designed to attract skilled intrusion operators.
Based on victims listed on their data leak site (DLS) in early 2026, The Gentlemen appears to be one of the most active RaaS programs, boasting approximately 332 published victims in just the first five months of the year. This volume positions them as the second most productive RaaS operation during that period, at least among those that publicly broadcast their conquests.
During previous analysis by Check Point Research, a specific infection carried out by one of The Gentlemen’s affiliates showcased the scale of their reach. That affiliate employed SystemBC, and the associated command-and-control (C&C) server pointed to over 1,570 victims. Now, with this latest leak, the focus shifts from individual infections to the engine driving them: the affiliate program itself and the actors who populate it.
The leaked material offers a comprehensive view of operational coordination, from sharing toolsets and EDR-kill packages to discussing infrastructure components like the ‘Rocket’ database and NAS storage. They meticulously review CVEs and exploit paths, demonstrating a constant hunt for new avenues of compromise. It’s a rare, unvarnished look at how a modern ransomware syndicate plans, executes, and scales its nefarious activities.
The Lure of the 90/10 Split
The Gentlemen RaaS administrator has been a remarkably vocal proponent of their service, actively engaging on various underground forums to woo potential affiliates. The aggressive profit-sharing model—90% for affiliates, 10% for the operator—is a critical component of their recruitment strategy. This extreme split is designed to incentivize affiliates, promising them the lion’s share of the ill-gotten gains, a stark contrast to the often more operator-centric models seen elsewhere.
As early as September 2025, the account Zeta88, likely the administrator, began posting messages inviting individual penetration testers to join. Later, the official RaaS posts started appearing under the account ‘The Gentlemen,’ with the administrator also sharing their TOX ID across forums. The same TOX ID is visible on their onion data leak site (DLS), where affiliates or victims can contact the operator, and it appears again on the profile page shown in the operation’s own demonstration of how affiliates build the ransomware, tying the forum persona, the DLS and the builder panel to one actor.
This persistent online presence and clear communication channel underscore a professional, albeit criminal, approach to managing their RaaS operation. It’s a well-oiled machine, from initial exploit to final payout, and this leak provides the blueprint.
The Unseen Cost: What This Leak Means
The exposure of The Gentlemen’s internal database is not just a win for researchers; it is a significant blow to their operational security and likely their ongoing efficacy. Knowing the identities of key personnel, the infrastructure they rely on, and their preferred exploitation methods equips defenders with invaluable intelligence. That intelligence can be used to prioritise patching of the edge appliances and CVEs the group favors, to build more targeted detections for their access paths and tooling, and potentially to disrupt future operations. The RaaS market is fiercely competitive, and a breach of this magnitude can erode trust among affiliates, potentially fracturing the group or driving affiliates toward operations they judge more secure (read: less compromised). The market dynamics are clear: trust is currency, and The Gentlemen just saw their balance depleted significantly.
Frequently Asked Questions
What does The Gentlemen RaaS actually do?
The Gentlemen is a ransomware-as-a-service (RaaS) operation. They develop ransomware and allow other cybercriminals (affiliates) to use it to attack victims, sharing the profits.
Who is zeta88?
Zeta88 is identified as the administrator of The Gentlemen RaaS operation. They are reportedly responsible for building the ransomware, managing the backend systems, and overseeing financial payouts.
How active is The Gentlemen RaaS?
Based on victim lists from early 2026, The Gentlemen RaaS was one of the most active operations, with approximately 332 published victims in the first five months of that year, making it the second most productive RaaS program publicly known at that time.