SOCRadar® Cyber Intelligence Inc. | Inside The Gentlemen Ransomware Leak: When the Hunter Becomes the Hunted
May 15, 2026
May 20, 2026
Moon

Inside The Gentlemen Ransomware Leak: When the Hunter Becomes the Hunted

Ransomware groups spend their days breaking into networks, stealing data, and pressuring victims into paying. They rarely find themselves on the other side of that equation. But in early May 2026, one of the most active ransomware operations in the world found out what it feels like.

The Gentlemen, a Ransomware-as-a-Service (RaaS) group that has been tearing through organizations globally since mid-2025, suffered a breach of its own backend infrastructure. Internal chat logs, affiliate rosters, ransom negotiation transcripts, operational tooling discussions, and server credentials were all exposed. The leak surfaced on underground forums, briefly went up for sale, and was eventually dumped publicly on a file-sharing platform before being taken down.

Leaks like this are a rare opportunity for defenders. They can see behind the curtain on how modern ransomware operations are structured, how they recruit, how they pick targets, and how they split the money. For The Gentlemen, it is an operational security failure that has laid their entire playbook bare.

Who Are The Gentlemen?

The Gentlemen is a RaaS operation that first appeared around mid-2025. The group runs a classic affiliate model: the core team builds and maintains the ransomware tooling, the infrastructure, and the negotiation platform, while affiliates carry out the actual intrusions in exchange for a cut of the ransom payments.

What makes The Gentlemen stand out is the speed at which they scaled. Within the first half of 2026, the group published approximately 330 victims on their data leak site.

The Gentleman Ransomware Group threat actor card

The operation is led by a Russian-speaking threat actor who goes by the aliases hastalamuerte and zeta88. Before launching The Gentlemen, hastalamuerte ran an affiliate crew called ArmCorp under the Qilin Ransomware program.

In July 2025, he opened a public arbitration thread on the RAMP underground forum, accusing Qilin’s operators of withholding roughly $48,000 in unpaid commission from a corporate victim negotiation. That dispute was the public trigger for the split, but evidence suggests the move was already in the works.

The earliest known Gentlemen ransomware sample (51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2) was uploaded to VirusTotal on July 17, 2025, five days before the arbitration post went live. Building a multi-platform ransomware operation with custom infrastructure and a data leak site takes significant development time, which means hastalamuerte was building his own brand while still formally affiliated with Qilin.

Dark Web forum post advertises The Gentlemen’s RaaS (SOCRadar Dark Web News)

The group uses a Go-based ransomware locker capable of targeting Windows, Linux, NAS, and BSD systems, with a dedicated C-based locker for ESXi hypervisors. They employ a double-extortion model: encrypting victim data while threatening to publish stolen files if payment is not made. Their geographic targeting is notably different from most ransomware groups. Only about 13% of their victims are based in the United States, with significant victim concentrations in Thailand, the United Kingdom, Brazil, Germany, and India. Consistent with Russian-speaking ransomware norms, the group’s rules explicitly prohibit targeting organizations in Russia and other CIS states.

One of the key factors in their rapid growth has been an aggressive affiliate model. The Gentlemen offer a 90/10 revenue split (90% to the affiliate, 10% to the operator), which is unusually generous and a strong draw for experienced operators.

The Leak: What Happened and How

The 4VPS Connection

On May 2, 2026, a hosting provider called 4VPS published a disclosure stating that its website and billing systems had been hit by an attack involving a proxy server swap. 4VPS claimed that core infrastructure and client data were not affected. This might have been a footnote in any other week, but 4VPS has a reputation as a hosting service used by underground actors. Allegedly, part of The Gentlemen’s infrastructure was hosted on 4VPS, and the attackers obtained NAS credentials during the breach.

The Data Goes Up for Sale

On May 5, 2026, a forum account operating under the handle n7778 posted a listing on Cracked forum with the subject line “The Gentlemen – Hacked Data for Sale.” The asking price was $10,000, payable in Bitcoin. Sample data was offered to potential buyers on request.

In the days that followed, n7778 posted MediaFire links containing proof files to support the claims.

MediaFire link published by n7778 containing proof files

The partial data obtained by researchers totaled around 44.4 MB, but a screenshot shared by n7778 on another forum showed a total dataset of approximately 16.22 GB, which likely represents the full scope of the breach.

What Was in the Leak

The leaked material provided an unusually detailed look at the inner workings of a modern ransomware operation. It included:

  • Server shadow file: containing usernames and password hashes from The Gentlemen’s server. The file listed accounts such as 3NT3R, B1d3n, C0CA, d0wnloAd1, equal1z3r, F3N1X, Gblog88, JLL, LDW, n0n3, PRTGRS, W1Z and zeta88.
  • Internal chat logs: conversations across multiple Rocket.Chat channels (general, INFO, PODBOR, TOOLS) where operators and affiliates coordinated ongoing intrusions, exchanged EDR-kill toolkits, discussed infrastructure, reviewed CVEs, and assigned targets.
  • Ransom negotiation transcripts: including a documented case where the group started with an initial demand of $250,000 and ultimately received $190,000.
  • Operational tooling discussions: details on exploit paths (Fortinet, Cisco edge appliances, NTLM relay), shared toolsets, and the group’s evaluation of recent vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
  • Bitcoin wallet addresses: used internally for fund exchanges and equipment purchases.
  • Evidence of chain-victimization: in April 2026, The Gentlemen breached a UK software consultancy, then used stolen credentials, infrastructure documentation, and client access information from that attack to compromise one of the consultancy’s clients in Turkiye. They then published both organizations on their leak site, explicitly labeling the UK firm as the “access broker” for the Turkish attack, which was a deliberate pressure tactic to trigger legal and reputational conflict between the two companies.

Inside the Organization

Roles and Structure

The leak revealed a compact but well-organized operation with clear role separation. Based on the chat data, we identified the following accounts: Kunder, qbit, JeLLy, Protagor, zeta88, Bl0ck, Wick, quant, donpakto, and mAst3r.

At the center is zeta88/hastalamuerte, who serves as both administrator and active operator. He builds and maintains the ransomware locker, the RaaS panel (which he reportedly constructed using AI coding assistants), the GPO-based deployment mechanism, and the backend infrastructure. He manages payouts and negotiations, assigns targets to teams, and, notably, also participates directly in encryption events. Leaked chats show him posting messages like “I’m locking”.

The remaining operators and their assessed roles are listed below:

Handle: Assessed role
Wick: Senior operator/trainer. Conducts and coaches intrusions; publishes internal tradecraft guides
Protagor: Affiliate operator. Conducts active intrusions; reports to zeta88
qbit: Affiliate. FortiGate brute-forcing, post-exploitation, C2 deployment; shares exploits & tools
quant: Affiliate. Owns dedicated brute-force hardware; maintains log-based target pipeline; conducts LDAP/ADCS attacks
JeLLy: Technical contributor. Develops/shares browser credential extraction tooling
Kunder: New recruit. Shared custom Go-compiled SOCKS implant with panel
Bl0ck: Member (minimal activity in available logs)
mAst3r: Member (referenced in coordination pings)
donpakto: Member; experienced RDP specialist brought in for specific operations

Affiliate tooling:

Credential Harvesting

XenArmor: Paid commercial password recovery tool; primary credential harvester
Chrome-App-Bound-Encryption-Decryption: Bypasses Chrome/Brave App-Bound Encryption. Triggers MS Defender; requires exclusion/disablement
DumpBrowserSecrets: Extracts cookies, saved passwords, autofill from all browsers
buildx641: Custom data collector. Enumerates and archives data from internal SMB shares; requires domain-joined machine
ste.exe: Similar to buildx641
dploot: DPAPI backup key extraction
Mimikatz (updated): Patched build claimed to dump creds on Windows 11 24H2/25H2

C2 Frameworks

Velociraptor v0.76: Open-source DFIR platform repurposed as C2. Official signed binaries, hence low AV/EDR detection. Installed as SYSTEM service via MSI. Full LSASS/memory dump capability.
Adaptix: Havoc-based, rewritten C2. Maintained by quant with crypted build and UAC bypass.
ZeroPulse: Cloudflare Tunnel-based C2; PowerShell agent. Free Cloudflare tier; no exposed attacker IP
Custom Go SOCKS implant: Shared by Kunder. Panel observed at group-controlled VPS.
TailVNC: VNC-based persistence mechanism
Sliver: Considered but rejected; assessed as “console-only” (no GUI panel) by the group

Defensive Evasion Tools

EDR Killer Collection: 7–8 distinct killer tools, each with multiple obfuscated/packed variants
Nyx: Forensic trace cleaner. Considered for integration into locker post-encryption phase
Code Signing Certs: Group actively procuring EV/OV PFX certificates to sign locker and post-exploitation tools

Exfiltration Tools

Rclone / RcloneView: Primary cloud sync/exfil. RcloneView GUI. Mounts cloud storage as local drive.
RaidDrive: Cloud drive mounting
NetDrive: Cloud drive mounting
AirLiveDrive: Cloud drive mounting
MountainDuck: Cloud drive mounting with Cryptomator integration
MEGAcmd: Cloud exfil; service account present in recovered shadow file
Robocopy / xcopy: Native Windows bulk-copy from mounted SMB shares
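As an added, defender-side illustration (not part of SOCRadar's analysis or of the leaked material), the Python below runs two detections over constructed Sysmon-style process-creation records: a silent Velociraptor MSI install, and a cloud-drive mounting tool followed within a short window by a bulk copy from an SMB share on the same host, the exfil chain implied by the tooling lists above. The process image names for the mounting tools, the log layout and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records for illustration (not from the leak):
# timestamp|host|user|image|command line
SAMPLE_LOG = """\
2026-04-10T02:11:04|FS01|NT AUTHORITY\\SYSTEM|msiexec.exe|msiexec /i velociraptor-v0.76.msi /qn
2026-04-10T02:14:30|FS01|CORP\\svc_backup|MountainDuck.exe|MountainDuck.exe
2026-04-10T02:19:51|FS01|CORP\\svc_backup|rclone.exe|rclone copy \\\\FS01\\Finance mega:dump --transfers 32
2026-04-10T09:00:12|WS22|CORP\\alice|robocopy.exe|robocopy C:\\Users\\alice\\Docs D:\\Backup /E
"""

# Tools named in the leaked tooling lists, grouped by their role in the exfil chain.
# Executable names for the mounting tools are assumed, not taken from the leak.
CLOUD_MOUNT = {"mountainduck.exe", "raiddrive.exe", "netdrive.exe", "airlivedrive.exe", "rcloneview.exe"}
BULK_COPY = {"rclone.exe", "robocopy.exe", "xcopy.exe"}
UNC_SOURCE = re.compile(r"\\\\[\w.-]+\\")   # a \\server\share path on the command line
WINDOW = timedelta(minutes=30)              # mount-to-copy correlation window (assumed)

def parse(log):
    """Split pipe-delimited records into dicts; image names are lower-cased for matching."""
    rows = []
    for line in log.splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        rows.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                     "image": image.lower(), "cmd": cmd})
    return rows

def detect(rows):
    """Return (rule, host, timestamp) alerts for the two behaviours described in the leak."""
    alerts = []
    last_mount = {}                          # host -> time a cloud-drive tool last started
    for r in sorted(rows, key=lambda r: r["ts"]):
        # Velociraptor pushed silently via MSI as a service: a signed binary, so AV stays quiet
        if r["image"] == "msiexec.exe" and "velociraptor" in r["cmd"].lower():
            alerts.append(("velociraptor_msi_install", r["host"], r["ts"]))
        if r["image"] in CLOUD_MOUNT:
            last_mount[r["host"]] = r["ts"]
        # Bulk copy from an SMB share shortly after a cloud drive was mounted on the same host
        if r["image"] in BULK_COPY and UNC_SOURCE.search(r["cmd"]):
            mounted = last_mount.get(r["host"])
            if mounted and r["ts"] - mounted <= WINDOW:
                alerts.append(("exfil_staging", r["host"], r["ts"]))
    return alerts

if __name__ == "__main__":
    for rule, host, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts} {host} {rule}")
```

The local robocopy on WS22 produces no alert, which is the point: the signal is the share-to-cloud sequence, not the presence of a native copy tool.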

Behavioral Patterns

The leaked chats also reveal how The Gentlemen actually work day to day.

  • Initial access as an assembly line:

The group maintains a live HTML dashboard that tracks thousands of internet-facing FortiGate panels, showing which ones are reachable, their device names, and direct login links. Credential testing is distributed across dedicated hardware, and valid access is triaged by target value as soon as it is confirmed.

  • Corporate-style affiliate management:

zeta88 runs the affiliate program the way a team lead runs a department. He assigns targets (referred to internally as “cases”), distributes tooling packages, sets revenue-share terms, purchases hardware for under-resourced members, and removes affiliates who do not perform. The group also draws a clear line between “advert” brokers who source network access and operators who execute the actual intrusions, which shows a layered internal supply chain.

  • Living off the land by design:

The group has a deliberate preference for commercially signed and open-source tools over custom malware during post-exploitation. Velociraptor (with signed binaries), TailVNC, Rclone, and OpenConnect all show up in the chats. zeta88 specifically notes that signed Velociraptor builds do not trigger common AV/EDR solutions.

  • The locker as a software product:

The ransomware itself is treated like a product under active development. A flag was added in February 2026, another deployment was developed separately, Linux support was on the roadmap, and the team evaluated integration with the Nyx forensics framework.

  • Insurance-aware ransom pricing:

The group cross-references potential victims against ZoomInfo revenue data and calibrates demands accordingly. In one documented case, the group was aware that a victim carried a $10 million cyber insurance ceiling and set their demand to match it.

  • Operational security and counterintelligence:

The chats show active awareness of insider threats. Sensitive credentials are exchanged over Tox rather than Rocket.Chat. The locker binary and panel source code are not distributed to all affiliates; only build access is granted through the panel. The group also maintains the ability to rotate their Tor address without losing their backend database.

  • Geographic staging:

Initial access operations are concentrated in APAC. High-value monetization targets are then selectively pursued in the UK, US, and Western Europe. The pattern suggests that APAC compromises serve either as stepping stones for lateral movement into Western supply chains or as lower-value access to be sold to other actors.

  • Internal knowledge transfer:

The group does not rely on every affiliate figuring things out independently. For example, Wick publishes multi-step tradecraft guides covering topics like Velociraptor deployment, browser session theft, and share mounting. zeta88 maintains shared tool libraries. Additionally, the Conti pentester guide is referenced as a training resource.

In Conclusion

Leaks alone do not stop these groups. Conti survived its leak for months. Black Basta reshuffled and carried on. The Gentlemen’s administrator responded to this breach with a dismissive tone and a list of planned upgrades. The affiliates, the tooling, and the access pipelines do not disappear because a chat log got dumped online.

What does matter is what defenders do with the information.

Organizations running unpatched FortiGate appliances, relying on MFA alone without monitoring for credential abuse, or neglecting Active Directory hardening now have documented proof that these gaps are being exploited at scale by a well-organized operation.

The intelligence is there. The question is whether it gets acted on before the next victim shows up on a leak site.

SOCRadar analyzed the leaked files and alerted the relevant parties. If you would like a more detailed report on this leak or require further threat intelligence, including IoCs and TTPs, contact [email protected].

Track Ransomware Groups Like The Gentlemen in Real Time

The intelligence from this leak is valuable, but it’s a snapshot. Ransomware operations restructure, rebrand, and keep moving after breaches like this one. Staying ahead of them requires continuous visibility, not one-time reports.

SOCRadar’s free Ransomware Intelligence dashboard gives security teams exactly that. The platform aggregates victim disclosures from ransomware leak sites, Dark Web forums, and SOCRadar’s own monitoring infrastructure into a continuously updated global view, refreshed every five seconds, with no account required.

The Gentlemen Ransomware’s target countries (SOCRadar Free Ransomware Intelligence)

With it, you can:

  • Monitor active groups: The Gentlemen currently rank among the top five most active ransomware operators globally, with over 400 confirmed victims tracked on the platform. See which groups are surging in your region or sector right now.
  • Search victims by country and industry: filter attacks by geography, sector, or threat actor to understand whether your organization’s profile overlaps with current targeting patterns.
  • Review TTPs and IOCs: dedicated tabs surface the tactics, techniques, and indicators associated with active groups, giving your SOC team actionable data for detection and hunting.
  • Catch early warnings: the live attack feed updates in real time as new victims are claimed, so you’re not learning about campaigns weeks after the fact.

The Gentlemen leak shows us exactly how a ransomware operation picks its targets, stages its intrusions, and monetizes access. The question now is whether defenders are watching as closely as the attackers are.