Leaked Database Exposes Inner Workings of The Gentlemen Ransomware Operation
A leaked internal database from The Gentlemen ransomware-as-a-service operation reveals nine accounts, initial access methods, and a $190,000 ransom payment.

On May 4, 2026, the administrator of The Gentlemen ransomware-as-a-service (RaaS) operation acknowledged on underground forums that an internal backend database had been leaked. Check Point Research obtained and analyzed the leaked material, which provides an unprecedented end-to-end view of one of the most active ransomware programs in 2026. The leak exposed nine accounts, including the administrator known as zeta88 (also hastalamuerte), who manages infrastructure, builds the locker and RaaS panel, handles payouts, and actively participates in infections.
The leaked internal chats detail the group's operational playbook. Affiliates discussed initial access paths that exploit Fortinet and Cisco edge appliances, NTLM relay attacks against internal Windows hosts, and credential logs (infostealer output) covering Outlook Web Access and Microsoft 365 accounts. The group actively tracks and evaluates recent CVEs to identify exploitable vulnerabilities, including CVE-2024-55591 (FortiOS/FortiProxy authentication bypass), CVE-2025-32433 (Erlang/OTP SSH remote code execution, which affects a range of Cisco products), and CVE-2025-33073 (Windows SMB client privilege escalation via NTLM reflection). The database also contained shared toolsets, EDR-kill packages, and discussions about infrastructure components such as the Rocket database and NAS storage.
Screenshots from ransom negotiations were also part of the leak, showing a successful case where the group received $190,000 after starting with an initial demand of $250,000. Further chats revealed that stolen data from a UK software consultancy was later reused to attack a company in Turkey. The Gentlemen used this as a dual-pressure tactic, portraying the UK firm as an "access broker" while encouraging the Turkish company to consider legal action against the consultancy.
By collecting available ransomware samples, Check Point Research identified eight distinct affiliate TOX IDs, including the administrator's own TOX ID. This suggests the admin not only manages the RaaS program but also actively participates in or directly carries out some infections. The group has published approximately 332 victims on its data leak site in the first five months of 2026, making it the second most productive RaaS operation in that period.
The Gentlemen RaaS emerged around mid-2025 and aggressively recruited affiliates with a profit-sharing model of 90% for affiliates and 10% for the operator. The administrator, using the account zeta88, promoted the service on underground forums and shared a TOX ID that appears consistently across recruitment posts, the data leak site, and internal screenshots. This leak provides rare visibility into the group's structure, tactics, and scale, and illustrates the ongoing threat posed by RaaS operations.
The leak underscores the importance of monitoring underground forums and securing edge devices, since initial access in these intrusions often starts with a known vulnerability in a Fortinet or Cisco appliance. Organizations should prioritize patching those CVEs on internet-facing devices; enforce SMB and LDAP signing (and, where feasible, restrict or disable NTLM) so that relayed authentication is rejected; and require multi-factor authentication on OWA and Microsoft 365 so that credentials harvested from stealer logs cannot be reused on their own. Note that MFA does not stop an NTLM relay, which abuses an in-progress authentication rather than a stolen password; signing and channel binding are the controls that address it. The reuse of one victim's stolen data against a second company also shows that incident response and breach notification procedures need to cover third parties whose data was held, since that data can become leverage in a later extortion.
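Because the report names NTLM relay as one of the group's access paths, a defender will want a quick way to confirm that the host settings which actually defeat relay are in place. The following PowerShell audit is an added example written for this page; it is not part of the Check Point Research report or of any tool attributed to The Gentlemen. It reads the documented Microsoft policy locations for SMB signing, LDAP signing, LDAPS channel binding, and the LM compatibility level, and compares them with the values a hardened host should carry. The check list and the function name Test-NtlmRelayHardening are this example's own construction; run it in an elevated session on a member server or domain controller.

```powershell
# Added example (not from the CPR report or this article): audit the
# registry-backed settings that block NTLM relay and LM/NTLMv1 fallback.
# Paths and value names are Microsoft's documented policy locations;
# the $checks table and Test-NtlmRelayHardening are assumptions of this example.
# Run elevated. A value that is absent means the platform default applies,
# which on member servers usually means signing is NOT required.

$checks = @(
    @{ Name     = 'SMB server signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'SMB client signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Name     = 'LDAP server signing required (domain controllers only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity'
       Expected = 2 },
    @{ Name     = 'LDAPS channel binding enforced (domain controllers only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LdapEnforceChannelBinding'
       Expected = 2 },
    @{ Name     = 'LM compatibility level (send NTLMv2 only, refuse LM and NTLM)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'
       Expected = 5 }
)

function Test-NtlmRelayHardening {
    foreach ($c in $checks) {
        $actual = $null
        # NTDS\Parameters only exists on domain controllers; skip gracefully elsewhere.
        if (Test-Path -Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Value) }
        }

        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'FAIL' }
        $shown  = if ($null -eq $actual) { 'not set (default applies)' } else { $actual }

        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $shown
            Status   = $status
        }
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize
```

A FAIL on either SMB signing row means a relayed NTLM authentication can still be replayed to that service; a FAIL on the LDAP rows on a domain controller means relay to LDAP (for example, to add a computer account or change ACLs) remains possible. These values are normally set through Group Policy rather than edited directly, so the script is an audit, not a remediation.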