VYPR · breach · Published May 13, 2026 · Updated May 18, 2026 · 1 source

The Gentlemen Ransomware Gang Suffers Internal Data Breach, Exposing Operations

An anonymous group breached the internal back-end database of the prolific 'The Gentlemen' ransomware gang, leaking 16GB of communications and tooling.

In a striking turn of events, one of the world's most prolific ransomware operations has itself been breached. The Russian cybercriminal gang known as 'The Gentlemen' suffered a compromise of its internal back-end database on or around May 4, 2026. An anonymous group is now selling over 16GB of the gang's internal communications, tooling, and other data for $10,000 in Bitcoin, according to a report from Dark Reading.

Check Point Research analyzed a 44MB sample of the stolen data, which was leaked to prove the veracity of the larger cache. The analysis revealed the gang's organizational structure, led by an individual known as 'zeta88,' who builds and maintains the locker malware, curates tooling, runs infrastructure, selects targets, and manages negotiations. Zeta88's operations are handled by two key members: 'qbit,' who specializes in scanning for vulnerable edge devices and establishing persistence, and 'quant,' who focuses on gaining access via logs and credentials. A tertiary group of seven grunts includes red teamers, an access broker, and an advertising specialist.

The breach provides unique insight into the gang's tactics, techniques, and procedures (TTPs). The Gentlemen exploit critical, known vulnerabilities and use nearly 30 different tools to support their locker, including scanners, VPNs, remote access tools, and techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic. Check Point describes the toolset as 'fairly mature,' if not particularly unique.

Despite the reputational hit, experts do not expect the breach to significantly disrupt the gang's operations. 'It is a reputational hit, but we do not expect it to significantly disrupt their operations or reduce their effectiveness,' said Eli Smadja, Check Point's group manager for product R&D. The gang's success is attributed to its tight organizational structure and a generous payment model, where zeta88 takes 10% of extorted payments, and the other hackers involved split the remaining 90%.

The Gentlemen have been the second most productive ransomware group globally in 2026, just behind Qilin, having published sensitive data from around 332 organizations in the first five months of the year. The breach offers a rare glimpse into the inner workings of a major cybercriminal enterprise, but it is unlikely to provide a secret formula for other hackers. 'What they have built is the product of experience, and nothing disclosed in the leak reveals a secret formula or unique technical advantage,' Smadja added.

Synthesized by Vypr AI