
Inside The Gentlemen RaaS: A Q&A on the 2026 Database Leak and Operations

Last updated: 2026-05-21 01:47:03 · Science & Space

The Gentlemen ransomware-as-a-service (RaaS) group emerged around mid-2025, quickly becoming one of the most prolific operations by early 2026. A critical leak of their internal backend database in May 2026 exposed core operational details, including the administrator's identity, affiliate roles, technical methods, and negotiation tactics. This Q&A breaks down the key revelations from Check Point Research's analysis of the leak.

What was leaked from The Gentlemen RaaS database in May 2026?

On May 4, 2026, the administrator of The Gentlemen RaaS acknowledged on underground forums that an internal backend database named "Rocket" had been compromised. The leak exposed 9 accounts, including that of the administrator, who operates under the aliases zeta88 and hastalamuerte. This database contained operational information about the group's infrastructure, affiliate details, and victim data. Among the leaked material were internal discussions that offered an end-to-end view of the operation's workflow, from initial access to ransom negotiations. The leak provided researchers with rare insight into how the RaaS program manages affiliates, tracks exploit development, and coordinates attacks. Check Point Research obtained a partial copy of this leaked data, which formed the basis for their analysis of the group's internal dynamics.

Inside The Gentlemen RaaS: A Q&A on the 2026 Database Leak and Operations
Source: research.checkpoint.com

Who is the administrator of The Gentlemen RaaS and what role do they play?

The administrator, known online as zeta88 (also hastalamuerte), is the central figure in The Gentlemen RaaS. According to the leaked database, this individual runs the infrastructure, builds the locker and the RaaS panel, manages payouts to affiliates, and effectively acts as the program's overall administrator. Beyond administrative duties, the data suggests the admin also actively participates in or directly carries out some infections. Analysis of ransomware samples revealed 8 distinct affiliate TOX IDs, one of which belonged to the admin. This dual role—both managing the platform and conducting attacks—is unusual and indicates a hands-on leadership style. The admin's involvement in attacks may allow them to test tools, vet affiliates, or simply augment the group's victim count. The leak of zeta88's account details exposed their central role, making them a high-value target for law enforcement.

What operational details did the leaked discussions reveal about attack methods?

The internal discussions from the leak provided a rare, detailed view of The Gentlemen's operational playbook. Affiliates shared initial access paths that included exploiting vulnerabilities in Fortinet and Cisco edge appliances, using NTLM relay attacks, and leveraging OWA (Outlook Web App) and M365 credential logs. The group also maintained a shared toolset and defined clear role divisions among affiliates. Notably, the discussions showed active tracking and evaluation of modern CVEs, such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. This indicates a proactive approach to exploiting recently disclosed vulnerabilities. The group's ability to quickly operationalize new CVEs contributes to their high victim count (332 published victims in the first five months of 2026) and positions them as the second most productive RaaS operation in that period. The technical depth of the discussions confirms that The Gentlemen attracts skilled penetration testers as affiliates.

How did The Gentlemen use ransom negotiations to pressure victims?

Leaked screenshots from ransom negotiations revealed specific tactics. In one successful case, the group initially demanded an anchor sum of $250,000 USD from a victim but ultimately accepted $190,000 USD. The negotiations demonstrate flexibility, likely to ensure payment while maintaining credibility. More manipulative was a dual-pressure tactic uncovered in separate chats. The group had stolen data from a UK software consultancy and later reused that data to attack a company in Turkey. During negotiations with the Turkish victim, The Gentlemen portrayed the UK firm as an "access broker," claiming the intrusion originated from the UK side. They encouraged the Turkish company to consider legal action against the consultancy, simultaneously pressuring both entities. This strategy weaponizes third-party data and legal threats to amplify leverage, showing the group's sophistication in psychological and operational coercion.


What did the leak reveal about the affiliate network and identity tracking?

By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, with the administrator's own ID among them. This discovery suggests that the admin not only manages the RaaS program but also participates in or directly conducts some infections. The fact that only 8 unique TOX IDs were found for a group that claims hundreds of victims indicates either a small, tight-knit affiliate circle or that many affiliates reuse credentials. The leak of the Rocket database exposed 9 accounts, further confirming a limited number of core operators. Understanding affiliate identity and behavior helps researchers track attack patterns, link disparate incidents, and estimate the true scale of the operation. The presence of the admin's TOX ID in active infections underscores the hands-on nature of the leadership and blurs the line between administrator and operator.
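The affiliate-tracking step described above (and referenced in the administrator section) comes down to harvesting the Tox contact IDs embedded in ransom notes, validating them, and clustering samples by ID. The following is an added example illustrating that workflow; it is not code from the article or from Check Point Research. It assumes ransom notes are available as plain text, and every Tox ID in it is constructed from dummy key bytes purely so the checksum arithmetic can be exercised offline. The checksum rule (the last 2 bytes of a 38-byte Tox ID are the byte-pairwise XOR of the preceding 36) follows the Tox protocol specification.

```python
import re
from collections import defaultdict

# A Tox ID is 38 bytes rendered as 76 hex characters:
# 32-byte public key + 4-byte "nospam" + 2-byte checksum.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def tox_checksum(first36: bytes) -> bytes:
    """Tox spec checksum: XOR the first 36 bytes into two alternating bytes."""
    chk = bytearray(2)
    for i, b in enumerate(first36):
        chk[i % 2] ^= b
    return bytes(chk)


def is_valid_tox_id(tox_id: str) -> bool:
    """Reject strings that are hex-shaped but fail the Tox checksum."""
    raw = bytes.fromhex(tox_id)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(text: str) -> list:
    """Return every checksum-valid Tox ID found in a ransom note, upper-cased."""
    return [m.group(0).upper() for m in TOX_ID_RE.finditer(text)
            if is_valid_tox_id(m.group(0))]


def cluster_by_affiliate(samples: dict) -> dict:
    """Map each distinct Tox ID to the sorted list of samples that embed it.

    Samples sharing an ID are attributed to the same affiliate contact;
    the number of keys is the number of distinct affiliate IDs observed.
    """
    clusters = defaultdict(set)
    for sample_name, note in samples.items():
        for tid in extract_tox_ids(note):
            clusters[tid].add(sample_name)
    return {tid: sorted(names) for tid, names in clusters.items()}


def count_affiliates(samples: dict) -> int:
    return len(cluster_by_affiliate(samples))


# ---- constructed sample data: fake IDs built from dummy bytes, not real ones ----
def make_tox_id(seed: int) -> str:
    """Build a syntactically valid but entirely fake Tox ID from a seed."""
    first36 = bytes([(seed * 7 + i) % 256 for i in range(36)])
    return (first36 + tox_checksum(first36)).hex().upper()


AFFILIATE_A = make_tox_id(1)
AFFILIATE_B = make_tox_id(2)
# Corrupt the last hex digit so the checksum no longer matches (simulates a
# mangled or deliberately altered ID that should not create a new cluster).
BROKEN = AFFILIATE_B[:-1] + ("0" if AFFILIATE_B[-1] != "0" else "1")

SAMPLE_NOTES = {  # constructed ransom-note snippets
    "sample_0001.txt": f"Contact us via TOX: {AFFILIATE_A} to recover your files.",
    "sample_0002.txt": f"TOX ID {AFFILIATE_B}\nDo not contact law enforcement.",
    "sample_0003.txt": f"Support: {AFFILIATE_A}\nBackup contact: {AFFILIATE_B}",
    "sample_0004.txt": f"TOX: {BROKEN}",
}

if __name__ == "__main__":
    for tid, names in cluster_by_affiliate(SAMPLE_NOTES).items():
        print(f"{tid[:12]}... -> {', '.join(names)}")
    print("distinct affiliate IDs:", count_affiliates(SAMPLE_NOTES))
```

Running it over the constructed notes yields two clusters (sample_0003 links both affiliates, while the mangled ID in sample_0004 is discarded). On real collections the same clustering is what lets analysts say "8 distinct TOX IDs" and tie one of them back to the administrator once that ID is known from another source.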

How active has The Gentlemen RaaS been in 2026, and what previous research exists?

According to victims listed on the group's data leak site (DLS), The Gentlemen published approximately 332 victims in just the first five months of 2026, making it the second most productive RaaS operation in that period among those that publicly list victims. This high volume indicates aggressive recruitment of affiliates and efficient exploitation campaigns. Prior to the leak, Check Point Research analyzed a specific infection by an affiliate that used the SystemBC malware; the associated command-and-control server revealed more than 1,570 victims. That earlier work focused on a single affiliate's infection chain, while Check Point's new publication shifts to the affiliate program and its actors. The combination of the large victim count and the detailed leak shows that The Gentlemen is not only prolific but also operationally complex, with a well-documented internal structure that researchers can now dissect.

What are the broader implications of the Rocket database leak for cybersecurity?

The leak of The Gentlemen's internal database provides an unprecedented window into a modern RaaS operation, exposing the intersection of technical exploitation, social engineering, and business management. It reveals that ransomware groups are increasingly organized, with clear role divisions, shared tool repositories, and active CVE tracking. The leak also demonstrates the value of insider threats—whether from a disgruntled member, a competitor, or an external breach—in disrupting cybercriminal enterprises. For defenders, the leaked data offers intelligence on initial access vectors (Fortinet, Cisco, NTLM, OWA) and negotiation tactics that can be used to harden defenses and train incident response teams. Additionally, the dual-pressure tactic highlights the need for cross-border cooperation and legal preparedness. The exposure of the admin's identity may lead to law enforcement action, demonstrating that even careful operators can be unmasked.