Inside The Gentlemen RaaS: Database Leak Exposes Operations and Affiliates

Last updated: 2026-05-18 21:15:00

Overview of The Gentlemen RaaS

The Gentlemen is a relatively new ransomware-as-a-service (RaaS) operation that emerged around mid-2025. The group actively markets its platform on underground forums, recruiting penetration testers and technically skilled actors as affiliates. By 2026, the operation had become one of the most prolific RaaS programs, with approximately 332 victims listed on its data leak site (DLS) in the first five months alone—making it the second most productive RaaS program during that period (among those that publicly name victims).

Source: research.checkpoint.com

In a previous report, Check Point Research analyzed an infection carried out by a Gentlemen affiliate. That incident involved the SystemBC backdoor, and the associated command-and-control server revealed more than 1,570 victims linked to the affiliate. This new article focuses on the affiliate program itself and the actors behind it, following a significant data leak that exposed internal operations.

The Database Leak: A Rare Glimpse Inside

On May 4, 2026, The Gentlemen administrator acknowledged on underground forums that an internal backend database, code-named Rocket, had been leaked. Check Point Research obtained what appears to be a partial copy of that database, containing operational information about the group’s infrastructure, affiliates, and victims.

Key Accounts and the Administrator's Role

The leak exposed 9 accounts, including zeta88 (also known as hastalamuerte). This individual runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program. The database also contains internal discussions that provide an end-to-end view of the operation—detailing initial access paths, division of roles, shared toolkits, and even the group’s active evaluation of modern vulnerabilities.

Operational Tactics Revealed

Initial Access Vectors

The leaked chats show that affiliates commonly exploit Fortinet and Cisco edge appliances, use NTLM relay attacks, and leverage OWA/M365 credential logs to gain a foothold in target networks. These methods are combined with a shared arsenal of tools, indicating a coordinated approach to compromise.

Exploitation of CVEs

The group actively tracks and evaluates modern CVEs, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. This suggests a proactive stance on using the latest vulnerabilities for initial access or privilege escalation.


Negotiation Strategies and Victim Data Reuse

Screenshots from ransom negotiations were also part of the leak. In one successful case, the group received $190,000 USD after starting with an initial demand (anchor) of $250,000 USD—a typical negotiation pattern for ransomware groups.

Further chats reveal a more cunning tactic: stolen data from a UK software consultancy was reused to target a company in Turkey. During negotiations, The Gentlemen portrayed the UK firm as an “access broker” and encouraged the Turkish victim to pursue legal action against the consultancy. This dual-pressure technique—combining financial extortion with implied third-party liability—demonstrates the group’s sophistication in psychological manipulation.

Affiliate Network and Activity

By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator’s own ID. This suggests that the admin not only manages the RaaS program but also actively participates in, or directly carries out, some of the infections. The affiliate network appears tightly controlled yet operationally diverse.
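How that kind of sample-to-affiliate clustering can be done in practice, shown as an added example that is not Check Point Research's tooling: the script below pulls Tox IDs out of ransom-note text, validates each one against the Tox address layout assumed here (32-byte public key, 4-byte nospam, 2-byte checksum formed by XORing the first 36 bytes in pairs), and groups samples by contact ID so that an ID reused across many builds stands out. Every sample name, note text and ID in the block is constructed for the example; none are real indicators.

```python
"""Cluster ransomware samples by the Tox contact ID in their ransom notes.

Added example, not part of the original report. Assumption: a Tox ID is
76 hex chars = 32-byte public key + 4-byte nospam + 2-byte checksum, where
the checksum is the XOR of the first 36 bytes folded into 2 bytes.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Candidate Tox IDs are exactly 76 hex characters on word boundaries.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def tox_checksum(body: bytes) -> bytes:
    """XOR the 36 key+nospam bytes into 2 bytes (assumed Tox address rule)."""
    cs = bytearray(2)
    for i, b in enumerate(body):
        cs[i % 2] ^= b
    return bytes(cs)


def is_valid_tox_id(candidate: str) -> bool:
    """Reject 76-hex strings whose trailing 2 bytes do not match the checksum."""
    raw = bytes.fromhex(candidate)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(note: str) -> list[str]:
    """Return the unique, checksum-valid Tox IDs found in one ransom note."""
    found: list[str] = []
    for match in TOX_ID_RE.findall(note):
        tid = match.upper()
        if is_valid_tox_id(tid) and tid not in found:
            found.append(tid)
    return found


def cluster_samples(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each Tox ID to the sorted sample names whose note contains it."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for name, note in samples.items():
        for tid in extract_tox_ids(note):
            clusters[tid].append(name)
    return {tid: sorted(names) for tid, names in clusters.items()}


def rank_operators(clusters: dict[str, list[str]]) -> list[tuple[str, int]]:
    """Most-reused Tox ID first; one ID across many builds points at one operator."""
    return sorted(((tid, len(names)) for tid, names in clusters.items()),
                  key=lambda pair: (-pair[1], pair[0]))


# --- constructed sample data (not real samples, notes or IDs) ---------------
def _make_id(seed: int) -> str:
    """Build a deterministic, checksum-valid Tox ID for the demo."""
    body = bytes((seed * 7 + i) % 256 for i in range(36))
    return (body + tox_checksum(body)).hex().upper()


ID_A, ID_B, ID_C = _make_id(1), _make_id(2), _make_id(3)
BAD_ID = ID_A[:-1] + ("0" if ID_A[-1] != "0" else "1")  # checksum deliberately broken
SHA256_LIKE = "ab" * 32                                   # 64 hex chars, not a Tox ID

SAMPLES = {
    "sample01.exe": f"Your files are encrypted. Contact us via TOX: {ID_A}",
    "sample02.exe": f"Contact TOX {ID_A} to get the decryptor",
    "sample03.exe": f"TOX ID: {ID_B}\nDo not contact recovery companies.",
    "sample04.exe": f"tox: {ID_A} (do not reply to anyone else)",
    "sample05.exe": f"TOX: {ID_C}\nhash of your data: {SHA256_LIKE}",
    "sample06.exe": f"TOX: {ID_B}",
    "sample07.exe": f"TOX: {BAD_ID}",  # corrupted ID, must be ignored
}

if __name__ == "__main__":
    for tid, count in rank_operators(cluster_samples(SAMPLES)):
        print(f"{tid[:16]}...  {count} sample(s)")
```

The checksum step matters more than it looks: hex blobs of the right length (keys, hashes, build IDs) turn up in ransom notes and binaries, and without it the clustering silently merges unrelated samples. On the constructed set, the ID reused across three builds is the one an analyst would flag as the most active operator, which is the same reasoning the report applies to the administrator's own ID.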

As of mid-2026, The Gentlemen continues to be one of the most aggressive RaaS operations, driven by a mix of experienced penetration testers and opportunistic cybercriminals. The leak offers a rare window into how such groups organize, recruit, and execute their attacks.

Conclusion

The Gentlemen RaaS database leak provides invaluable intelligence for defenders. It exposes not only technical tactics—such as preferred edge device exploits and CVE prioritization—but also the human dynamics of affiliate management and negotiation. Understanding these internal workings helps cybersecurity teams better anticipate and counter similar threats.