Internal Database Leak Exposes The Gentlemen Ransomware Operation's Admin and Affiliates


Breaking: Ransomware Group The Gentlemen Suffers Major Data Breach

On May 4, 2026, the administrator of The Gentlemen ransomware-as-a-service (RaaS) operation acknowledged on underground forums that an internal backend database, codenamed "Rocket," had been leaked. The leak exposed nine accounts, including zeta88 (also known as hastalamuerte), who manages infrastructure, builds the locker and RaaS panel, handles payouts, and effectively acts as the program's administrator.

[Image] Source: research.checkpoint.com

"This is a significant operational security failure for one of the most active RaaS groups today," said Maya Cohen, senior threat intelligence analyst at Check Point Research. "The leaked data provides unprecedented insight into their internal workings, from initial access methods to affiliate management and negotiation tactics."

What the Leak Reveals

The internal discussions found in the leaked database offer a rare end-to-end view of The Gentlemen's operations. They detail initial access paths, including Fortinet and Cisco edge appliances, NTLM relay, and OWA/M365 credential logs. The database also outlines the division of roles among affiliates, shared toolsets, and the group's active tracking of modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
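NTLM relay is one of the initial access paths named above, and it leaves a recognisable trace in Windows Security event 4624 (successful logon): network logons (LogonType 3) authenticated with the NTLM package whose client-supplied WorkstationName does not match the inventory IP of that host, or a single account authenticating to many hosts in a short window. The following detector is an added example written for this article, not code from Check Point Research or from the leaked database; the event records, the asset map, the thresholds and the hostnames are all constructed for illustration.

```python
"""
Flag NTLM network logons in Windows Security event 4624 records that look
like relay or lateral-movement activity. Defender-side example added to this
article; all sample data below is constructed, not from the leaked database.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 events. Field names follow the Windows Security
# log: LogonType 3 is a network logon, AuthenticationPackageName is
# "NTLM" or "Kerberos", IpAddress is the actual source, WorkstationName is
# what the client claimed, and Computer is the host that logged the event.
SAMPLE_EVENTS = [
    {"time": "2026-05-04T09:00:05", "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23",
     "WorkstationName": "WS-FINANCE-07", "Computer": "FS01"},
    {"time": "2026-05-04T09:01:10", "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.40",
     "WorkstationName": "WS-HR-02", "Computer": "FS01"},
    {"time": "2026-05-04T09:02:00", "TargetUserName": "admin_ops", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.9.5",
     "WorkstationName": "ADMIN-JUMP", "Computer": "DC01"},
    # Same account, same claimed workstation, but a different source IP
    # hitting four servers in a few minutes: the relay/lateral pattern.
    {"time": "2026-05-04T09:03:15", "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.7.99",
     "WorkstationName": "WS-FINANCE-07", "Computer": "FS02"},
    {"time": "2026-05-04T09:04:00", "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.7.99",
     "WorkstationName": "WS-FINANCE-07", "Computer": "SQL01"},
    {"time": "2026-05-04T09:05:30", "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.7.99",
     "WorkstationName": "WS-FINANCE-07", "Computer": "APP03"},
    {"time": "2026-05-04T09:06:00", "TargetUserName": "svc_backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.7.99",
     "WorkstationName": "WS-FINANCE-07", "Computer": "HR-FS"},
    {"time": "2026-05-04T09:20:00", "TargetUserName": "jdoe", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.40",
     "WorkstationName": "WS-HR-02", "Computer": "PRINT01"},
]

# Constructed asset inventory: hostname -> IP the host is expected to use.
ASSET_MAP = {"WS-FINANCE-07": "10.0.5.23", "WS-HR-02": "10.0.5.40", "ADMIN-JUMP": "10.0.9.5"}


def ntlm_network_logons(events):
    """Keep only successful network logons authenticated with NTLM."""
    return [e for e in events
            if e["LogonType"] == 3 and e["AuthenticationPackageName"].upper() == "NTLM"]


def workstation_ip_mismatches(events, asset_map):
    """NTLM logons whose claimed WorkstationName has a different inventory IP
    than the actual source IP. WorkstationName is client-supplied, so a
    mismatch is an indicator to investigate, not proof of relay."""
    out = []
    for e in ntlm_network_logons(events):
        expected = asset_map.get(e["WorkstationName"])
        if expected is not None and expected != e["IpAddress"]:
            out.append(e)
    return out


def fan_out_accounts(events, max_hosts=3, window=timedelta(minutes=10)):
    """Accounts that reach more than max_hosts distinct targets over NTLM
    within a sliding window. Returns {account: sorted list of targets}."""
    by_user = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["Computer"]))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def report(events, asset_map):
    """Summary a SOC analyst could page through or feed into a ticket."""
    return {
        "ntlm_network_logons": len(ntlm_network_logons(events)),
        "mismatches": [(e["time"], e["TargetUserName"], e["IpAddress"], e["Computer"])
                       for e in workstation_ip_mismatches(events, asset_map)],
        "fan_out": fan_out_accounts(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS, ASSET_MAP).items():
        print(key, value)
```

On the constructed data the detector flags the four svc_backup logons from 10.0.7.99 as workstation/IP mismatches and flags svc_backup as fanning out to five servers inside ten minutes, while jdoe's two logons twenty minutes apart stay quiet. Detection of this kind is a complement to, not a substitute for, the controls that remove the relay primitive: SMB and LDAP signing, Extended Protection for Authentication, and retiring NTLM where Kerberos can replace it.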

Additionally, screenshots from ransom negotiations were leaked, showing a successful case where the group received $190,000 after starting with an initial demand of $250,000. "The negotiation data reveals their pricing strategy and willingness to settle for less than their initial ask, which is valuable for defenders," noted Cohen.

Cross-Border Data Reuse in Attacks

Further chats indicate that stolen data from a UK software consultancy was later reused to attack a company in Turkey. The Gentlemen used this as a dual-pressure tactic: they portrayed the UK firm as the "access broker" while offering "proof" to the Turkish company that the intrusion originated from the UK side, encouraging it to consider legal action against the consultancy.

"This level of psychological manipulation and supply chain exploitation is rare in ransomware operations," said Dr. Elena Voss, cybersecurity researcher at the University of Oxford. "It shows they are willing to weaponize legal threats against their victims' business partners."

Background: The Gentlemen's Rise

The Gentlemen RaaS operation emerged around mid-2025, advertising on multiple underground forums to recruit penetration testers and technically skilled actors as affiliates. By early 2026, the group had published approximately 332 victims on its data leak site (DLS) in just the first five months, making it the second most productive RaaS operation in that period among groups that publicly list victims.


Check Point Research previously analyzed an affiliate infection that used SystemBC, with the associated command-and-control server revealing more than 1,570 victims. The current leak focuses on the affiliate program itself and the key actors, including the administrator's active participation in infections.

Affiliate Network Exposed

By collecting all available ransomware samples, Check Point Research identified eight distinct affiliate TOX IDs, including the administrator's TOX ID. This suggests that the admin not only manages the RaaS program but also actively participates in or directly carries out some infections.

"The admin's dual role as both manager and affiliate blurs the line between administration and direct criminal activity," Cohen explained. "It also means this leak compromises both the group's leadership and its operational security."

What This Means

This leak provides law enforcement and cybersecurity firms with a rare intelligence windfall. The exposed accounts, infrastructure details, and negotiation strategies can be used to track ongoing operations, disrupt affiliate recruitment, and potentially identify the real-world identities of key actors.

For businesses, the breach highlights the importance of securing edge devices and credential logs, as these are common initial access vectors for The Gentlemen. The cross-border data reuse tactic also underscores the need for robust incident response plans that include legal and PR coordination with partners.

"Organizations should review their exposure to CVEs tracked by this group and ensure they have segmented networks to limit lateral movement," Voss advised. "The leaked data is a roadmap for defenders to anticipate and counter future attacks."

The full extent of the leak and its impact on The Gentlemen's operations remains to be seen, but it is clear that the group's internal security failure has handed its adversaries a significant advantage.
