10 Critical Revelations from The Gentlemen RaaS Database Leak
In a rare event, the internal workings of a prominent ransomware-as-a-service (RaaS) operation were exposed when an administrator of The Gentlemen acknowledged the leak of the group's backend database on May 4th, 2026. The leak offers an unusual view of the group's infrastructure, affiliate management, and operational tactics. Here are the 10 key insights from the leaked data.
1. The Database Leak That Exposed the Operation
On May 4th, 2026, an administrator of the RaaS program The Gentlemen confirmed on underground forums that their internal backend database, codenamed Rocket, had been leaked. The leak exposed nine accounts, including that of zeta88 (also known as hastalamuerte), who oversees the entire operation. This acknowledgment itself is a significant event, as RaaS groups rarely admit to security breaches. The leaked database provided Check Point Research with a rare, end-to-end view of how this cybercriminal enterprise functions, from recruitment to ransom collection.

2. The Administrator’s Role: More Than a Manager
The account zeta88 is not just another affiliate: it belongs to the central figure behind The Gentlemen. According to the leak, zeta88 runs the infrastructure, builds the locker and the RaaS panel, manages payouts, and effectively acts as the program’s administrator. The admin is therefore deeply involved in both the technical and the financial side of the operation. Furthermore, by collecting ransomware samples, researchers identified eight distinct affiliate TOX IDs, including the admin’s own. This indicates that the administrator not only manages the program but also participates in or directly carries out some infections, blurring the line between leadership and field work.
3. End-to-End Operational View: From Initial Access to Payout
The internal discussions leaked from the Rocket database provide a comprehensive view of The Gentlemen’s operations. They detail initial access paths using Fortinet and Cisco edge appliances, NTLM relay attacks, and OWA/M365 credential logs. The chats also reveal a clear division of roles among affiliates, shared toolkits, and active tracking of modern vulnerabilities. The group monitors and evaluates CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 for potential exploitation. This level of detail offers cybersecurity professionals a valuable playbook of the group’s modus operandi.
4. The Affiliate Network: 8 Distinct TOX IDs Identified
Through analysis of ransomware samples, Check Point Research identified eight unique TOX IDs associated with The Gentlemen affiliates, including the administrator’s own TOX ID. This suggests a relatively small but highly active affiliate network. The presence of the admin’s TOX ID in multiple samples reinforces the conclusion that the administrator is directly involved in attacks. The leak also exposes discussions about affiliate performance, payout structures, and recruitment strategies, painting a picture of a tightly managed but distributed crime group.
5. The Ransom Negotiation: A Case Study in Pressure Tactics
Leaked screenshots from ransom negotiations offer a rare look at The Gentlemen’s negotiation tactics. In one successful case, the group initially demanded $250,000 but eventually settled for $190,000. This 24% reduction shows that negotiations are a dynamic process. The screenshots reveal standard bargaining techniques, deadlines, and the use of data exfiltration as leverage. Understanding these patterns can help organizations prepare their own negotiation strategies, though paying ransoms remains strongly discouraged by law enforcement.
6. Data Reuse and Dual-Pressure Strategy
One of the most disturbing revelations from the leak is the group’s use of dual-pressure tactics. In one case, data stolen from a UK software consultancy was reused to attack a company in Turkey. During negotiations, The Gentlemen portrayed the UK firm as an “access broker” and provided the Turkish company with evidence that the intrusion originated from the UK side. They even encouraged the Turkish company to consider legal action against the consultancy. This approach not only adds psychological pressure but also attempts to create discord between victims, potentially reducing the likelihood of a coordinated defense.

7. The Group’s Rapid Rise: Second Most Productive RaaS in 2026
The Gentlemen emerged around mid-2025 but has quickly become one of the most active RaaS programs. By the end of May 2026, their data leak site listed approximately 332 victims, making them the second most productive RaaS operation in that five-month period among groups that publicly list victims. This rapid growth highlights the effectiveness of their affiliate program, their exploitation of modern vulnerabilities, and the increasing professionalization of ransomware operations. The leak provides insight into how they achieved this scale through efficient recruitment and support.
8. Previous Infection Analysis: SystemBC and 1,570+ Victims
In earlier research, Check Point analyzed a specific infection carried out by an affiliate of The Gentlemen. The affiliate used SystemBC, a known proxy tool, for command-and-control communication. The associated C&C server revealed more than 1,570 victims across multiple countries. This single affiliate’s footprint underscores the extensive reach of the RaaS model. The leaked database now helps place these infections in the context of the larger operation, showing how affiliates are trained, equipped, and monitored by the admin.
9. Tracking Modern Vulnerabilities: CVE Exploitation in Real Time
The internal chats show that The Gentlemen actively track and evaluate emerging vulnerabilities. Specific CVEs mentioned include CVE-2024-55591 (a Fortinet SSL VPN flaw), CVE-2025-32433 (likely a remote code execution flaw), and CVE-2025-33073. This demonstrates that the group prioritizes edge devices and commonly exploited services for initial access. By monitoring such vulnerability discussions, organizations can anticipate which attack vectors the group is likely to use and prioritize patching accordingly.
10. Implications for Cybersecurity: A Rare Window into RaaS Economics
The leak of The Gentlemen’s database is a significant event for the cybersecurity community. It provides a rare, unfiltered look at the internal economics of a RaaS operation, including affiliate payouts, victim data, and operational security. This information can help law enforcement track proceeds, disrupt infrastructure, and develop countermeasures. For defenders, the detailed descriptions of initial access techniques and toolkits serve as a checklist for hardening networks. The leak also highlights that even cybercriminal groups are not immune to data breaches, reminding us that trust within the underground is fragile.
The Gentlemen’s database leak is a treasure trove of intelligence, revealing the inner workings of a modern RaaS operation. As the group continues to innovate and grow, this leak offers critical insights that can help organizations defend against similar threats. Understanding these 10 key points is a step toward staying one step ahead in the ongoing battle against ransomware.