Ransomware Group The Gentlemen Admits Internal Database Leak, Exposing Operations and Affiliates

Breaking: The Gentlemen RaaS Database Leak Exposes Internal Operations

The administrator of The Gentlemen ransomware-as-a-service (RaaS) operation acknowledged on underground forums on May 4, 2026, that their internal backend database, codenamed "Rocket," had been leaked. The leak exposed nine accounts, including that of the group's administrator, known as zeta88 or hastalamuerte.

[Image. Source: research.checkpoint.com]

According to cybersecurity firm Check Point Research, which obtained a partial leak of the database, the compromised accounts reveal the full structure of the operation. The administrator zeta88 is responsible for managing infrastructure, building the locker and RaaS panel, handling payouts, and effectively running the entire program.

"This leak provides an unprecedented end-to-end view of a highly active RaaS operation," said a Check Point Research spokesperson. "It reveals initial access paths, division of roles, shared toolsets, and active tracking of modern vulnerabilities."

Key Details from the Leak

Access Methods and CVE Tracking

Internal discussions show the group uses initial access paths including Fortinet and Cisco edge appliances, NTLM relay attacks, and OWA/M365 credential logs. The gang actively tracks and evaluates emerging CVEs, such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.

These discussions illustrate how the group prioritizes vulnerabilities that provide quick entry points into corporate networks. The shared toolset includes custom scripts and commercial penetration testing tools.

Ransom Negotiation and Payment

Leaked screenshots from ransom negotiations show a successful case where The Gentlemen received $190,000 USD after starting with an initial demand of $250,000. This demonstrates the group's flexibility in negotiations and their ability to secure substantial payouts.

"The negotiation tactics observed in the leak are sophisticated, combining financial pressure with reputational threats," noted a cyber threat intelligence analyst at Check Point. The group uses a dual-pressure model, threatening both data encryption and public exposure.

Dual-Pressure Tactic Using Stolen Data

Further chats indicate that stolen data from a UK software consultancy was reused to attack a company in Turkey. The Gentlemen portrayed the UK firm as an "access broker" during negotiations with the Turkish target, providing "proof" of the intrusion originating from the UK side and encouraging the Turkish company to consider legal action against the consultancy.

This tactic amplifies pressure on victims and creates distrust between business partners. The leak shows the group's willingness to manipulate relationships to maximize ransom chances.

Affiliate Network Revealed

Check Point Research identified 8 distinct affiliate TOX IDs from collected ransomware samples, including the administrator's own TOX ID. This suggests the admin not only manages the RaaS program but also actively participates in or directly carries out some infections.
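One way a CTI team can do the affiliate attribution described above, given here as an added example rather than Check Point's own tooling: pull Tox IDs out of ransom notes, discard strings that fail the Tox ID checksum (the Tox ID format is a 32-byte public key, a 4-byte nospam value and a 2-byte checksum formed by XOR-folding the first 36 bytes), and group samples by contact ID. All IDs and notes below are constructed, not real indicators.

```python
import re
from collections import defaultdict

# A Tox ID is 76 hex chars: 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")

def tox_checksum_ok(tox_id: str) -> bool:
    """Tox ID checksum: XOR-fold the first 36 bytes into two bytes, compare to the last two."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]

def extract_tox_ids(text: str) -> list[str]:
    """Return checksum-valid, de-duplicated Tox IDs (uppercased) found in one ransom note."""
    found: list[str] = []
    for m in TOX_ID_RE.finditer(text):
        cand = m.group(0).upper()
        if tox_checksum_ok(cand) and cand not in found:
            found.append(cand)
    return found

def cluster_by_affiliate(notes: dict[str, str]) -> dict[str, list[str]]:
    """Group samples by the Tox contact ID in their note; each ID is one affiliate contact point."""
    by_id: dict[str, list[str]] = defaultdict(list)
    for sample, text in notes.items():
        for tid in extract_tox_ids(text):
            by_id[tid].append(sample)
    return dict(by_id)

# Constructed sample data (not real IoCs). Checksums were computed with the rule above.
AFFILIATE_1 = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F" "DEADBEEF" "6042"
AFFILIATE_2 = "FF" * 32 + "00000001" + "0001"
BAD_CHECKSUM = AFFILIATE_1[:-4] + "0000"   # same key, wrong trailer: junk or a typo

SAMPLE_NOTES = {
    "sample_a.exe": "Your network is encrypted. Contact us via Tox: " + AFFILIATE_1,
    "sample_b.exe": "Tox ID: " + AFFILIATE_1.lower() + "\nDo not contact the police.",
    "sample_c.exe": "Tox: " + AFFILIATE_2,
    "sample_d.exe": "Tox: " + BAD_CHECKSUM,
}

if __name__ == "__main__":
    for tid, samples in cluster_by_affiliate(SAMPLE_NOTES).items():
        print(tid[:16] + "...", samples)
```

Two samples sharing one Tox ID are attributed to the same affiliate contact point; a note whose ID fails the checksum is dropped rather than counted as a new affiliate.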

[Image. Source: research.checkpoint.com]

The affiliate network appears tightly controlled, with the admin involved in vetting and monitoring affiliates. The leak provides a rare glimpse into the hierarchy and operational security of a RaaS group.

Background

The Gentlemen ransomware-as-a-service operation emerged around mid-2025, advertising on multiple underground forums to recruit penetration testers and skilled actors. According to the group's data leak site, it has published approximately 332 victims in just the first five months of 2026, making it the second most productive RaaS operation publicly listing victims during that period.

Check Point's previous analysis of an affiliate infection revealed the use of SystemBC malware, with a command-and-control server linked to over 1,570 victims. This new leak focuses on the affiliate program and the actors behind it, providing context for the group's rapid rise.

The database leak occurred on May 4, 2026, when the administrator acknowledged the breach on underground forums. Check Point Research obtained what appears to be a partial leak of the group's operational data.

What This Means

This leak is a significant intelligence windfall for cybersecurity defenders. It exposes the inner workings of a dangerous RaaS operation, including their technical methods, affiliate structure, and negotiation tactics.

"Organizations can now better defend against The Gentlemen by understanding their preferred initial access vectors and tooling," the Check Point analyst stated. The disclosed CVE tracking also helps prioritize patching efforts for the most exploited vulnerabilities.

The dual-pressure tactic involving stolen data reuse highlights the need for robust incident response and legal frameworks to handle cross-border cyber extortion. The leak may also lead to increased scrutiny of the group by law enforcement agencies worldwide.

As ransomware groups continue to evolve, the exposure of The Gentlemen's operations serves as a stark reminder of the persistent threat. Security teams should monitor for any changes in tactics following this unprecedented breach of operational security.
