One of the world’s most prolific ransomware operations has itself been breached, offering unique insight into its inner workings.
In only the first five months of 2026, the Russian cybercriminal gang that calls itself “The Gentlemen” has published sensitive data belonging to around 332 different organizations. It has compromised many more organizations than that, surely, as its leak site does not include victims that pay their ransoms. According to Check Point Research, these numbers have made The Gentlemen the second most productive ransomware group on the planet this year, just short of Qilin.
On or just before May 4, The Gentlemen got a taste of its own medicine when an anonymous group compromised its internal back-end database. Those hackers are now selling just over 16GB of The Gentlemen’s internal communications, tooling, and other data for $10,000 in Bitcoin.
“It is a reputational hit, but we do not expect it to significantly disrupt their operations or reduce their effectiveness,” says Eli Smadja, Check Point’s group manager for product R&D. Still, even the 44MB of stolen data the anonymous hackers leaked to prove the veracity of the rest of it has proven interesting. Check Point Research analyzed the sample, gaining new insight into The Gentlemen’s operational structure, its tactics, techniques, and procedures (TTPs), and some of its quirks.
How The Gentlemen Operate
The head Gentleman goes by “zeta88” online. Zeta88 builds and maintains the group’s locker malware, curates the tooling around it, runs all of the infrastructure, and more. They also select targets, assigns two or three fellow Gentlemen to attack those targets, and manage negotiations and payouts.
Zeta88’s operations guys are “qbit” and “quant.” Qbit specializes in scanning for vulnerable edge devices, performing reconnaissance, and establishing persistence in targeted environments, and quant specializes in gaining access via logs and credentials. A tertiary group of seven grunts includes red teamers, an access broker, and even an advertising specialist. Though not evidenced in the leaked sample, presumably, some number of affiliates orbits around this circle of 10.
Forcing a bunch of cybercriminals into a corporate pyramid might not sound like a bright idea, but the power structure is balanced by a generous payment model for lower-level collaborators. Every time The Gentlemen extorts a payment out of a victim, zeta88 enjoys 10% of it, but the other hackers involved get to split the other 90%.
Smadja also attributes the group’s success to its tight organizational structure. “The clear division of responsibilities within the group also plays a major role. Much like any well-run organization, having defined roles and workflows translates directly into higher productivity and, in their case, a higher volume of successful breaches,” he says.
Besides its tight ship, he adds, “One of the group’s key strengths is the hands-on involvement of the main administrator, who came up as an affiliate and understands the operation from the ground up. Having the main RaaS administrator come from an affiliate background gave them a significant head start, helping them reach the top tier in a remarkably short period of time.”
What Else You Should Know About The Gentlemen
The Gentlemen takes advantage of critical, known vulnerabilities and exploitation techniques to get into targeted systems and pair them with almost 30 different tools to support its locker. It uses a variety of scanners and VPNs, tools for gaining remote access to systems, and several techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic. Check Point describes the toolset as “fairly mature,” if not particularly unique.
Members have toyed with more cutting-edge ideas, like developing an in-house large language model (LLM)-based program for some vague malicious purposes. They’ve already used LLMs to assist with code development, but while their dreams are bigger, the practical limitations of current artificial intelligence (AI) technology have gotten in the way. After reporting that they vibe-coded an admin panel in three days, zeta88 warned that “you have to understand everything and think like crazy even with [neural networks], because they’re all dumb (even if smart).”
The Gents also keeps up with its colleagues in the ransomware business, gossiping about them (Dragon Force: cool; Chaos: meh) but also learning from them. In one leaked chat foreshadowing its own future, the gang discussed ways to benefit from last year’s Black Basta leak. Their greatest interest was in their colleagues’ approach to code signing.
Smadja thinks it unlikely that The Gentlemen’s own breach would much edify other hackers. “What they have built is the product of experience, and nothing disclosed in the leak reveals a secret formula or unique technical advantage,” he says. “It is possible the leak could inspire other affiliates to spin up their own RaaS operations, but given that some established groups already offer a 90/10 payout split, building your own operation is not an obviously attractive proposition for most.”
