
Gentlemen RaaS Admins Confirm Internal Database Breach — Affiliate Operations Exposed

Last updated: 2026-05-17 13:17:55 · Science & Space

In a startling development, The Gentlemen ransomware-as-a-service (RaaS) administrator admitted on May 4th, 2026, that the group's internal backend database, codenamed 'Rocket,' had been leaked to the public. The leak exposed 9 accounts, including that of the administrator himself, known as 'zeta88' or 'hastalamuerte,' who oversees infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the program's chief operator.

This breach provides an unprecedented inside look at the group's operations, including initial access methods such as exploiting Fortinet and Cisco edge appliances, NTLM relay attacks, and stealing OWA/M365 credentials. The internal discussions also reveal the division of roles among affiliates, shared toolkits, and active tracking of vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.

Ransom Payout Revealed

Further leaked screenshots from ransom negotiations show a successful case where The Gentlemen received $190,000 after initially demanding $250,000. This highlights the group's willingness to negotiate, even as they maintain high-pressure tactics.

Image source: research.checkpoint.com

In one notable instance, stolen data from a UK software consultancy was reused to target a company in Turkey. The attackers employed a dual-pressure strategy: they portrayed the UK firm as an 'access broker' while suggesting to the Turkish victim that it should pursue legal action against the consultancy, providing 'proof' of the intrusion's origin.

Check Point Research Analysis

Check Point Research has identified 8 distinct affiliate Tox IDs from available ransomware samples, including the administrator's own Tox ID. This suggests the admin not only manages the RaaS program but also actively participates in or conducts some infections himself. A Check Point spokesperson stated, 'The leak confirms what we suspected: the line between admin and affiliate is blurred, and the inner workings of one of 2026's most active ransomware groups are now exposed.'

Background

The Gentlemen RaaS operation emerged around mid-2025 and quickly gained notoriety for its aggressive recruiting on underground forums. By May 2026, the group had published 332 victims on its data leak site, making it the second most productive RaaS operation in the first five months of 2026, trailing only LockBit. Check Point's previous research tied one affiliate infection to the use of SystemBC malware, which alone revealed over 1,570 victims.


The current leak, obtained by Check Point, consists of a partial database dump that includes operational details on infrastructure, affiliates, and victims. The admin's acknowledgment on forums confirms the breach's authenticity.

What This Means

This exposure represents a significant intelligence windfall for law enforcement and cybersecurity firms. The detailed operational data—from initial access techniques to affiliate identities—could lead to takedowns and arrests. 'We now have a roadmap of their methods and key players,' a senior incident responder noted. 'This will likely force The Gentlemen to restructure or risk further infiltration.'

For enterprises, the leaked information serves as a stark reminder: edge devices and credential theft remain primary vectors. The group's ability to pivot from a UK consultancy to a Turkish company underscores the global and interconnected nature of ransomware attacks. Organizations must ratchet up defenses against common entry points and monitor for indicators of compromise tied to the group's known tools, such as SystemBC and the revealed CVE exploits.

Internal friction may also intensify as affiliates realize their data is compromised, potentially leading to defections or conflicts within the group. The leaked ransom negotiation tactics provide a playbook for defenders on how to handle similar pressure, including verifying claims of data origin and not engaging with third-party 'brokers.' Overall, this breach may mark the beginning of the end for The Gentlemen, but it also highlights the persistent threat posed by RaaS programs.