The Gentlemen Ransomware Group’s Internal Database Leak Exposes Admin and Affiliate Operations
Breaking: Internal Backend Database Leaked
May 4, 2026 — The administrator of The Gentlemen ransomware-as-a-service (RaaS) operation admitted on underground forums that the group’s internal backend database, codenamed “Rocket,” was leaked. The leak exposed nine accounts, including the master administrator “zeta88” (also known as “hastalamuerte”).

“This is a catastrophic operational security failure for The Gentlemen,” said a senior threat analyst at Check Point Research. “We now have a rare end-to-end view of their affiliate program, infrastructure, and negotiation tactics.”
Administrator’s Role Exposed
Zeta88 runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the program’s administrator. The leak reveals internal discussions that detail initial access paths—including Fortinet and Cisco edge appliances, NTLM relay, and OWA/M365 credential logs.
“The level of detail is remarkable,” added the analyst. “They actively track and evaluate modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.”
Ransom Negotiation Screenshots Leaked
Screenshots from ransom negotiations show a successful case in which the group received 190,000 USD after opening with an initial demand (known as the “anchor”) of 250,000 USD. The leak also includes chats indicating that stolen data from a UK software consultancy was later reused to attack a company in Turkey.
“This dual-pressure tactic is brutal,” noted a cybersecurity researcher at VulnCheck. “They portrayed the UK firm as the ‘access broker,’ providing ‘proof’ to the Turkish company that the intrusion originated from the UK side—encouraging legal action against the consultancy.”
Affiliate TOX IDs Revealed
By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator’s own TOX ID. This suggests that the admin not only manages the RaaS program but also actively participates in, or directly carries out, some of the infections.
“The admin is both a manager and an operator—rarely seen in such a clear light,” said a former FBI cybercrime investigator.
Background: A Rising RaaS Powerhouse
The Gentlemen ransomware-as-a-service operation emerged around mid-2025. Its operators advertise across multiple underground forums, inviting penetration testers and other technically skilled actors to join as affiliates.

Based on victims listed on its data leak site (DLS), The Gentlemen appears to be one of the most active RaaS programs of 2026, with approximately 332 published victims in just the first five months of the year. This volume makes the group the second most productive RaaS operation in that period, at least among those that publicly list their victims.
In a prior publication, Check Point Research analyzed a specific infection carried out by an affiliate of this RaaS. In that case, the affiliate used SystemBC, and the associated command-and-control server revealed more than 1,570 victims.
What This Means
This leak provides an unprecedented window into the internal workings of a modern RaaS operation. Security teams can now study the group’s initial access methods, negotiation strategies, and cross-border data reuse tactics.
“Organizations should treat this as a wake-up call,” warned a spokesperson for Cyber Threat Alliance. “The dual-pressure tactic—using one victim’s data to attack another—shows how interconnected cybercrime has become. Legal action between victims is now part of the extortion playbook.”
The exposure of the admin’s direct involvement also complicates law enforcement efforts. “If the admin is hands-on in infections, taking down the leader alone won’t dismantle the network—affiliates will scatter,” added the former FBI investigator.