Inside The Gentlemen RaaS Operation: Leaked Database Reveals Affiliates, Tactics, and Negotiations

From Usahobs, the free encyclopedia of technology

Introduction

The Gentlemen ransomware-as-a-service (RaaS) operation first surfaced around mid-2025 and quickly built a reputation on underground forums. By advertising a sophisticated ransomware platform, the group recruited penetration testers and other technically capable individuals as affiliates. In 2026, judging by the victims listed on its data leak site (DLS), The Gentlemen became one of the most active RaaS programs, posting 332 victims in the first five months of the year alone. That volume made it the second most productive RaaS operation of the period, at least among the programs that publicly name their victims.

Source: research.checkpoint.com

In a previous report, Check Point Research examined a specific infection carried out by a Gentlemen affiliate, which used the SystemBC malware and exposed over 1,570 victims tracked through its command-and-control server. A new development now offers an unprecedented view into the group's inner workings: a leaked internal database. On May 4, 2026, the program's administrator acknowledged the breach of the backend system, known as Rocket, which exposed sensitive operational data about affiliates, infrastructure, and victims.

Leaked Internal Database Exposes Key Details

The leaked database contained information on nine accounts, including the administrator's own handle, zeta88 (also known as hastalamuerte). This individual runs the infrastructure, builds the locker and the RaaS panel, manages payouts, and effectively acts as the program's administrator. The leak provides a rare end-to-end view of how The Gentlemen operates: initial access pathways such as exploitation of Fortinet and Cisco edge appliances, NTLM relay attacks, and OWA/Microsoft 365 credentials taken from credential logs; the division of roles among affiliates; the toolkits they share; and the group's active tracking and assessment of current vulnerabilities, including CVE-2024-55591 (FortiOS/FortiProxy authentication bypass), CVE-2025-32433 (Erlang/OTP SSH pre-authentication remote code execution), and CVE-2025-33073 (Windows SMB client elevation of privilege via NTLM reflection). The tracked CVEs line up with the access pathways above: edge-appliance exploitation on one side, NTLM relay and reflection on the other.

Ransom Negotiations and Dual-Pressure Tactics

Among the leaked materials were screenshots from ransom negotiations, including a successful case in which the group received $190,000 USD after initially demanding $250,000, a discount of roughly 24% that shows the operators are willing to negotiate down rather than lose the payment. More intriguingly, other chat logs show that stolen data from a UK software consultancy was later reused to pressure a company in Turkey. The Gentlemen employed a dual-pressure tactic: they portrayed the UK firm as an "access broker" while providing "proof" to the Turkish company that the intrusion originated from the UK side, and even encouraged the Turkish firm to consider legal action against the consultancy. The conclusion returns to this cross-border pressure tactic.


Affiliate TOX IDs and the Administrator’s Dual Role

By collecting all available ransomware samples, Check Point Research identified eight distinct affiliate TOX IDs, one of which belongs to the administrator. This suggests that the admin not only manages the RaaS program but also participates in, or directly carries out, some infections. Such dual involvement blurs the line between developer and affiliate, and may reflect a hands-on approach to ensuring operational success or testing new features. Tox is a peer-to-peer encrypted messaging protocol; a Gentlemen sample embeds the Tox ID the victim is told to contact, so each distinct ID recovered from the samples acts as a fingerprint for the affiliate (or administrator) behind that deployment.
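The clustering step described above, as an added example that is not Check Point's tooling or the page's own code. Per the Tox specification, a Tox ID is 38 bytes rendered as 76 hex characters: a 32-byte public key, a 4-byte "nospam" value, and a 2-byte checksum formed by XOR-folding the first 36 bytes into two bytes. The script scans ransom-note text for 76-hex candidates, keeps only those whose checksum is valid (so a random hex blob or a SHA-256 hash is not mistaken for a contact ID), and groups samples by the ID they carry. The affiliate IDs, note text and sample names below are constructed for the example and do not correspond to any real Gentlemen affiliate.

```python
"""Extract checksum-valid Tox IDs from ransom notes and cluster samples by ID.

Added example, not Check Point's tooling. Tox ID layout (from the Tox spec):
32-byte public key || 4-byte nospam || 2-byte checksum, hex-encoded (76 chars).
"""
import re
from collections import defaultdict

# Exactly 76 hex chars, not embedded in a longer hex run.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{76})(?![0-9A-Fa-f])")


def tox_checksum(key_and_nospam: bytes) -> bytes:
    """XOR-fold the 36 bytes (pubkey || nospam) into the 2-byte Tox checksum."""
    if len(key_and_nospam) != 36:
        raise ValueError("expected 32-byte public key + 4-byte nospam")
    chk = bytearray(2)
    for i, b in enumerate(key_and_nospam):
        chk[i % 2] ^= b
    return bytes(chk)


def make_tox_id(pubkey: bytes, nospam: bytes) -> str:
    """Build a syntactically valid Tox ID; used here only to construct sample data."""
    body = pubkey + nospam
    return (body + tox_checksum(body)).hex().upper()


def is_valid_tox_id(candidate: str) -> bool:
    """True if the 76-hex string carries a correct Tox checksum."""
    raw = bytes.fromhex(candidate)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(text: str) -> list[str]:
    """Return checksum-valid Tox IDs found in a note, upper-cased and deduplicated."""
    found: list[str] = []
    for m in TOX_ID_RE.finditer(text):
        cand = m.group(1).upper()
        if is_valid_tox_id(cand) and cand not in found:
            found.append(cand)
    return found


def cluster_by_tox_id(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each Tox ID to the names of the samples whose notes contain it."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for name, note in samples.items():
        for tox_id in extract_tox_ids(note):
            clusters[tox_id].append(name)
    return dict(clusters)


# Constructed sample data: two fictitious affiliate IDs and three fake ransom notes.
AFFILIATE_A = make_tox_id(bytes(range(32)), bytes.fromhex("AABBCCDD"))
AFFILIATE_B = make_tox_id(bytes(range(32, 64)), bytes.fromhex("01020304"))
BAD_CHECKSUM = "F" * 76  # right length, wrong checksum: must be rejected

SAMPLE_NOTES = {
    "sample1.exe": f"Your files are encrypted. Contact us on TOX: {AFFILIATE_A}",
    "sample2.exe": f"tox id: {AFFILIATE_A.lower()}\nsha256 of this note: {'A' * 64}",
    "sample3.exe": f"Contact: {AFFILIATE_B} (TOX)\nbackup contact: {BAD_CHECKSUM}",
}

if __name__ == "__main__":
    for tox_id, names in cluster_by_tox_id(SAMPLE_NOTES).items():
        print(f"{tox_id[:16]}... -> {', '.join(names)}")
```

The checksum test matters in practice: a ransom note often also contains hashes, onion addresses and victim IDs, and a plain 76-hex regex alone will occasionally pick those up. Two samples that share a checksum-valid Tox ID were almost certainly deployed by the same operator, which is exactly how the eight IDs in the report separate the affiliates, and the administrator, from one another.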

Conclusion

The leak of The Gentlemen's internal database has pulled back the curtain on a highly active RaaS operation. From the detailed initial access methods to the reuse of one victim's stolen data to pressure another across borders, the group shows a level of sophistication that underscores the growing threat posed by ransomware-as-a-service. The administrator's role in both managing the program and executing attacks points to a tightly controlled operation, while the list of tracked CVEs shows a deliberate effort to weaponize emerging vulnerabilities in edge appliances and Windows authentication. As ransomware groups continue to evolve, leaks like this one give defenders a rare look at affiliate tradecraft to prioritize patching and build detections against.