Quick Facts
- Category: Science & Space
- Published: 2026-05-20 12:33:58
The Gentlemen ransomware operation has rapidly become one of the most active threats in the cybersecurity landscape. Operating as a ransomware-as-a-service (RaaS) since mid-2025, the group has already claimed hundreds of victims. A recent leak of its internal backend database provides an unprecedented look at how this criminal enterprise functions—from its affiliate recruitment to attack techniques and negotiation strategies.
The Database Leak and Its Revelations
On May 4, 2026, the administrator of The Gentlemen RaaS confirmed on underground forums that a backend database called Rocket had been exposed. This leak compromised nine accounts, including that of zeta88 (also known as hastalamuerte), who oversees infrastructure, develops the locker and RaaS panel, manages payouts, and essentially acts as the program's administrator. The leaked data offers a rare end‑to‑end view of the operation.

Anatomy of an Attack
Internal discussions detail the initial access paths used by affiliates. These include exploiting vulnerabilities in Fortinet and Cisco edge appliances, conducting NTLM relay attacks, and harvesting credentials from OWA and Microsoft 365 login logs. The group actively tracks and evaluates recently disclosed CVEs, such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and incorporates working exploits into its toolset.
Affiliate Structure and Roles
The leak reveals a clear division of roles within the RaaS program. Affiliates share a common set of tools but operate independently, with the administrator managing the platform and payouts. This structure allows the group to scale quickly while maintaining centralized control over the locker and ransom negotiations.
Financial Impact and Negotiation Tactics
Leaked screenshots from ransom negotiations show a successful case where The Gentlemen received 190,000 USD after starting with an initial demand of 250,000 USD. This demonstrates the group's willingness to negotiate and the potential profits for affiliates.
Cross-Border Targeting and Pressure Techniques
Further chats indicate that stolen data from a UK software consultancy was later reused to attack a company in Turkey. The Gentlemen employed a dual‑pressure tactic: they portrayed the UK firm as an "access broker" and suggested to the Turkish company that the intrusion originated from the UK side, encouraging it to consider legal action against the consultancy. This cross‑border manipulation adds a new layer of intimidation to their extortion strategy.

Affiliate Network and Admin Involvement
By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator's own ID. This suggests that the admin not only manages the RaaS program but also actively participates in—or directly carries out—some infections. The line between operator and affiliate appears blurred, indicating a hands-on leadership style.
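The article does not describe how Check Point Research extracted and deduplicated the affiliate TOX IDs. The following is an added example, not Check Point's or the group's code, of the triage step a defender would write for that: pull Tox ID candidates out of ransom notes or sample strings, keep only those whose trailing checksum is valid per the Tox ID layout (32-byte public key, 4-byte nospam, 2-byte XOR checksum), and cluster samples by ID. All sample notes and IDs below are constructed, not real contact addresses.

```python
import re
from collections import defaultdict

# Tox ID layout: 32-byte public key + 4-byte nospam + 2-byte checksum,
# hex-encoded as 76 characters. The checksum XORs the first 36 bytes in 2-byte pairs.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")

def tox_checksum(data: bytes) -> bytes:
    """Checksum over public key + nospam (36 bytes): XOR in 2-byte pairs."""
    csum = bytearray(2)
    for i, b in enumerate(data):
        csum[i % 2] ^= b
    return bytes(csum)

def is_valid_tox_id(candidate: str) -> bool:
    """True only if the candidate is 38 bytes and its checksum matches."""
    raw = bytes.fromhex(candidate)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]

def make_tox_id(pubkey: bytes, nospam: bytes) -> str:
    """Build a constructed Tox ID for the embedded sample data (not a real contact)."""
    body = pubkey + nospam
    return (body + tox_checksum(body)).hex().upper()

def extract_tox_ids(text: str) -> set[str]:
    """Return the checksum-valid Tox IDs found in a ransom note or sample string."""
    return {m.group(0).upper() for m in TOX_ID_RE.finditer(text)
            if is_valid_tox_id(m.group(0))}

def cluster_samples(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each Tox ID to the names of the samples whose notes carry it."""
    clusters = defaultdict(list)
    for name, note in samples.items():
        for tox_id in extract_tox_ids(note):
            clusters[tox_id].append(name)
    return dict(clusters)

# Constructed sample data: four notes, two distinct affiliate IDs, one corrupted ID.
AFFILIATE_A = make_tox_id(bytes([0x11]) * 32, b"\x00\x00\x00\x01")
AFFILIATE_B = make_tox_id(bytes([0x22]) * 32, b"\xde\xad\xbe\xef")
BROKEN = AFFILIATE_A[:-1] + ("0" if AFFILIATE_A[-1] != "0" else "1")  # bad checksum
SAMPLES = {
    "sample1": f"Contact us via TOX: {AFFILIATE_A}",
    "sample2": f"Your files are encrypted. TOX ID {AFFILIATE_B}",
    "sample3": f"TOX: {AFFILIATE_A}",
    "sample4": f"TOX: {BROKEN}",  # checksum mismatch, must be ignored
}
```

Running `cluster_samples(SAMPLES)` on the constructed notes yields two clusters (sample1 and sample3 share one ID, sample2 has the other) and drops the corrupted ID, which is the same dedup-by-contact logic that turns a pile of samples into a count of distinct affiliates.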
Scale of Operations
Based on victims listed on the group's data leak site (DLS), The Gentlemen appears to be one of the most active RaaS programs in early 2026, with approximately 332 published victims in just the first five months. This volume places the group as the second most productive RaaS operation in that period, at least among those that publicly list their victims. In a previous analysis, Check Point Research examined a specific infection carried out by an affiliate using SystemBC, whose command‑and‑control server revealed more than 1,570 victims—highlighting the far reach of individual affiliates.
The leak of The Gentlemen's internal database offers an invaluable glimpse into the mechanics of a modern ransomware operation. It underscores the importance of continuous monitoring, patch management, and employee cybersecurity training to defend against the ever‑evolving tactics employed by groups like The Gentlemen. As RaaS programs become more sophisticated, understanding their inner workings is crucial for defenders worldwide.