The Gentlemen ransomware: what the internal leak reveals about their playbook

On May 4, 2026, the administrator of RaaS program The Gentlemen admitted on an underground forum that part of his internal database had been leaked. The dataset, 16.22 GB of internal archives, was put up for sale for $10,000 in Bitcoin on Exploit(.)in, then relayed the very next day on Cracked and Nulled (two underground forums for the resale of pirated data and tools). The group, which since mid-2025 has been one of the most active in the world, with some 332 victims published in the first five months of 2026 according to Check Point, finds itself subjected to the treatment it imposes on its targets: exfiltration, samples as proof, threat of complete exposure.

From host breach to group exposure

The starting point was an attack on 4VPS, a hosting provider known for providing infrastructure for numerous underground players. On May 2, 2026, 4VPS publicly declared that its website and billing system had been compromised, while claiming that its core systems and customer data had not been affected. However, part of The Gentlemen’s infrastructure relied on this provider, and the attackers allegedly recovered access credentials to one of the group’s NAS devices.

The public extract recovered by the researchers weighs only around 44.4 MB, a tiny fraction of the complete dataset. But this fragment is enough to reconstruct a significant part of the inner workings. It contains a shadow file listing user accounts and server password hashes, and above all conversations between operators and affiliates from November 7, 2025 to April 30, 2026 – almost six months of history spread over the internal channels general, INFO, TOOLS and PODBOR. In these channels, members coordinate ongoing intrusions, exchange EDR killer kits, discuss infrastructure and backend, review CVEs and exploit paths, share negotiation captures and debate payment sharing. Added to this are full transcripts of ransom negotiations and Bitcoin addresses used internally.

The administrator’s public response on May 4 contrasts with the seriousness of the dump. The tone is deliberately dismissive of the vendor, and the sequence quickly switches to what he presents as “more interesting” topics: complete overhaul of the communication structure, deployment of a new NAS with unlimited storage, series of locker updates – removal of hardware breakpoints, NTDLL unhooking, ETW patching to neutralize Event Tracing for Windows. A deliberate way of signalling that the program is continuing.

[Figure] The Gentlemen ransomware response post – Source: Check Point Research

Nine accounts, one total administrator and a corporate structure

The leak reveals a smaller organization than the volume of published victims would suggest. Check Point Research identifies nine active accounts in the chats – Kunder, qbit, JeLLy, Protagor, zeta88, Bl0ck, Wick, quant and mAst3r – and had already, on the basis of samples collected on VirusTotal, spotted eight distinct TOX IDs. The Gentlemen revolves around a core of less than a dozen operators, with a larger but hard-to-count number of affiliates.

At the center is zeta88, most likely the same person as the historic hastalamuerte ID. Before The Gentlemen, according to SOCRadar, hastalamuerte led a team of affiliates called ArmCorp in connection with the ransomware Qilin. In July 2025, he publicly accused Qilin on the RAMP forum of withholding $48,000 in unpaid commissions. Five days before this post, the first known sample of The Gentlemen locker had already appeared on VirusTotal, proof that the infrastructure of the new program had been prepared long before the public break.

Zeta88 plays all the structuring roles: he builds and maintains the locker as well as the RaaS panel (Linux with containers and Tor front), administers the GPO-based distribution mechanism, selects and distributes targets to teams of two to three people, manages payments and conducts negotiations. Chats show that he also regularly gets his hands dirty: his TOX ID appears in four of the campaigns documented on VirusTotal, and at least one conversation shows him deploying the locker to a victim himself.

qbit is the man on the ground: he scans and filters Fortinet VPNs and other edge devices, conducts reconnaissance, establishes persistence – notably via Cloudflare tunnels and Zero Trust – and manipulates tools such as NetExec, RelayKing or PrivHound against NTLM configurations. He regularly requests updated EDR killer kits and manuals for locking down ESXi environments. quant specializes in credential log access: he maintains a proprietary parser and credential collector called buildx641, which relies on vssadmin, shadow copies, ntds.dit and SYSTEM copies. He has invested in a “brute server” dedicated to large-scale hash breaking (Threadripper PRO, 128 GB RAM, RTX 5090).

The other accounts play more specialized roles. According to SOCRadar, Wick plays the role of senior operator and trainer, writing internal tradecraft guides on deploying Velociraptor, stealing browser sessions or mounting shares. JeLLy contributes to the tooling via a development on browser credential extraction. Kunder shares a SOCKS implant written in Go with its own panel. Protagor participates directly in certain intrusions.

[Figure] Organization chart of The Gentlemen group, with administrator zeta88 at the top and operator roles below – Source: Check Point Research

The organization as such is explicitly described by Eli Smadja, group manager for product R&D at Check Point: “The clear division of responsibilities within the group plays a major role. As in any well-run organization, defined roles and workflows translate directly into higher productivity and, in their case, a higher volume of successful intrusions.” The program also retains an unusually generous revenue share: 90% for the affiliate, 10% for the operator, which helps to explain its ability to quickly attract experienced operators.

An industrialized attack chain around edge devices and infostealers

The operational workflow described by the chats is standardized and well-honed. Initial access is mainly targeted at equipment exposed to the Internet – VPNs, firewalls, management interfaces – with a marked preference for Fortinet FortiGate and Cisco. The group even maintains an internal HTML dashboard that continuously tracks thousands of exposed FortiGate panels, with their status, equipment name and a direct connection link. Credential tests are distributed on dedicated hardware, and valid access is immediately sorted by target value.

Several vectors are combined: brute force against web or VPN panels, exploitation of known CVEs, and buying access from third-party brokers. Three vulnerabilities are explicitly tracked in the chats: CVE-2024-55591 (FortiOS management interface), CVE-2025-32433 (Erlang SSH, applied to Cisco environments) and CVE-2025-33073 (NTLM relay, integrated via RelayKing into the standard target generation pipeline).

But the heart of their access economy is not the zero-day exploit. As Hudson Rock summarizes from Check Point analysis, rather than “burning costly zero-days”, operators systematically take the path of least resistance: the massive ecosystem of stolen credentials. The chats expose screenshots of searches in leak engines like Snusbase, to identify valid employee logins from infostealer logs. This logic is formalized in the organizational chart: quant is explicitly categorized by Check Point as the operator in charge of “credential logs”, with the mission of transforming a dormant infostealer log into operational access to an OWA, Microsoft 365 or corporate VPN environment.

[Figure] Screenshot of credential and account searches by The Gentlemen operators in infostealer dumps – Source: Check Point Research

Once access has been gained, the pattern is classic but methodical: Active Directory reconnaissance, abuse of certificates, escalation of local privileges to reach Domain Admin, neutralization of EDR and antivirus, lateral movement, harvesting of credentials and browser sessions to reuse access to SaaS services, exfiltration to cloud storage mounted via Rclone, coordinated deployment of the locker. For data exfiltration, the cloud mounting arsenal combines various tools such as Rclone and RcloneView, among others.

The final deployment is based on a particularly aggressive mechanism. Once a domain controller has been compromised, the operator uses the locker’s --gpo flag, which creates a group policy called “System Update” and a scheduled task distributed to all machines in the domain via SYSVOL. The result: the next time the group policy is refreshed, the ransomware runs almost simultaneously on all machines joined to the Active Directory domain. zeta88 has also formalized a principle for intermediate tooling: give priority to signed, open-source living-off-the-land tools. Velociraptor in official signed builds is used as C2; zeta88 notes that these builds do not trigger most AV/EDRs. ZeroPulse, developed in Python by jxroot and based on Cloudflare tunnels, is used as a PowerShell agent with no attacker IP exposed. NetExec, RelayKing, PrivHound, CertiHound, TaskHound, KslDump, KslKatz and MANSPIDER complete the red team arsenal.

Vibe-coding for ransomware

One of the most talked-about aspects of the dump concerns the operational use of AI. zeta88 claims to have built the locker’s administration panel – which he calls GLOCKER – in three days using “vibe-coding”, i.e. relying heavily on AI assistants to generate code. However, he comments lucidly on the result: “you have to understand everything and think like crazy even with [neural networks], because they’re all dumb (even if they are smart)”.

[Figure] Message from zeta88 about the “vibe-coded” GLOCKER panel built in three days – Source: Check Point Research

Technical preferences lean towards Chinese and uncensored models: DeepSeek, Qwen, Kimi and Emi are deemed the most effective for code and technical queries. Usage is also opportunistic for quick lookups, with zeta88 directing affiliates to consult an AI rather than cluttering the channel with basic questions, for example on FortiGate internals. The usage becomes more worrying when qbit posts in the INFO channel a model he describes as the most radical neural network, capable of generating any content without censorship, no restrictions, absolutely no refusals. The KELA researchers identify the model as Huihui-Qwen3.5-35B-A3B-abliterated, an “abliterated” variant of Qwen 3.5 in which the alignment safeguards have been removed.

For his part, Protagor raises the idea of renting GPU capacity from a specialized cloud provider to run a local Qwen 3.5 capable of analyzing hundreds of gigabytes of exfiltrated data, identifying administration panels, reasoning about access paths – in short, delegating the tedious manual sorting of loot to AI. But he admits himself, “I have no idea how to do that, but I think it’s possible.” Autonomous analysis of stolen data by a self-hosted LLM remains an advertised goal, not an operational capability, which ties in with predictions about the gradual rise of offensive AI.

Black Basta playbook recycled for better extortion

The leaked chats reveal that The Gentlemen is carefully studying competing operations, most notably the massive leak of Black Basta’s internal conversations from February 2025. Members analyze Black Basta chat captures to understand their phishing and initial access methodology: mass dissemination via Microsoft infrastructure, or prior compromise of corporate mailboxes followed by sends from whitelisted internal accounts, with short, colleague-to-colleague messages (“Hi, look at the document”), and impersonation of internal employees after reading existing threads to draft credible replies.

[Figure] Internal conversations mentioning Black Basta’s code-signing methodology – Source: Check Point Research

The point that most caught their attention was the code-signing strategy. Black Basta allegedly used VirusTotal to identify legitimate code signing certificates, then launched brute force attacks on their private keys to sign its binaries as if they came from trusted publishers. The Gentlemen presents this technique as a model to be replicated. SOCRadar confirms that the group actively procures EV/OV PFX certificates to sign its locker and post-exploitation tools. The re-circulation dynamic is clear: every documented leak from a major player enriches the RaaS ecosystem’s common manual.

From British consultancy to Turkish company: chain extortion

Among the documented negotiations, one case illustrates the sophistication of the group’s extortion tactics. In April 2026, a British IT consulting firm publicly declared that it had been the victim of a breach. Its management asserted in an open letter that only “typical business data” had been accessed.

The leak tells a different story. In what looks like a zeta88 personal channel, the administrator writes a ransom note detailing what The Gentlemen claims to have actually exfiltrated: customer infrastructure data, secrets, OAuth credentials and more. The letter explicitly targets GDPR exposure risks as leverage. Two weeks later, the details are posted on The Gentlemen’s leak site. One negotiation case detailed in the leak shows an initial demand of $250,000 eventually cashed out at $190,000.

[Figure] The Gentlemen ransom note – Source: Check Point Research

Internal chats show that the data exfiltrated from the British company was reused to attack a Turkish client. The Gentlemen obtained initial access to the Turkish target via vulnerable VPN equipment, and zeta88 himself created a backdoor service account on Okta. During the campaign, he explicitly relies on an internal “Transfer/Migration” document describing the work carried out by the British company for its Turkish client, hosted on the provider’s collaborative platform. This document, exfiltrated during the first breach, was used directly to guide the second intrusion.

The group then discussed, in its internal channels, the best way to monetize this chain of events. The idea was to publish the Turkish company on the DLS (Data Leak Site), explicitly mentioning that access had been obtained via the compromised British consultancy. Double benefit. Firstly, to punish the consultancy, which the operators describe in unflattering terms; secondly, to increase the pressure on the Turkish victim by showing him exactly how he was penetrated, to encourage him to take legal action against the provider.

The mechanism transforms classic extortion into a weapon of triangulated reputation: victim A is used as access and then as leverage over victim B, and the DLS becomes an offensive legal instrument as much as a showcase of shame.

Financial calibration and targeted extortion

The chats also shed light on the financial mechanics. The group uses non-custodial wallets and fragments its transactions to avoid AML tracking, with BTC-to-cash conversions via local intermediaries; around 800 transactions are mentioned as a way to obscure the origin of funds. zeta88 maintains a generic dunning letter template, adaptable to each extorted company, which insists on the costs of non-payment: regulatory exposure, reputational damage, operational impact.

SOCRadar documents a convergent practice: the group calibrates the ransom amount on the victim’s ZoomInfo revenue data. In one case observed, operators were informed of a target’s cyber-insurance coverage ceiling of $10 million, and the ransom demand was calibrated precisely to this ceiling. The mechanics resonate with the trend documented in 2025: fewer victims pay, but the amounts increase for those who do.

A look at the competition

The chats show that zeta88 constantly evaluates rival RaaS programs along three axes: brand strength, payment reliability and leverage left to affiliates (percentage and negotiation control). DragonForce is among the few programs he would recommend, LockBit is cited for its tooling, while Anubis and CHAOS are judged on the percentage paid out. Kraken appears as a group whose members have contacted qbit and who might consider joining The Gentlemen. Others, such as Gunra and Hyflock, are ruthlessly dismissed. This constant competitive watch confirms a RaaS ecosystem in which every player observes and borrows the practices of others.

A leak that doesn’t slow down the program

Eli Smadja formulates the most likely prognosis: “It’s a reputational blow, but we don’t expect it to significantly disrupt their operations or reduce their efficiency.” In his view, few elements of the leak constitute a transferable technical advantage: “What they’ve built is the product of experience, and nothing disclosed reveals a secret formula or unique technical advantage.”

The post-leak trajectory proves him right. On May 16, 2026, the administrators of a new version of BreachForums announced that The Gentlemen had become an official forum partner, with access to infrastructure and operational support in return. A few days later, Hackread observed the BreachForums banner displayed on the group’s onion site. The program not only survives, it consolidates its public partnerships. A historical precedent points in the same direction: Conti survived its own leak for several months, Black Basta recomposed itself and carried on. The operational side of RaaS programs doesn’t vanish with the publication of a chat dump.

[Figure] BreachForums banner on the site of ransomware group The Gentlemen – Source: Hackread

What this leak confirms for cybersecurity teams

The real interest for security teams lies not in the prospect of The Gentlemen’s rapid demise, but in the public documentation of their entire attack chain. Several points deserve attention.

Network equipment exposed to the Internet – FortiGate, Cisco and any VPN management system reachable from outside – remains the primary entry vector, with thousands of panels tracked in real time by the group. The credentials exposed by infostealers feed directly into the access pipeline: the credentials of employees, subcontractors and partners probably already feature in the databases consulted by these operators. The cases of the British consultancy and the Turkish company also demonstrate that a compromised service provider can become a vector for direct attack against its own customers, a supply chain risk that this leak documents with rare precision. Finally, the line between legitimate tooling and offensive arsenal continues to blur: signed Velociraptor builds, Cloudflare Tunnels, AnyDesk, Rclone are not malicious in themselves, but their sudden presence in an environment where they are not intended to exist is a signal. Blocking the unknown is no longer enough; we need to inventory the known and alert on the appearance of the admissible-but-not-expected.
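As an added illustration of the two detection points above (the SYSVOL-distributed scheduled task behind the locker’s --gpo flag, and dual-use tools appearing on hosts where they are not expected), here is a small detection sketch. It is not code from the article or from any of the vendors cited; the hostnames, user names, telemetry format, the tool allow-list and the placeholder GPO GUID are all constructed for the example.

```python
import re

# Constructed allow-list: the hosts on which each dual-use tool is expected.
APPROVED = {
    "dfir-ws01": {"velociraptor.exe"},
    "backup-srv": {"rclone.exe"},
}
# Legitimate tools the article reports being abused; binary names are assumptions.
DUAL_USE = {"velociraptor.exe", "cloudflared.exe", "rclone.exe",
            "rcloneview.exe", "anydesk.exe"}

# Constructed process-creation telemetry, "key=value" fields separated by '|'.
PROCESS_EVENTS = [
    "host=dfir-ws01|user=CORP\\ir-analyst|image=C:\\Tools\\velociraptor.exe",
    "host=fin-ws07|user=CORP\\j.doe|image=C:\\Users\\Public\\velociraptor.exe",
    "host=fin-ws07|user=CORP\\j.doe|image=C:\\ProgramData\\cloudflared.exe",
    "host=backup-srv|user=CORP\\svc-backup|image=D:\\rclone\\rclone.exe",
    "host=dc01|user=CORP\\Administrator|image=C:\\Windows\\Temp\\rclone.exe",
]
# Constructed file-creation telemetry for writes under the SYSVOL share.
FILE_EVENTS = [
    "host=dc01|user=CORP\\Administrator|target=\\\\corp.local\\SYSVOL\\corp.local"
    "\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
    "host=dc01|user=CORP\\gpo-admin|target=\\\\corp.local\\SYSVOL\\corp.local"
    "\\Policies\\{PLACEHOLDER-GUID}\\GPT.INI",
]

# A Group Policy Preferences scheduled task is stored in this file under the
# policy's GUID folder; a new one is rare enough to review whatever the GPO
# is called (the article reports the name "System Update").
SYSVOL_TASK = re.compile(
    r"\\\\[^\\]+\\SYSVOL\\.+\\Policies\\\{[^}]+\}\\Machine\\Preferences"
    r"\\ScheduledTasks\\ScheduledTasks\.xml$", re.IGNORECASE)


def parse(event):
    """Turn one 'k=v|k=v' telemetry line into a dict."""
    return dict(field.split("=", 1) for field in event.split("|"))


def unexpected_tools(events):
    """Return (host, binary) for dual-use tools run outside the allow-list."""
    hits = []
    for ev in map(parse, events):
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in DUAL_USE and name not in APPROVED.get(ev["host"], set()):
            hits.append((ev["host"], name))
    return hits


def sysvol_task_writes(events):
    """Return (host, user) for every scheduled-task file written into a GPO."""
    return [(ev["host"], ev["user"]) for ev in map(parse, events)
            if SYSVOL_TASK.search(ev["target"])]


if __name__ == "__main__":
    print("unexpected tools:", unexpected_tools(PROCESS_EVENTS))
    print("GPO scheduled task writes:", sysvol_task_writes(FILE_EVENTS))
```

The allow-list approach is the point: the same binary is benign on the IR workstation and a finding on a finance workstation or a domain controller.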

Sources:

Check Point Research: Thus Spoke…The Gentlemen

Check Point Research: DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

Hackread: The Gentlemen Ransomware Gang Hit by Internal Breach, Operations Exposed

SOCRadar: Inside The Gentlemen Ransomware Leak: When the Hunter Becomes the Hunted

KELA Cyber: Inside The Gentlemen Leak: How a New RaaS Captured 10% of 2026’s Global Ransomware Victims

InfoStealers (Hudson Rock): How The Gentlemen Ransomware Group Operates: A Blueprint Built on Infostealer Credentials
