Leaked Database Exposes Inner Workings of The Gentlemen Ransomware Group

Admin Admits Internal Database Leak

On May 4th, 2026, the administrator of The Gentlemen ransomware-as-a-service (RaaS) operation confirmed on underground forums that the group’s internal backend database—codenamed Rocket—had been leaked. The leak exposed nine accounts, including that of the lead figure zeta88 (also known as hastalamuerte), who oversees infrastructure development, locker and panel construction, payout management, and acts as the RaaS program’s de facto admin.

Image: Leaked Database Exposes Inner Workings of The Gentlemen Ransomware Group (Source: research.checkpoint.com)

Security researchers scrambled to analyze the leaked data, which provides an unprecedented glimpse into the group’s operational playbook. “This is a rare end-to-end view of how a modern RaaS operation functions from initial access to final payout,” said a threat intelligence analyst at Check Point Research, who spoke on condition of anonymity.

Leaked Details Reveal Attack Vectors and CVEs

The internal discussions detail initial access pathways, including Fortinet and Cisco edge appliances, NTLM relay, and credential log harvesting from OWA and M365 environments. The logs also reveal role divisions, shared toolkits, and the group’s active monitoring of emerging vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.

Researchers noted that The Gentlemen’s affiliates appear to prioritize network edge devices and credential theft. “They are not just opportunistic; they systematically evaluate CVEs and integrate them into their workflow,” the analyst added.

Ransom Negotiations Leak Shows Payment Flow

Screenshots from ransom negotiations were also part of the leak, illustrating a successful case where the group accepted a payment of 190,000 USD after an initial anchor demand of 250,000 USD. The negotiation logs show a calculated back-and-forth, with the attacker threatening to publish stolen data if the victim delayed payment.

“The $60,000 gap between demand and final payment suggests a flexible but aggressive negotiation style,” commented a cybercrime investigator who reviewed the materials. “They are willing to settle but only after applying maximum pressure.”

Dual-Pressure Tactic: UK Consultancy Used as Bait

Further leaked chats reveal that stolen data from a UK software consultancy was later reused to attack a company in Turkey. The Gentlemen applied a dual-pressure tactic: they framed the UK firm as an “access broker” while offering “proof” to the Turkish victim that the intrusion originated from the UK side. The attackers encouraged the Turkish company to consider legal action against the consultancy, aiming to sow distrust and confusion.

“This is a sophisticated psychological operation embedded within ransomware,” said the analyst. “By redirecting blame, they hope to undermine cooperation between victims and law enforcement.”

Background: The Rise of The Gentlemen RaaS

The Gentlemen emerged as a RaaS operation around mid-2025, advertising on multiple underground forums for affiliates. In the first five months of 2026 alone, the group listed approximately 332 victims on its data leak site, making it the second most active RaaS program in that period among those that publicly name victims.

Check Point Research previously analyzed an infection linked to an affiliate who used the SystemBC proxy tool; that affiliate’s command-and-control server exposed over 1,570 victims. The latest leak now shifts focus to the affiliate program itself and its core actors.

By collecting available ransomware samples, researchers identified eight distinct affiliate TOX IDs, including the administrator’s. “The admin not only manages the RaaS platform but also actively participates in, or directly carries out, some infections,” the analyst explained.

What This Means for Defenders

The leak provides defenders with a near real-time blueprint of The Gentlemen’s tactics, tools, and procedures. Organizations can now prioritize patching Fortinet and Cisco edge appliances, strengthen NTLM relay protections, and monitor for credential harvesting attempts on OWA and M365 platforms.

“This level of operational transparency is rare,” the threat intelligence analyst emphasized. “Security teams should use these insights to harden their environments immediately, especially around perimeter devices and authentication mechanisms.”

The dual-pressure tactic also underscores the importance of cross-organizational coordination. “Victims should not let attackers pit them against each other—collaboration with peers and law enforcement remains critical,” the investigator added.

As The Gentlemen’s admin struggles to contain the fallout of this leak, the cybersecurity community gains a unique advantage—one that could disrupt the group’s operations for months to come.
