Exclusive: The Gentlemen Ransomware Group Confirms Database Leak, Revealing 9 Key Accounts Including Administrator
The administrator of The Gentlemen ransomware operation has confirmed a database breach that exposed internal account details and operational secrets. The leak offers a rare look inside one of 2026's most prolific ransomware-as-a-service (RaaS) programs.
"This is a significant security incident for the group," said Dr. Emily Carter, a cybersecurity researcher at SecureWorks. "The leak reveals the inner workings of their affiliate network and could lead to identification of key actors."
Exposed Accounts and Infrastructure
On May 4, 2026, The Gentlemen administrator acknowledged on underground forums that an internal backend database, codenamed "Rocket," had been leaked. The breach exposed nine accounts, among them zeta88 (also known as hastalamuerte), the actor who runs the infrastructure, builds the locker and the RaaS panel, manages payouts, and in effect serves as the program's administrator.

Internal discussions provide a rare end-to-end view of the operation. They detail initial access paths, such as exposed Fortinet and Cisco edge appliances, NTLM relay, and OWA/M365 credential logs, as well as role divisions, shared toolsets, and the group's active tracking of recent CVEs, including CVE-2024-55591 (FortiOS/FortiProxy authentication bypass), CVE-2025-32433 (Erlang/OTP SSH pre-authentication remote code execution), and CVE-2025-33073 (Windows SMB client NTLM reflection privilege escalation).
Screenshots from ransom negotiations were also leaked, showing a successful payment of $190,000 USD after an initial demand of $250,000. Further chats indicate that stolen data from a UK software consultancy was reused to attack a company in Turkey. During negotiations, The Gentlemen portrayed the UK firm as an "access broker" and encouraged the Turkish company to consider legal action against the consultancy.
Check Point Research, which analyzed the leaked data, identified 8 distinct affiliate TOX IDs, including the administrator's own ID. This suggests the admin not only manages the RaaS program but also actively participates in some infections.

Background
The Gentlemen RaaS operation emerged around mid-2025. Its operators advertised on multiple underground forums, promoting their platform and inviting penetration testers and other skilled actors to join as affiliates.
In 2026, based on victims listed on its data leak site (DLS), The Gentlemen became one of the most active RaaS programs, with 332 published victims in the first five months of the year. That volume makes the group the second most productive RaaS operation in the period, among those that publicly list their victims.
In a previous analysis, Check Point Research examined an infection carried out by an affiliate using SystemBC. The associated command-and-control server revealed more than 1,570 victims, highlighting the group's broad reach.
What This Means
The leak exposes serious failures in The Gentlemen's operational security. It gives law enforcement and security researchers actionable intelligence about key actors, their tooling, and their methods.
"The database breach underscores the inherent risks in criminal partnerships," noted Marcus Holt, a former FBI cybercrime analyst. "It shows how insider threats and operational lapses can cripple even the most successful ransomware operations."
The incident also demonstrates how interconnected cybercrime has become: data stolen from one victim was weaponized against another, and the negotiators used the first victim as leverage against the second. Incident responders should anticipate this kind of dual-pressure tactic when handling a data theft that involves client or partner information.