Inside The Gentlemen RaaS: Database Leak Reveals Affiliate Operations and Tactics

Introduction

The Gentlemen ransomware‑as‑a‑service (RaaS) operation emerged around mid‑2025 and quickly gained notoriety. Its operators actively promote the service on various underground forums, recruiting penetration testers and other technically skilled actors as affiliates. By early 2026, the group had become one of the most prolific RaaS programs, listing approximately 332 victims on its data leak site (DLS) in the first five months alone, making it the second most productive RaaS operation during that period among publicly visible groups.

Inside The Gentlemen RaaS: Database Leak Reveals Affiliate Operations and Tactics
Source: research.checkpoint.com

In a previous analysis, Check Point Research examined a specific infection carried out by an affiliate of The Gentlemen that used the SystemBC backdoor; the associated command‑and‑control (C&C) server revealed more than 1,570 victims. Now, a significant data breach has pulled back the curtain on the group's inner workings.

The Leak and Key Revelations

On May 4, 2026, the administrator of The Gentlemen acknowledged on underground forums that an internal backend database—dubbed Rocket—had been leaked. Check Point Research obtained what appears to be a partial copy of that leak, which exposes sensitive operational details about the group's infrastructure, affiliates, and victims.

The leaked data specifically revealed nine accounts, including the account of zeta88 (also known as hastalamuerte). This individual is the core administrator: responsible for running the infrastructure, building the locker and the RaaS panel, managing payouts, and effectively overseeing the entire affiliate program. The leak provides a rare end‑to‑end view of how the operation functions.

A Glimpse into Operations

The internal discussions captured in the leak shed light on initial access vectors, role division, shared tool sets, and the group's active tracking of vulnerabilities. Key details include:

  • Initial access methods: The affiliates commonly exploit Fortinet and Cisco edge appliances, perform NTLM relay attacks, and leverage logs from OWA and Microsoft 365 to steal credentials.
  • Toolset sharing: Affiliates share custom scripts, Cobalt Strike profiles, and evasion techniques.
  • CVE monitoring: The group closely tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.

This level of detail demonstrates a well‑organized, professional operation that continuously adapts to the threat landscape.

Ransom Negotiation Insights

Screenshots from ransom negotiations also surfaced in the leak. One case shows a successful payment of 190,000 USD, after the group initially demanded 250,000 USD. This indicates a willingness to negotiate, with the final amount 24% lower than the anchor demand.

Affiliate Structure and Administrator Role

By collecting all available ransomware samples from the leak, researchers identified eight distinct affiliate TOX IDs, one of which belongs to the administrator. This suggests that the admin, as a leader of the RaaS, actively participates in or directly carries out some of the infections. The presence of multiple affiliates indicates a decentralized yet coordinated network, with the administrator serving as both manager and operator.


The leaked database confirms that the administrative account (zeta88) has full access to victim data, payout logs, and infrastructure credentials. This centralized control helps maintain quality and consistency across the affiliate program, but also creates a single point of failure—as evidenced by the leak itself.

Dual‑Pressure Tactics

A particularly striking revelation from the chat logs involves a novel dual‑pressure tactic. The Gentlemen stole data from a UK software consultancy, then reused that same data during negotiations with a company in Turkey. The group portrayed the UK firm as an "access broker", while simultaneously providing "proof" to the Turkish victim that the intrusion originated from the UK side. The attackers encouraged the Turkish company to pursue legal action against the consultancy, thereby shifting blame and increasing coercion.

This tactic exemplifies a sophisticated psychological and operational strategy, weaponizing data from one victim to pressure another. It also blurs the lines between direct extortion and third‑party liability, making it harder for victims to respond.

Conclusion

The leak of The Gentlemen's internal database offers an unprecedented look into a modern RaaS operation. It reveals a tightly managed affiliate program with clear roles, advanced technical capabilities, and a flexible negotiation approach. The exposure of the admin's active involvement in infections, alongside the creative use of cross‑victim data coercion, paints a picture of a group that is both technically adept and strategically cunning. As ransomware continues to evolve, such insights are crucial for defenders to anticipate and counter emerging threats.
