Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsСloud SecurityLatAm Vibe Hackers Generate Custom Hacking Tools on the FlyLatAm Vibe Hackers Generate Custom Hacking Tools on the FlybyAlexander CulafiMay 13, 20265 Min ReadApplication SecurityIt's Patch Tuesday for Microsoft & Not a Zero-Day In SightIt's Patch Tuesday for Microsoft & Not a Zero-Day In SightbyJai VijayanMay 12, 20265 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryThreat IntelligenceCyber RiskVulnerabilities & ThreatsCybersecurity OperationsNewsTables Turn on 'The Gentlemen' RaaS Gang With Data LeakAn OPSEC failure provides a window into what helped the ransomware group rise: a generous affiliate model, opportunistic TTPs, and an effective organizational structure.Nate Nelson,Contributing WriterMay 13, 20264 Min ReadSource: Guy Corbishley via Alamy Stock PhotoOne of the world's most prolific ransomware operations has itself been breached, offering unique insight into its inner workings.In only the first five months of 2026, the Russian cybercriminal gang that calls itself "The Gentlemen" has published sensitive data belonging to around 332 different organizations. It has compromised many more organizations than that, surely, as its leak site does not include victims that pay their ransoms. According to Check Point Research, these numbers have made The Gentlemen the second most productive ransomware group on the planet this year, just short of Qilin.On or just before May 4, The Gentlemen got a taste of its own medicine when an anonymous group compromised its internal back-end database. Those hackers are now selling just over 16GB of The Gentlemen's internal communications, tooling, and other data for $10,000 in Bitcoin."It is a reputational hit, but we do not expect it to significantly disrupt their operations or reduce their effectiveness," says Eli Smadja, Check Point's group manager for product R&D. Still, even the 44MB of stolen data the anonymous hackers leaked to prove the veracity of the rest of it has proven interesting. Check Point Research analyzed the sample, gaining new insight into The Gentlemen's operational structure, its tactics, techniques, and procedures (TTPs), and some of its quirks.Related:From Stuxnet to ChatGPT: 20 News Events That Shaped CyberHow The Gentlemen OperateThe head Gentleman goes by "zeta88" online. Zeta88 builds and maintains the group's locker malware, curates the tooling around it, runs all of the infrastructure, and more. They also select targets, assigns two or three fellow Gentlemen to attack those targets, and manage negotiations and payouts.Zeta88's operations guys are "qbit" and "quant." Qbit specializes in scanning for vulnerable edge devices, performing reconnaissance, and establishing persistence in targeted environments, and quant specializes in gaining access via logs and credentials. A tertiary group of seven grunts includes red teamers, an access broker, and even an advertising specialist. Though not evidenced in the leaked sample, presumably, some number of affiliates orbits around this circle of 10.Forcing a bunch of cybercriminals into a corporate pyramid might not sound like a bright idea, but the power structure is balanced by a generous payment model for lower-level collaborators. Every time The Gentlemen extorts a payment out of a victim, zeta88 enjoys 10% of it, but the other hackers involved get to split the other 90%.Related:Exploit Cyber-Frenzy Threatens Millions via Critical cPanel VulnerabilitySmadja also attributes the group's success to its tight organizational structure. "The clear division of responsibilities within the group also plays a major role. Much like any well-run organization, having defined roles and workflows translates directly into higher productivity and, in their case, a higher volume of successful breaches," he says.Besides its tight ship, he adds, "One of the group's key strengths is the hands-on involvement of the main administrator, who came up as an affiliate and understands the operation from the ground up. Having the main RaaS administrator come from an affiliate background gave them a significant head start, helping them reach the top tier in a remarkably short period of time."What Else You Should Know About The GentlemenThe Gentlemen takes advantage of critical, known vulnerabilities and exploitation techniques to get into targeted systems and pair them with almost 30 different tools to support its locker. It uses a variety of scanners and VPNs, tools for gaining remote access to systems, and several techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic. Check Point describes the toolset as "fairly mature," if not particularly unique.Related:Vect 2.0 Ransomware Acts as Wiper, Thanks to Design ErrorMembers have toyed with more cutting-edge ideas, like developing an in-house large language model (LLM)-based program for some vague malicious purposes. They've already used LLMs to assist with code development, but while their dreams are bigger, the practical limitations of current artificial intelligence (AI) technology have gotten in the way. After reporting that they vibe-coded an admin panel in three days, zeta88 warned that "you have to understand everything and think like crazy even with [neural networks], because they're all dumb (even if smart)."The Gents also keeps up with its colleagues in the ransomware business, gossiping about them (Dragon Force: cool; Chaos: meh) but also learning from them. In one leaked chat foreshadowing its own future, the gang discussed ways to benefit from last year's Black Basta leak. Their greatest interest was in their colleagues' approach to code signing.Smadja thinks it unlikely that The Gentlemen's own breach would much edify other hackers. "What they have built is the product of experience, and nothing disclosed in the leak reveals a secret formula or unique technical advantage," he says. "It is possible the leak could inspire other affiliates to spin up their own RaaS operations, but given that some established groups already offer a 90/10 payout split, building your own operation is not an obviously attractive proposition for most."About the AuthorNate NelsonContributing WriterNate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.See more from Nate NelsonWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security Management2025 State of MalwareAccess More ResearchWebinarsWhat is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?Your Guide to Securing AI Adoption in Your OrganizationThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspacePrompt Injection Is Just the Start: Securing LLMs in AI SystemsAnatomy of a Data Breach: What to Do if it Happens to YouMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsYour Guide to Securing AI Adoption in Your OrganizationTues, June 9, 2026 at 1pm ESTWhat is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization?Wed, June 3, 2026 at 1pm ESTThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspaceWed, June 24,2026 at 1pm ESTPrompt Injection Is Just the Start: Securing LLMs in AI SystemsTues, May 26, 2026, at 1pm ESTAnatomy of a Data Breach: What to Do if it Happens to YouJune 18th, 2026 | 11:00am -5:00pm ET | Doors Open at 10:30am ETMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.GET YOUR PASSDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of UseYour Privacy Choices

An operational security failure within the ransomware group known as The Gentlemen provided significant insight into the factors that contributed to its rise, specifically detailing the generous affiliate payment model, the use of opportunistic tactics, and an effective organizational structure (Nelson). In the first five months of 2026, this organization leaked sensitive data belonging to approximately 332 distinct organizations, making The Gentlemen the second most productive ransomware group globally, second only to Qilin, according to Check Point Research. Furthermore, an anonymous group successfully compromised The Gentlemen’s internal backend database, obtaining over 16 gigabytes of internal communications, tooling, and other data, which they subsequently sold for $10,000 in Bitcoin.

Eli Smadja, group manager for product R&D at Check Point, indicated that while the data leak was a reputational setback, it is unlikely to materially impact the group's ongoing operations or effectiveness. However, the 44 megabytes of data that were leaked served to provide new insights into The Gentlemen’s operational structure, their tactics, techniques, and procedures (TTPs), and internal dynamics. The organizational effectiveness of the group is attributed to a clear division of responsibilities and workflows, which translates directly into higher productivity, allowing them to execute a greater volume of successful breaches. Smadja also noted that the primary administrator's background as an affiliate provided a significant advantage, giving the group a head start in achieving top-tier status rapidly.

The structure of The Gentlemen is centrally managed by an individual known online as zeta88, who is responsible for building and maintaining the locker malware, curating the necessary tooling, managing the infrastructure, selecting targets, coordinating fellow members for attacks, and handling negotiations and payouts. This central authority delegates specialized roles to subordinates, including qbit, who focuses on scanning for vulnerable edge devices and establishing persistence, and quant, who specializes in gaining access through logs and credentials. The remaining structure includes a tertiary group of seven grunts comprising red teamers, access brokers, and an advertising specialist, suggesting a larger network orbiting the core team. This hierarchical arrangement is supported by a payment model where zeta88 retains ten percent of any extortion payment, while the other hackers receive the remaining ninety percent, balancing the power structure through generous compensation for lower-level collaborators.

Operationally, The Gentlemen exploit known vulnerabilities and employ nearly thirty different tools to support their ransomware. Their toolkit includes various scanners, VPNs for remote access, and techniques for evading endpoint detection and response (EDR) and antivirus systems, such as the deployment of bring-your-own-vulnerable-driver tactics. While Check Point describes this toolset as fairly mature, the specific techniques used were not entirely unique. The group also engaged in experimentation with large language models for malicious purposes, though they acknowledged the practical limitations of current artificial intelligence technology. Despite this, the group actively learns from other actors, discussing approaches to code signing and other aspects of the ransomware business, indicating a commitment to continuous learning within the cybercriminal ecosystem. Although the leaked material did not reveal a unique technical advantage, it could potentially inspire other affiliates to establish their own Ransomware-as-a-Service (RaaS) operations, although current established payout structures suggest that starting a new operation is not an obviously attractive proposition for most potential recruits.