Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak

THREAT INTELLIGENCE CYBER RISK VULNERABILITIES & THREATS CYBERSECURITY OPERATIONS NEWS Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak An OPSEC failure provides a window into what helped the ransomware group rise: a generous affiliate model, opportunistic TTPs, and an effective organizational structure. Nate Nelson,Contributing Writer May 13, 2026 4 Min Read SOURCE: GUY CORBISHLEY VIA ALAMY STOCK PHOTO One of the world's most prolific ransomware operations has itself been breached, offering unique insight into its inner workings. In only the first five months of 2026, the Russian cybercriminal gang that calls itself "The Gentlemen" has published sensitive data belonging to around 332 different organizations. It has compromised many more organizations than that, surely, as its leak site does not include victims that pay their ransoms. According to Check Point Research, these numbers have made The Gentlemen the second most productive ransomware group on the planet this year, just short of Qilin. On or just before May 4, The Gentlemen got a taste of its own medicine when an anonymous group compromised its internal back-end database. Those hackers are now selling just over 16GB of The Gentlemen's internal communications, tooling, and other data for $10,000 in Bitcoin. "It is a reputational hit, but we do not expect it to significantly disrupt their operations or reduce their effectiveness," says Eli Smadja, Check Point's group manager for product R&D. Still, even the 44MB of stolen data the anonymous hackers leaked to prove the veracity of the rest of it has proven interesting. Check Point Research analyzed the sample, gaining new insight into The Gentlemen's operational structure, its tactics, techniques, and procedures (TTPs), and some of its quirks. Related:From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber How The Gentlemen Operate The head Gentleman goes by "zeta88" online. Zeta88 builds and maintains the group's locker malware, curates the tooling around it, runs all of the infrastructure, and more. They also select targets, assigns two or three fellow Gentlemen to attack those targets, and manage negotiations and payouts. Zeta88's operations guys are "qbit" and "quant." Qbit specializes in scanning for vulnerable edge devices, performing reconnaissance, and establishing persistence in targeted environments, and quant specializes in gaining access via logs and credentials. A tertiary group of seven grunts includes red teamers, an access broker, and even an advertising specialist. Though not evidenced in the leaked sample, presumably, some number of affiliates orbits around this circle of 10. Forcing a bunch of cybercriminals into a corporate pyramid might not sound like a bright idea, but the power structure is balanced by a generous payment model for lower-level collaborators. Every time The Gentlemen extorts a payment out of a victim, zeta88 enjoys 10% of it, but the other hackers involved get to split the other 90%. Related:Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability Smadja also attributes the group's success to its tight organizational structure. "The clear division of responsibilities within the group also plays a major role. Much like any well-run organization, having defined roles and workflows translates directly into higher productivity and, in their case, a higher volume of successful breaches," he says. Besides its tight ship, he adds, "One of the group's key strengths is the hands-on involvement of the main administrator, who came up as an affiliate and understands the operation from the ground up. Having the main RaaS administrator come from an affiliate background gave them a significant head start, helping them reach the top tier in a remarkably short period of time." What Else You Should Know About The Gentlemen The Gentlemen takes advantage of critical, known vulnerabilities and exploitation techniques to get into targeted systems and pair them with almost 30 different tools to support its locker. It uses a variety of scanners and VPNs, tools for gaining remote access to systems, and several techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic. Check Point describes the toolset as "fairly mature," if not particularly unique. Related:Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error Members have toyed with more cutting-edge ideas, like developing an in-house large language model (LLM)-based program for some vague malicious purposes. They've already used LLMs to assist with code development, but while their dreams are bigger, the practical limitations of current artificial intelligence (AI) technology have gotten in the way. After reporting that they vibe-coded an admin panel in three days, zeta88 warned that "you have to understand everything and think like crazy even with [neural networks], because they're all dumb (even if smart)." The Gents also keeps up with its colleagues in the ransomware business, gossiping about them (Dragon Force: cool; Chaos: meh) but also learning from them. In one leaked chat foreshadowing its own future, the gang discussed ways to benefit from last year's Black Basta leak. Their greatest interest was in their colleagues' approach to code signing. Smadja thinks it unlikely that The Gentlemen's own breach would much edify other hackers. "What they have built is the product of experience, and nothing disclosed in the leak reveals a secret formula or unique technical advantage," he says. "It is possible the leak could inspire other affiliates to spin up their own RaaS operations, but given that some established groups already offer a 90/10 payout split, building your own operation is not an obviously attractive proposition for most." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars You May Also Like THREAT INTELLIGENCE Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish by Jai Vijayan MAR 17, 2026 THREAT INTELLIGENCE Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi MAR 06, 2026 THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Chinese Gov't Fronts Trick the West to Obtain Cyber Tech by Nate Nelson, Contributing Writer OCT 06, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS