The Gentlemen, the #2 most active ransomware-as-a-service operation globally in 2026, had their infrastructure turned against them on May 4 when their internal backend database was breached and leaked. Check Point Research obtained a portion of the archive before it was removed — 8,200+ lines of internal communications, organizational rosters, ransom negotiation transcripts, infected-system screenshots, and tooling discussions. The data has been shared with law enforcement. An investigation is ongoing.

The group’s administrator acknowledged the breach on underground forums the same day, attributing the leak to a compromise of 4VPS, the hosting provider they used to run their RaaS panel infrastructure. For a group that has spent 2026 methodically targeting hospitals, energy companies, and government agencies across 50+ countries, the irony is complete: the hackers got hacked, and everything they were hiding is now in the hands of the researchers and agencies hunting them.

Who The Gentlemen Are

The Gentlemen emerged in 2025 and scaled faster than almost any RaaS operation in recent memory. By the end of Q1 2026, they had 320+ publicly listed victims spanning more than 20 industries, among them manufacturing, healthcare, construction, energy, government, and insurance. They are the second-most productive RaaS operation by victim count, and they are accelerating.

The group’s competitive advantage in the affiliate recruitment market is straightforward: they offer a 90/10 revenue split in favor of affiliates, compared to the 80/20 industry standard that most competing operations use. Ten percentage points is a meaningful margin in a market where experienced ransomware operators have options. The offer has attracted affiliates who previously worked for Qilin and other established operations, and has driven the group’s rapid scaling in victim count.

The administrator behind the operation uses the handles zeta88 and hastalamuerte — assessed by Check Point to be the same individual. He built the entire RaaS admin panel in three days using AI coding assistants. He also works attacks personally rather than delegating entirely to affiliates, which is unusual at this level of operation scale. The rest of the core team consists of roughly nine named operators coordinating through at least eight distinct affiliate TOX IDs.

What the Leak Contains

The leaked archive is not a credential dump or a configuration file. It is the operational interior of a running ransomware organization: internal chat logs between operators and affiliates, timestamped negotiation transcripts showing how ransom demands are set and adjusted, organizational documents identifying roles and responsibilities within the group, and screenshots of compromised victim systems taken during active attacks.

The 8,200+ lines of material provide something threat researchers rarely obtain: a longitudinal record of how a modern RaaS operation makes decisions in real time. Ransom demand calculation, victim profiling, affiliate management, payment processing, and the internal debates around whether to publish victim data or continue negotiating — all of it documented in the operators’ own words.

Check Point Research secured a portion of this data before it was pulled from public access and published their analysis. The full archive’s current location, and whether it circulated further in criminal markets before removal, are not confirmed.

How They Get In

The Gentlemen’s preferred initial access methods, documented in the leaked data and corroborated by external incident response analysis, center on VPN and network appliance exploitation. The group has specifically targeted CVE-2024-55591 (a critical authentication bypass in Fortinet FortiOS) and CVE-2025-32433 (a remote code execution vulnerability in Erlang/OTP SSH). Both are high-severity vulnerabilities with publicly available proof-of-concept exploit code, which means the barrier to exploitation is low for any affiliate with basic technical competence.

Where direct exploitation isn’t the path in, The Gentlemen buy access. They are active purchasers on initial access broker markets and source credentials from infostealer log markets — the same underground marketplaces where stolen session tokens, VPN credentials, and corporate login data are sold in bulk. The combination gives affiliates multiple entry paths to the same target and reduces dependence on any single vulnerability.

The Supply Chain Move

The most tactically sophisticated operation documented in the leaked data is a supply chain pivot executed in April 2026. The Gentlemen first compromised a UK software consultancy, exfiltrating client infrastructure documentation, internal project files, and credentials the firm held for its customers. They then used that material — specifically, a migration document written in Turkish describing work the UK firm had performed for one of its clients — to infiltrate the Turkish client organization directly.

Both companies were subsequently published on The Gentlemen’s data leak site. The UK firm was listed not merely as a victim but explicitly as the “access broker” for the Turkish attack — a pressure tactic designed to encourage the Turkish company to pursue legal action against its British technology partner. The UK consultancy publicly stated that only “routine business data” had been accessed. The leaked chats tell a different story.

The tactic is notable for its psychological dimension. Publishing a managed service provider or consultancy as the named vector for a downstream attack weaponizes the victim’s own client relationships. The threat of litigation from a client that lost data through your infrastructure is a separate lever from the ransomware demand itself — and one that doesn’t require any additional technical capability to pull.

The Intelligence Value

For law enforcement and threat researchers, the May 4 leak is the most significant operational exposure of a currently active ransomware group since the Conti leaks of 2022, which similarly exposed internal chat logs and organizational structure and led to the group’s eventual dissolution. The parallel is imperfect — Conti was larger, more established, and the leak came from an ideologically motivated internal source rather than an external infrastructure breach. But the category of intelligence is the same: real-time operational data that identifies people, processes, and relationships that cannot be obtained through external observation alone.

Check Point’s decision to share the data with law enforcement rather than simply publish findings is the operationally significant choice here. Published threat intelligence informs defenders. Intelligence shared with law enforcement under proper handling can produce arrests, infrastructure seizures, and disruption operations. The group’s administrator and core operators are now known individuals with documented behavioral patterns, communication habits, and technical preferences. That is an actionable target package.

Whether law enforcement moves before The Gentlemen reconfigure their infrastructure and rebrand — the standard playbook after a major operational exposure — will determine whether the leak translates into accountability or merely into a temporary disruption. The Conti precedent is not encouraging on that front. But the intelligence exists, it is in the right hands, and the window is open.

What Organizations Should Do Now

The Gentlemen’s victim profile skews toward mid-market organizations in manufacturing, healthcare, and professional services: sectors with sensitive data, operational dependence on IT infrastructure, and a history of underinvestment in security. The group’s entry vectors are well documented and patchable.

CVE-2024-55591 (Fortinet FortiOS authentication bypass) and CVE-2025-32433 (Erlang/OTP SSH RCE) should be patched immediately if not already. Both have been in active exploitation for months and have no legitimate reason to remain unpatched in any production environment.

Organizations using managed service providers or software consultancies should treat their vendors’ access as an extension of their own attack surface. The UK-to-Turkey supply chain pivot demonstrates that The Gentlemen actively mine MSP access for downstream targets. Credential hygiene for third-party integrations, MFA enforcement on all external-facing access, and periodic review of what credentials your technology partners hold against your infrastructure are not optional controls at this point.

The leak gives defenders something rare: a confirmed, detailed picture of how a top-tier ransomware group actually operates. Organizations that read the Check Point research and act on the TTPs documented there are meaningfully harder to hit than those that don’t.


Sources

  • Check Point Research: Thus Spoke… The Gentlemen (May 2026)
  • Check Point Blog: When the Ransomware Gang Gets Hacked: What the Gentlemen Leak Reveals About Modern Ransomware Risk
  • SC Media: The Gentlemen ransomware gang’s inner workings leaked
  • Infosecurity Magazine: The Gentlemen Ransomware Expands With Rapid Affiliate Growth
  • Industrial Cyber: ASEC warns of expanding Gentlemen ransomware campaigns hitting manufacturing and healthcare

Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community.