A month after Check Point pried open The Gentlemen’s leaked backend infrastructure, the question that piece left hanging — who actually runs this thing? — now has a proposed answer. In a June 10 investigation, Brian Krebs identifies the alleged operator of one of 2026’s fastest-rising ransomware operations as a 36-year-old marketing professional from the Russian republic of Udmurtia.
His name, per Krebs: Alexander Andreevich Yapaev, of Izhevsk, Russia, allegedly the man behind the cybercrime persona Hastalamuerte.
From a payment dispute to a 90/10 empire
The Gentlemen surfaced in mid-2025 and wasted no time. Krebs reports the group is now the second most active ransomware operation by victim count this year, claiming at least 332 published victims since its inception and more than 240 in 2026 alone. (Other trackers running broader or later tallies cite even higher figures — The Hacker News counted 478 victims across 66 countries by mid-June — so the precise number depends on which leak-site snapshot you use. The 332/240 figures are Krebs’.)
Part of the explanation for that velocity is economic. Where most ransomware-as-a-service programs hand affiliates an 80% cut and keep 20% for the operator, The Gentlemen flipped the math: affiliates keep 90%, and the administrator takes just 10%. Krebs notes that split “is accelerating the group’s growth by attracting experienced operators from competing programs.” In a saturated RaaS market, undercutting your rivals on the affiliate split is a recruiting weapon, and it is working.
Independent researchers — Silent Push and Group-IB among them — trace the group’s lineage back further, to a high-volume Qilin affiliate crew known as ArmCorp that Hastalamuerte allegedly ran before a commission dispute (a reported ~$48,000 in unpaid earnings, aired on the RAMP forum in July 2025) prompted a split and the launch of an independent brand. That origin story is researcher attribution, not part of the Krebs piece — worth keeping the sourcing straight — but it fits the pattern of a skilled affiliate deciding he would rather keep the operator’s cut himself.
The breadcrumbs that led to a name
Krebs’ attribution rests on a chain of digital breadcrumbs assembled from threat-intel data and breach databases:
- Intel 471 tracked the Hastalamuerte persona’s registrations across Exploit, BreachForums, RaidForums, and Nulled back to Izhevsk IP addresses, dating to 2019.
- A ProtonMail address tied to the persona links, via OSINT tooling, to an Apple account and a phone number.
- A GitHub account associated with malware development connects to the same identity cluster.
- A Telegram account links to a Russian phone number that appears under Yapaev’s name in leaked Russian government databases.
- A LinkedIn profile for Yapaev lists him as a B2B marketing lead at a regional energy firm — the daytime cover for the alleged nighttime enterprise.
Yapaev did not respond to Krebs’ requests for comment. As with all such attributions, this is investigative reporting built on circumstantial linkage rather than an indictment — but the convergence of forum history, leaked-database records, and self-published profiles is the kind of evidence chain that has preceded more than one real-world arrest.
One detail in Krebs’ reporting lands squarely in 2026’s defining theme: the operator is said to lean on AI to help develop and maintain the ransomware and tooling, and to assist with post-exploitation. The Gentlemen’s locker is a Go-based, cross-platform binary; Microsoft tracks the actor as Storm-2697 and has documented a --spread mode that turns the encryptor into a self-propagating worm.
Still scaling, no badge in sight
The group has not slowed down. In the days around mid-June, its leak site churned through roughly 15 new victims in a 24-hour window, spanning manufacturing, technology, and healthcare across Malaysia, the U.S., Japan, Germany, and Brazil — only a small fraction of them American. A U.S. commercial real-estate REIT, Highwoods Properties, surfaced as a fresh Gentlemen victim on June 12 via breach trackers, though it had not been corroborated in press reporting at the time of writing.
Notably absent from the story: any sign of law enforcement. There is no public indictment, sanction, or takedown action against The Gentlemen or against Yapaev — only a journalist’s name-and-shame and a pile of researcher data. Whether that gap closes is the open question. The 2026 pattern, from BlackCat guilty pleas to the DOJ’s Disruption Week takedown, is that attribution increasingly precedes arrest. The Gentlemen’s operator may want to enjoy that 10% while it lasts.



