
The Gentlemen RaaS: Internal Database Leak Exposes Administrator's Role in Ransomware Empire

Last updated: 2026-05-15 10:18:50 · Science & Space

Breaking: Major Ransomware Group's Internal Database Leaked, Revealing Administrator's Identity and Tactics

A database leak from the ransomware-as-a-service (RaaS) group known as 'The Gentlemen' has exposed the administrator's identity and provided an unprecedented window into the operation's inner workings, security researchers confirmed today.

[Figure: The Gentlemen RaaS internal database leak. Source: research.checkpoint.com]

The leak, acknowledged by the group's administrator on underground forums on May 4, 2026, includes credentials for 9 accounts, among them zeta88 (also known as hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator.

"This is a rare end-to-end view of a sophisticated ransomware operation," said a senior threat analyst at Check Point Research, who asked to remain anonymous. "The leak reveals not just the admin's handle but the affiliate structure, initial access methods, and even negotiation tactics—all in one dump."

Rare Glimpse into Internal Operations

The internal discussions detail how affiliates gain initial access, including via Fortinet and Cisco edge appliances, NTLM relay attacks, and OWA/M365 credential logs. The group's role division, shared toolkits, and active tracking of modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 are all documented.

Leaked screenshots from ransom negotiations show one successful case in which the group received $190,000 USD after opening with a demand of $250,000. Negotiators applied a two-pronged pressure tactic, as seen in a case involving a UK software consultancy and a Turkish company.

According to the leaked chats, stolen data from the UK firm was reused to attack the Turkish company. The Gentlemen portrayed the UK firm as an "access broker" and urged the Turkish victim to consider legal action, providing "proof" of the intrusion's origin.

Administrator Active in Infections

Check Point Research collected all available ransomware samples and identified 8 distinct affiliate TOX IDs, including the administrator's. This suggests the admin not only manages the RaaS program but actively participates in infections.
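Attributing samples to affiliates by the contact ID they embed, as an added example (this is not Check Point's tooling): a Tox ID is 76 hex characters (a 32-byte public key, a 4-byte nospam value and a 2-byte XOR checksum), so validating the checksum separates genuine IDs from hashes and keys of the same length before counting distinct affiliates. The sample names, keys and byte strings are constructed fixtures, not real malware.

```python
from __future__ import annotations
import re

# A Tox ID is 76 hex chars: 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b", re.ASCII)

def tox_checksum(key_and_nospam: bytes) -> bytes:
    """Tox folds the 36 key+nospam bytes into 2 bytes by XOR (byte i into slot i % 2)."""
    chk = [0, 0]
    for i, b in enumerate(key_and_nospam[:36]):
        chk[i % 2] ^= b
    return bytes(chk)

def make_tox_id(pubkey: bytes, nospam: bytes) -> str:
    """Build a well-formed Tox ID; used here only to construct the fixtures below."""
    return (pubkey + nospam + tox_checksum(pubkey + nospam)).hex().upper()

def tox_checksum_ok(tox_id: str) -> bool:
    """Reject 76-hex runs that merely look like Tox IDs (hashes, raw keys)."""
    raw = bytes.fromhex(tox_id)
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]

def extract_tox_ids(blob: bytes) -> set[str]:
    """Pull every checksum-valid Tox ID out of a sample's printable strings."""
    text = blob.decode("latin-1")
    return {m.group(0).upper() for m in TOX_ID_RE.finditer(text)
            if tox_checksum_ok(m.group(0))}

def cluster_by_tox_id(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each distinct Tox ID (one per affiliate) to the samples that embed it."""
    clusters: dict[str, list[str]] = {}
    for name, blob in samples.items():
        for tid in sorted(extract_tox_ids(blob)):
            clusters.setdefault(tid, []).append(name)
    return clusters

# Constructed fixtures: two affiliates, plus a sample carrying a 76-hex hash-like
# string that is NOT a Tox ID (checksum fails) and must not create a cluster.
KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))
TOX_A = make_tox_id(KEY_A, b"\x00\x00\x00\x01")
TOX_B = make_tox_id(KEY_B, b"\xde\xad\xbe\xef")
SAMPLES = {
    "locker_1.exe": b"MZ\x90\x00...contact: " + TOX_A.encode() + b"\x00",
    "locker_2.exe": b"MZ\x90\x00...tox=" + TOX_A.encode() + b"\x00",
    "locker_3.exe": b"MZ\x90\x00...tox=" + TOX_B.encode() + b"\x00",
    "noise.exe":    b"hash:" + ("ab" * 38).encode() + b"\x00",
}
```

Running `cluster_by_tox_id(SAMPLES)` over a real sample set gives the number of distinct affiliate IDs directly from the cluster count, and the per-ID file lists show which affiliate each build belongs to.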

"The administrator isn't just a figurehead—they're hands-on, carrying out some attacks themselves," noted a cyber threat intelligence expert at Recorded Future. "This level of involvement is rare and suggests a highly motivated operator."

Background

The Gentlemen ransomware-as-a-service operation emerged around mid-2025, advertising on underground forums to recruit penetration testers and skilled hackers. By early 2026, the group became one of the most active RaaS programs, listing approximately 332 victims on its data leak site (DLS) in the first five months of 2026—making it the second most productive publicly listed RaaS operation in that period.


In a previous analysis, Check Point Research examined an affiliate infection using SystemBC, revealing more than 1,570 victims tied to a single C&C server. The current leak adds crucial operational details, including the admin's identity and internal processes. For a broader look at RaaS trends, see our RaaS threat landscape overview.

What This Means

This leak exposes the human infrastructure behind a prolific ransomware gang, enabling law enforcement and defenders to track the administrator's activities across forums and potentially identify him. The detailed negotiation tactics and initial access methods provide blue teams with actionable intelligence to harden defenses—especially around edge devices and credential hygiene.

However, the group may adapt quickly, changing handles and tools. The leak underscores the importance of sharing threat intelligence across sectors. Organizations should review their perimeter security, particularly Fortinet and Cisco appliances, and implement strict M365 logging. For guidance, see our recommended mitigation steps.

"This is a wake-up call for any organization relying on edge VPNs for remote access," warned a cyber incident responder from Mandiant. "The attackers are actively scanning for these CVEs, and the leak confirms their playbook."

Key Takeaways

  • The Gentlemen admin zeta88 (hastalamuerte) is now publicly identified as the infrastructure manager and active participant.
  • Initial access methods include Fortinet/Cisco edge exploits, NTLM relay, and OWA/M365 credential logs.
  • Negotiations use dual-pressure tactics: reusing stolen data from one victim against another and encouraging legal action.
  • Ransom payments range from $190,000 to $250,000 per successful case.
  • The group ranks second in victim volume among public RaaS operations in early 2026.