Inside The Gentlemen RaaS: Database Leak Reveals Affiliate Operations
The Gentlemen RaaS (ransomware-as-a-service) operation has become one of the most prolific threats in the cybercrime landscape. A recent database leak has exposed internal workings, affiliate roles, and negotiation tactics, offering an unprecedented glimpse into its operations.
Introduction to The Gentlemen RaaS
Emerging around mid-2025, The Gentlemen markets its ransomware platform on underground forums, inviting penetration testers and skilled hackers to join as affiliates. By early 2026, the group had published approximately 332 victims on its data leak site (DLS) within the first five months—making it the second most active RaaS program during that period among those that publicly list victims.

In a previous analysis, Check Point Research studied an affiliate infection that used SystemBC malware, revealing a command-and-control server tied to over 1,570 victims. This new leak shifts focus to the affiliate program itself.
The Database Leak
On May 4, 2026, The Gentlemen’s administrator acknowledged on underground forums that an internal backend database called Rocket had been exposed. Check Point Research obtained what appears to be a partial leak containing operational data about infrastructure, affiliates, and victims.
The leak exposed 9 accounts, including the administrator's handle zeta88 (also known as hastalamuerte). This individual manages the infrastructure, builds the locker and RaaS panel, handles payouts, and effectively runs the entire program.
Internal Operations and Tools
The leaked internal discussions provide a rare end-to-end view of the operation. They detail:
- Initial access vectors: Fortinet and Cisco edge appliances, NTLM relay attacks, and OWA/M365 credential logs.
- Role division: Clear separation of responsibilities among affiliates, access brokers, and the administrator.
- Shared toolset: Standardized malware and scripts used across campaigns.
- CVE tracking: Active monitoring of vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
This reveals a mature and organized criminal enterprise that adapts quickly to new exploits.
Ransom Negotiation and Dual-Pressure Tactics
Leaked screenshots from ransom negotiations show a successful case where the group received 190,000 USD, starting from an initial demand of 250,000 USD. The negotiations demonstrate a calculated approach to maximize payments.

Further chats reveal a sophisticated dual-pressure tactic: stolen data from a UK software consultancy was reused to attack a company in Turkey. During negotiations, The Gentlemen portrayed the UK firm as an access broker, offering “proof” to the Turkish company that the intrusion originated from the UK side. They even encouraged the victim to pursue legal action against the consultancy, creating additional leverage.
Affiliate Network and Administrator Role
By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator’s own TOX ID. This suggests that the admin not only runs the RaaS program but also actively participates in, or directly carries out, some infections.
The affiliate network is built around mutual trust and technical skill, with the administrator providing the locker, panel, and payout infrastructure. Affiliates handle initial access and deployment, while the admin coordinates the broader strategy.
Conclusion
The Gentlemen RaaS database leak exposes a well-organized cybercrime operation with a clear hierarchy, advanced tooling, and aggressive negotiation tactics. The group’s high victim count—332 published victims in early 2026—underscores its threat level. This incident highlights the value of monitoring underground forums and the importance of proactive defenses against ransomware-as-a-service ecosystems.
For further reading, see our analysis of the SystemBC affiliate infection and the database leak details.