CyberXtron
The Gentlemen Ransomware Leak Breakdown-From Attackers to Victims
#CyberXtron#TheGentlemen#RaaS#Leaks


Executive Summary 

In May 2026, The Gentlemen RaaS operation experienced an internal compromise likely linked to third-party hosting infrastructure, resulting in unauthorized access to backend systems and exfiltration of operational data. The leaked dataset exposed credential artifacts, Rocket.Chat communications, ransom negotiation records, and internal tooling discussions, providing direct visibility into the group’s attack workflows, infrastructure dependencies, and execution model. 

Analysis of the data indicates a credential-driven intrusion strategy leveraging exposed services, Active Directory abuse, and domain-wide deployment via GPO, alongside evaluation of vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Despite confirmed data exposure and monetization, the group maintained operational continuity, acknowledged the breach, and continued affiliate-driven activity, highlighting both the resilience and structural maturity of its RaaS model. 

Key Insight 

  • Backend compromise → credential and internal data exposure  
  • Evidence of Active Directory abuse and GPO-based ransomware deployment  
  • Use of NTLM relay and credential-driven lateral movement  
  • Active tracking of Fortinet, SSH, and NTLM-related vulnerabilities  
  • RaaS model remained operational despite breach  
  • Continued affiliate-driven activity and ecosystem presence 

Threat Actor Profile:

The Gentlemen is a ransomware-as-a-service (RaaS) group that emerged around February 2025 and has since grown into a globally active threat actor with a consistent operational presence. As of 2026, the group has publicly listed more than 430 victims, reflecting sustained activity and a broad targeting scope. It operates a scalable affiliate-driven model, offering affiliates up to 90% of ransom payments, which has contributed significantly to its growth and continued presence within the ransomware ecosystem. 

The Gentlemen utilizes a custom-developed Go-based ransomware locker capable of targeting Windows, Linux, NAS, and BSD systems, indicating a strong focus on enterprise and cross-platform environments. Its operations span more than 70 countries, with primary targeting observed in sectors such as manufacturing, technology, business services, healthcare, and consumer services. The group leverages a diverse tooling ecosystem for reconnaissance, credential access, lateral movement, and data exfiltration, along with TOR-based command-and-control infrastructure, reflecting a structured and repeatable attack model designed for high-volume ransomware campaigns. 

For more details visit: CyberXtron The Gentlemen blog 

Operational Characteristics: 

The Gentlemen operates a structured ransomware-as-a-service (RaaS) model designed for speed, scalability, and cross-platform impact. Its operations leverage automation, credential-driven access, and domain-wide deployment techniques to execute attacks efficiently. The following diagram outlines its core operational characteristics and end-to-end attack lifecycle. 

Internal Leak Overview: The Gentlemen RaaS 

Infrastructure Exposure and Entry Point 

In early May 2026, an incident involving the hosting provider 4VPS appears to have played a key role in exposing parts of The Gentlemen’s backend environment. The provider reported a compromise affecting its web-facing components, specifically through a proxy-related attack. While 4VPS stated that core systems and customer data remained unaffected, the context changes when considering its known use within underground infrastructure. 

Based on available evidence, segments of The Gentlemen’s infrastructure were hosted on this platform. During the compromise, attackers are believed to have gained access to credentials associated with NAS storage systems. This likely provided indirect access into internal resources used by the group, creating the conditions for a broader data exposure. 

Leak Monetization and Public Exposure: 

Shortly after the suspected compromise, the situation escalated when, on May 5, 2026, an actor using the alias n7778 publicly listed The Gentlemen’s data for sale on an underground forum. The dataset was priced at $10,000 in Bitcoin, with sample files provided to validate authenticity and demonstrate access to internal systems. 

The full dataset being offered is estimated at approximately 16.22 GB, containing internal communications, tooling references, and operational data. However, only a small subset (~44.4 MB) has been publicly released as proof, which was sufficient to validate the breach and provide insight into the group’s internal structure and activity. 

What Was Exposed in the Leak 

The leaked dataset offers a detailed view into how the operation actually runs behind the scenes, exposing both technical artifacts and the day-to-day coordination between members. 

  • System credential data 
    A shadow file from one of the group's servers was included, containing usernames and password hashes. Several internal accounts appear in it, including zeta88PRTGRSJLL and others, which confirms that the intruders reached system-level authentication data.  
  • Internal communications 
    Chat logs from Rocket.Chat channels such as generalINFOPODBOR and TOOLS show how operators and affiliates coordinate in real time. These conversations cover ongoing intrusions, tool sharing, infrastructure discussions, and target assignment. 
  • Ransom negotiations 
    The leak also contains actual negotiation records, giving insight into how the group handles payments. In one case an initial demand was eventually settled after back-and-forth with the victim, showing a structured but flexible negotiation approach.  
  • Tooling and attack strategy 
    Discussions reveal how the group approaches exploitation, including targeting Fortinet devices, Erlang SSH, and NTLM relay paths. They also track and evaluate newer vulnerabilities like:  
    • CVE-2024-55591  
    • CVE-2025-32433  
    • CVE-2025-33073  
  • Cryptocurrency usage 
    Bitcoin wallets appear throughout the data, used for handling payments, distributing funds, and covering operational costs.  
  • Cross-target (chain) attacks 
    One of the more interesting patterns is how they reuse access. In April 2026, the group compromised a UK-based consultancy and then used data from that breach—credentials, internal docs, and access details—to target a client organization in Türkiye. Both were later published on their leak site, with the UK company labeled as the “access broker,” clearly intended to increase pressure and create legal friction between the two. 

Vulnerabilities and Exploitation Insights: 

CVE-2024-55591 (FortiOS) 

The log shows validation of a target as a FortiOS management interface, followed by confirmation that it is vulnerable to CVE-2024-55591, with a note indicating progression toward exploitation.    

CVE-2025-32433 (Erlang SSH) 

A GitHub proof-of-concept for CVE-2025-32433 is shared, followed by a remark questioning its relevance, specifically whether the vulnerability applies to environments where Cisco systems use Erlang-based SSH services. This reflects evaluation rather than confirmed usage. 

CVE-2025-33073 (NTLM Relay) 

The log shows use of a scanning tool (RelayKing) to identify systems exposed to NTLM relay vulnerabilities, including checks aligned with CVE-2025-33073. It also highlights enumeration across multiple services (SMB, LDAP/LDAPS, MSSQL, HTTPS, RPC, WinRM) and the generation of target lists for follow-up exploitation using tools like ntlmrelayx. 
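The defender-side counterpart of the target list above is spotting the relayed logons once they land. The following is an added example written for this post, not code from the leak or from RelayKing or ntlmrelayx, and the asset map and 4624 records in it are constructed. It applies the classic relay signal: in a relayed NTLM logon the WorkstationName field (copied from the victim's NTLM AUTHENTICATE message) names the original client, while IpAddress is the attacker's relay host, so the two disagree; a second signal is one source IP presenting credentials for several different client identities.

```python
"""Heuristic detection of relayed NTLM authentications from Windows Security
event 4624 records.

Added example: not code from the leak or from the tools named in this post.
The asset map and the event records below are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: workstation name -> IP it is expected to authenticate from.
ASSETS = {
    "WS-FIN-07": "10.10.20.17",
    "WS-HR-02": "10.10.20.44",
    "SRV-FILE01": "10.10.30.5",
}

# Constructed 4624 records; keys follow the event's EventData field names.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "WS-FIN-07",
     "IpAddress": "10.10.20.17", "Computer": "SRV-FILE01",
     "TimeCreated": "2026-04-20T09:01:11Z"},
    # Relayed: WS-FIN-07's credentials reach SRV-FILE01 from a different IP.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "WS-FIN-07",
     "IpAddress": "10.10.99.200", "Computer": "SRV-FILE01",
     "TimeCreated": "2026-04-20T09:02:40Z"},
    # Same source IP now presents a second host's credentials to the DC.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-HR-02",
     "IpAddress": "10.10.99.200", "Computer": "DC01",
     "TimeCreated": "2026-04-20T09:03:05Z"},
    # Kerberos logon: a relay cannot produce this, so it must be ignored.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jsmith", "WorkstationName": "WS-FIN-07",
     "IpAddress": "10.10.20.17", "Computer": "DC01",
     "TimeCreated": "2026-04-20T09:04:00Z"},
]


def is_ntlm_network_logon(ev):
    """4624 / logon type 3 / NTLM: the only logons a relay can produce."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName", "").upper() == "NTLM")


def relay_candidates(events, assets):
    """Flag NTLM network logons whose claimed WorkstationName (carried in the
    NTLM AUTHENTICATE message, so it names the victim client) does not match
    the IP the TCP connection actually came from."""
    hits = []
    for ev in events:
        if not is_ntlm_network_logon(ev):
            continue
        expected_ip = assets.get(ev.get("WorkstationName", "").upper())
        if expected_ip is not None and expected_ip != ev.get("IpAddress"):
            hits.append(ev)
    return hits


def fan_out_sources(events, threshold=2):
    """Second signal: one source IP presenting NTLM credentials for several
    distinct (account, workstation) pairs, which a relay host does and an
    ordinary client does not."""
    by_ip = defaultdict(set)
    for ev in events:
        if is_ntlm_network_logon(ev):
            by_ip[ev["IpAddress"]].add((ev["TargetUserName"], ev["WorkstationName"]))
    return {ip: sorted(pairs) for ip, pairs in by_ip.items() if len(pairs) >= threshold}


if __name__ == "__main__":
    for ev in relay_candidates(EVENTS, ASSETS):
        print(f"[relay?] {ev['TimeCreated']} {ev['TargetUserName']} as "
              f"{ev['WorkstationName']} from {ev['IpAddress']} -> {ev['Computer']}")
    for ip, pairs in fan_out_sources(EVENTS).items():
        print(f"[fan-out] {ip} presented {len(pairs)} identities: {pairs}")
```

Two caveats for anyone wiring this into a SIEM: the 4624 is written on the relay target (file server, DC, MSSQL host), so collection has to cover member servers and not only domain controllers; and NAT, VPN concentrators and DHCP churn all produce the same name/IP mismatch, so the asset map needs to be current. The heuristic detects; what removes the relay paths the scan enumerated is enforcing SMB signing, LDAP signing and LDAPS channel binding on the targets.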

Organizational Structure and Operational Roles: 

From the leaked chats, the group doesn’t appear very large, but it is clearly structured. A consistent set of accounts shows up across conversations, including zeta88, qbit, quant, Wick, mAst3r, ProtagorJeLLy, Bl0ck, Kunder, and donpakto, suggesting a core team working in coordination rather than a loose affiliate network. 

At the center of this setup is zeta88 (hastalamuerte), who plays a dual role as both administrator and active operator. His responsibilities go beyond just managing the platform—he is directly involved in building and maintaining the ransomware locker, running the RaaS panel, and handling backend infrastructure. He also oversees deployment mechanisms such as GPO-based spreading and is involved in assigning targets, managing negotiations, and distributing payments. 

Ecosystem Integration: BreachForums Partnership 

By May 16, 2026, The Gentlemen were being presented as an official partner on BreachForums. This marked a clear shift from leak exposure back to operational positioning, showing that the group remained active and, at the operational level, unaffected by the incident. 

The published panel exposes key components of their RaaS offering, including cross-platform payload support (Windows, Linux, ESXi), indicating capability for both enterprise and virtualized environments. It also references locker functionality and deployment mechanisms such as domain-wide execution via Group Policy Objects (GPO), which enables rapid propagation across a compromised Active Directory environment. 
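GPO-based deployment leaves a very specific artifact: a Group Policy Preferences scheduled-task definition (ScheduledTasks.xml under SYSVOL) plus the Scheduled Tasks client-side extension GUID on the GPO object's gPCMachineExtensionNames attribute. The audit below is an added example written for this post, not the group's tooling and not derived from the leak; the ScheduledTasks.xml content and the attribute value are constructed, with clsid attributes trimmed, and the element names follow the GPP scheduled-task schema as it appears in SYSVOL. It scores each task on the four properties a ransomware push combines (immediate task, SYSTEM context, newly created, payload launched from a UNC or staging path) and flags only tasks that stack several of them.

```python
"""Audit Group Policy Preferences scheduled-task definitions (ScheduledTasks.xml
under SYSVOL) for the shape of a GPO-based ransomware push: an immediate task,
running as SYSTEM, created recently, launching a payload from a network or
staging path.

Added example: not the group's tooling and not taken from the leak. The
ScheduledTasks.xml content and the gPCMachineExtensionNames value below are
constructed for illustration (clsid attributes trimmed).
"""
import re
# Production note: parse SYSVOL with defusedxml instead. After a domain
# compromise the attacker writes this XML and can target the parser too.
import xml.etree.ElementTree as ET

# CSE GUID that appears in a GPO's gPCMachineExtensionNames once Scheduled
# Tasks preferences are attached (Group Policy Preferences Scheduled Tasks CSE).
SCHEDTASK_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"

# Payload launched over UNC, or from SYSVOL/NETLOGON/temp/public staging dirs.
SUSPICIOUS_PATH = re.compile(
    r"^\\\\|\\(sysvol|netlogon|temp|public|programdata)\\", re.IGNORECASE)

SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="WinUpdateCheck" changed="2026-04-20 03:12:00">
    <Properties action="C" name="WinUpdateCheck" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>\\corp.example\netlogon\upd.exe</Command>
            <Arguments>-k 7f3a</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="InventoryAgent" changed="2025-11-02 14:00:00">
    <Properties action="U" name="InventoryAgent" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\agent.exe</Command>
            <Arguments>/scan</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Constructed gPCMachineExtensionNames for a GPO with Scheduled Tasks attached.
SAMPLE_GPC_EXT = ("[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                  "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]")


def parse_tasks(xml_text):
    """Flatten every Task/TaskV2/ImmediateTask/ImmediateTaskV2 entry."""
    tasks = []
    for node in ET.fromstring(xml_text):
        props = node.find("Properties")
        if props is None:
            continue
        exec_el = props.find("./Task/Actions/Exec")
        tasks.append({
            "kind": node.tag,
            "name": node.get("name", ""),
            "changed": node.get("changed", ""),
            "action": props.get("action", ""),
            "run_as": props.get("runAs", ""),
            "command": exec_el.findtext("Command", "") if exec_el is not None else "",
            "arguments": exec_el.findtext("Arguments", "") if exec_el is not None else "",
        })
    return tasks


def score_task(task):
    """Return the list of reasons a task looks like a deployment vehicle."""
    reasons = []
    if task["kind"].startswith("Immediate"):
        reasons.append("immediate task: fires on next policy refresh")
    if task["run_as"].upper().endswith("SYSTEM"):
        reasons.append("runs as SYSTEM")
    if task["action"] == "C":
        reasons.append("newly created entry (action=C)")
    if SUSPICIOUS_PATH.search(task["command"]):
        reasons.append("payload from UNC/staging path: " + task["command"])
    return reasons


def find_suspicious(xml_text, min_reasons=3):
    """Tasks meeting at least min_reasons indicators; 3 avoids flagging the
    routine SYSTEM maintenance tasks most domains legitimately deploy."""
    out = []
    for task in parse_tasks(xml_text):
        reasons = score_task(task)
        if len(reasons) >= min_reasons:
            out.append((task, reasons))
    return out


def gpo_has_schedtask_cse(gpc_machine_extension_names):
    """True if the GPO object's attribute lists the Scheduled Tasks CSE, i.e.
    the GPO will apply such tasks to every computer in its scope."""
    return SCHEDTASK_CSE.upper() in gpc_machine_extension_names.upper()


if __name__ == "__main__":
    print("CSE attached:", gpo_has_schedtask_cse(SAMPLE_GPC_EXT))
    for task, reasons in find_suspicious(SAMPLE_XML):
        print(f"{task['kind']} {task['name']!r} changed {task['changed']}:")
        for r in reasons:
            print("   -", r)
```

In practice the XML is read from \\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml for every GPO, and the gPCMachineExtensionNames check is run against the GPO objects in AD; a directory-change alert (event 5136 on a groupPolicyContainer) that adds the Scheduled Tasks CSE to a GPO linked at the domain root is the earliest point at which this technique is visible, before the refresh interval fires the task.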

The content further highlights cryptographic implementation and execution features, along with recent updates focused on defense evasion, including modifications aimed at bypassing security controls and improving execution stability. In parallel, the inclusion of an affiliate section detailing revenue distribution and operational support reflects an active RaaS model designed to sustain intrusion operations and scale through external operators. 

Timeline Overview – The Gentlemen Leak: 

The leak surfaced and escalated rapidly across underground and public platforms. The data was listed, validated, and distributed in multiple stages, with The Gentlemen acknowledging the breach early in an attempt to control the narrative. 

First Contact of The Gentlemen: 

Conclusion: 

The Gentlemen leak provides a rare and detailed view into the internal mechanics of a modern ransomware-as-a-service operation, exposing both its technical execution model and its organizational structure. The data confirms that the group relies heavily on credential-driven access, Active Directory abuse, and automated deployment mechanisms such as GPO to achieve rapid, domain-wide impact, rather than on zero-day exploits; the vulnerabilities it tracked were already public. At the same time, the exposure highlights critical weaknesses in the group's own infrastructure and operational security, particularly its reliance on third-party hosting and centralized backend systems. Despite the compromise, the group demonstrated clear operational resilience by maintaining activity, continuing affiliate-driven campaigns, and sustaining its presence within the ransomware ecosystem. Overall, the incident underscores the dual reality of modern RaaS groups: highly efficient and scalable in attack execution, yet still vulnerable to infrastructure-level failures that can expose their internal operations. 

