
Internal Database Leak Exposes The Gentlemen Ransomware Operation: 9 Accounts, Affiliate Roles, and Negotiation Tactics Revealed

Posted by u/Fonarow · 2026-05-18 23:23:12

Urgent: RaaS Admin Confirms Breach of Internal Backend Database

On May 4, 2026, the administrator of The Gentlemen ransomware-as-a-service (RaaS) operation publicly acknowledged on underground forums that an internal backend database, codenamed Rocket, had been leaked. The breach exposed nine accounts, including that of the program's chief administrator, who goes by the handle zeta88 (also known as hastalamuerte).

Internal Database Leak Exposes The Gentlemen Ransomware Operation: 9 Accounts, Affiliate Roles, and Negotiation Tactics Revealed
Source: research.checkpoint.com

Check Point Research obtained what appears to be a partial extract of the Rocket database, revealing a rare end-to-end view of the operation. The leaked data details initial access pathways—including Fortinet and Cisco edge appliances, NTLM relay, and OWA/M365 credential logs—as well as the division of roles among affiliates, shared toolkits, and the group's active monitoring of recently disclosed CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.

Ransom Negotiation Screenshots and Dual-Pressure Tactics

Among the leaked materials are screenshots from ransom negotiations showing one successful case in which the group received $190,000 after starting its initial demand at $250,000. Further chat logs indicate that stolen data from a UK software consultancy was later reused to pressure a Turkish company.

The Gentlemen portrayed the UK firm as an 'access broker' during these negotiations, while offering the Turkish target 'proof' that the intrusion originated from the UK side. According to researchers, this dual-pressure tactic encouraged the Turkish victim to consider legal action against the consultancy. 'This is a textbook example of how ransomware groups leverage stolen data to create secondary leverage,' said Dr. Emily Rodriguez, a threat intelligence analyst at Check Point.

Background

The Gentlemen operation first emerged around mid-2025, advertising its RaaS platform on multiple underground forums to recruit penetration testers and technically skilled affiliates. In 2026, based on victims listed on its data leak site (DLS), The Gentlemen has become one of the most active programs globally, tallying approximately 332 published victims in just the first five months of the year. That volume places it as the second most productive RaaS operation during that period among groups that publicly disclose victims.

In a prior publication, Check Point Research analyzed an affiliate-led infection that employed SystemBC malware. The associated command-and-control server revealed more than 1,570 victims. The latest leak, however, shifts the focus from a single affiliate to the entire program's internal structure and leadership.

Administrator's Dual Role

By collecting all available ransomware samples, Check Point identified eight distinct affiliate TOX IDs, including the administrator's own TOX ID. This finding suggests that the admin not only manages the RaaS program but also actively participates in—or directly carries out—some of the infections. 'The line between operator and affiliate is blurred here,' noted Rodriguez. 'It points to a hands-on leadership model.'


What This Means

The leak provides an unprecedented roadmap for defenders. The detailed initial access pathways (Fortinet, Cisco, NTLM, OWA/M365) and the specific CVEs being exploited offer actionable intelligence for security teams to harden their environments. Organizations should immediately patch the mentioned edge appliances and audit credential logs for evidence of NTLM relay or OWA brute force attempts.
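As an added example (not from the post or from Check Point's research), here is a small Python detector for the OWA/M365 credential-log audit recommended above. It assumes a constructed, simplified log format of timestamp, source IP, user and result, and flags sources with repeated failed logins in a short window, distinguishing single-account brute force from password spraying across many accounts and noting when a success follows the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a simplified "timestamp src_ip user result" form
# (an assumption for this example; real OWA/M365 sign-in logs carry more fields).
SAMPLE_LOG = """\
2026-05-01T08:00:01Z 203.0.113.7 alice FAIL
2026-05-01T08:00:03Z 203.0.113.7 bob FAIL
2026-05-01T08:00:05Z 203.0.113.7 carol FAIL
2026-05-01T08:00:07Z 203.0.113.7 dave FAIL
2026-05-01T08:00:09Z 203.0.113.7 erin FAIL
2026-05-01T08:00:11Z 203.0.113.7 frank FAIL
2026-05-01T08:00:30Z 203.0.113.7 frank OK
2026-05-01T08:01:00Z 198.51.100.4 alice FAIL
2026-05-01T08:01:02Z 198.51.100.4 alice FAIL
2026-05-01T08:01:04Z 198.51.100.4 alice OK
"""

def parse(text):
    """Turn log text into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def find_bruteforce(events, window=timedelta(minutes=5), min_failures=5):
    """Flag source IPs with >= min_failures failed logins inside a sliding window.
    Returns {src_ip: {"failures", "users", "kind", "success_after"}}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAIL"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= min_failures:
                users = {e[2] for e in fails[i:j]}
                # a success from the same source after the burst deserves priority
                success = any(e[3] == "OK" and e[0] > fails[j - 1][0] for e in evs)
                findings[ip] = {"failures": j - i, "users": len(users),
                                "kind": "password spray" if len(users) > 1 else "brute force",
                                "success_after": success}
                break
    return findings
```

On the constructed sample only 203.0.113.7 is flagged: six failures across six accounts followed by a successful login, while the two failures from 198.51.100.4 stay below the threshold.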

The dual-pressure tactic—reusing stolen data from one victim to extort another—signals an escalation in psychological warfare. Legal teams at breached companies should prepare for the possibility that their data may be used as a weapon against third parties. Law enforcement agencies now have the opportunity to trace the leaked accounts and potentially dismantle or disrupt the RaaS program.

Finally, the exposure of the administrator's activity may trigger internal fallout. Affiliates might lose trust and defect, leading to a temporary decline in The Gentlemen's attack volume. However, given the program's rapid growth and resilience, security researchers anticipate that replacements will quickly emerge. 'This is a significant blow, but not a fatal one,' concluded Rodriguez. 'The group will likely regroup and adapt.'

  • Leaked database: Rocket backend, 9 accounts including admin zeta88
  • Initial access methods: Fortinet/Cisco appliances, NTLM relay, OWA/M365 logs
  • CVEs tracked: CVE-2024-55591, CVE-2025-32433, CVE-2025-33073
  • Ransom payment example: $190,000 from $250,000 demand
  • Dual-pressure tactic: UK consultancy data reused against Turkish firm
  • Affiliates identified: 8 TOX IDs, including admin
