When the Ransomware Gang Gets Hacked: What the Gentlemen Leak Reveals About Modern Ransomware Risk

On May 4, 2026, The Gentlemen’s administrator acknowledged on underground forums that the group’s internal backend database had been compromised and leaked, most likely as a consequence of a breach at 4VPS, a hosting provider the group used to run its infrastructure. Check Point Research (CPR) obtained a portion of that data before it was removed: internal chat logs, organizational rosters, ransom negotiation transcripts, and tooling discussions. It is the kind of inside view of a ransomware operation that almost never becomes available to defenders.
This blog distills what CPR found, building on their initial analysis published in April 2026. For the full technical breakdown, read the complete CPR research report.
A Small, Professional Operation
The Gentlemen is run by roughly nine named operators centered on a single administrator (zeta88, most likely the same person known elsewhere as hastalamuerte) who builds the ransomware, runs the RaaS panel, manages payouts, and personally participates in attacks. Leaked chats show him messaging “I’m locking” during a live encryption event. He also built the entire admin panel in three days using AI coding assistants.
The group offers affiliates a 90/10 revenue split (versus the 80/20 that is standard across the industry), which has been instrumental in attracting experienced operators from competing programs, including Qilin, where the administrator himself previously worked as an affiliate.
How They Get In
Entry is almost always through the perimeter rather than the endpoint: an unpatched internet-facing device, access bought from a broker, or stolen credentials. The Gentlemen specifically target VPNs and edge appliances, exploiting CVE-2024-55591 (the FortiOS/FortiProxy authentication bypass) and CVE-2025-32433 (the pre-authentication remote code execution flaw in the Erlang/OTP SSH server that ships inside many network appliances), buying access from third-party brokers, or using credentials harvested from infostealer log markets. Once inside, they move fast: Active Directory enumeration, NTLM relay attacks (including CVE-2025-33073, the Windows SMB client NTLM reflection flaw), EDR disablement, lateral movement via legitimate admin tools, browser session harvesting for Microsoft 365 and Okta access, and data exfiltration, all before a domain-wide ransomware deployment pushed through Group Policy that hits every domain-joined endpoint at once.
One Breach Leads to the Next
Perhaps the most significant finding for business leaders: in April 2026, The Gentlemen breached a UK software consultancy and then used data stolen in that attack (infrastructure documentation, credentials, and client access information) in a subsequent attack against one of the consultancy’s clients in Turkey. The UK firm publicly stated that only routine business data had been accessed. The internal chats tell a different story.
The group then published both companies on their data leak site, explicitly crediting the UK consultancy as their “access broker” for the Turkish attack, a pressure tactic designed to encourage the Turkish company to pursue legal action against their British partner.
A breach of your organization can become the entry point to your customers. The data you hold on their behalf deserves the same protection as your own most sensitive assets.
What Security Leaders Should Do
The Gentlemen’s attack chain is sophisticated in execution but not in entry point. The defensive priorities are straightforward:
- Patch edge devices as a board-level priority: VPNs, firewalls, and remote access gateways are the front door. CVE-2024-55591 and CVE-2025-32433 are in active use by this group
- Assume credentials are already compromised: MFA is necessary but not sufficient. Monitor for anomalous authentication patterns across Microsoft 365, VPN panels, and identity systems
- Protect your Active Directory: NTLM relay attacks and AD Certificate Services misconfigurations are core to this group’s playbook. Regular AD security assessments are essential
- Detect at the lateral movement stage: By the time ransomware detonates, containment is nearly impossible. Behavioral analytics during the attacker’s movement through your environment is where the real detection opportunity lies
- Verify your backups are genuinely isolated: The group specifically targets NAS devices and backup systems. Offline, immutable backups separated from the domain are the difference between recovery and capitulation
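The attack chain above (NTLM-authenticated logons fanning out from one stolen account to file servers, NAS boxes and the domain controller in minutes) and the two list items on monitoring authentication and detecting at the lateral-movement stage describe the same detection opportunity. The following Python is an added illustration written for this page, not code from Check Point Research, the blog, or the group’s tooling. It runs two simple detections over a constructed, pipe-delimited export of Windows Security event 4624 (successful logon) records: a fan-out check (one account reaching many distinct hosts over the network inside a short window) and a first-seen-source check (an account logging on from a source IP it has no history with). The export layout, host names, IP addresses, account names, baseline cutoff and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a pipe-delimited export of Security event 4624 fields.
# Every host, IP, account and timestamp is invented for this example, and the
# column layout is an assumption about how a SIEM might export the event.
# Columns: timestamp|account|source_ip|target_host|logon_type|auth_package
SAMPLE_LOG = """\
2026-04-09T08:00:00|svc-backup|10.1.5.50|FS-01|3|Kerberos
2026-04-09T20:00:00|svc-backup|10.1.5.50|FS-01|3|Kerberos
2026-04-10T08:00:00|svc-backup|10.1.5.50|FS-01|3|Kerberos
2026-04-10T08:05:00|j.smith|10.1.5.23|WS-0412|2|Kerberos
2026-04-10T08:15:00|t.adm|10.1.2.10|DC-01|3|Kerberos
2026-04-10T08:30:00|t.adm|10.1.2.10|FS-01|3|Kerberos
2026-04-10T08:45:00|t.adm|10.1.2.10|APP-03|3|Kerberos
2026-04-10T22:01:00|svc-backup|10.1.9.77|FS-01|3|NTLM
2026-04-10T22:01:30|svc-backup|10.1.9.77|FS-02|3|NTLM
2026-04-10T22:02:00|svc-backup|10.1.9.77|APP-03|3|NTLM
2026-04-10T22:02:40|svc-backup|10.1.9.77|NAS-01|3|NTLM
2026-04-10T22:03:10|svc-backup|10.1.9.77|WS-0412|3|NTLM
2026-04-10T22:04:00|svc-backup|10.1.9.77|DC-01|3|NTLM
"""


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src_ip: str
    dest_host: str
    logon_type: int   # 2 = console, 3 = network (SMB/RPC/WinRM), 10 = RemoteInteractive (RDP)
    package: str      # "Kerberos" or "NTLM"


def parse_log(text):
    """Turn the pipe-delimited export into Logon records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, ltype, pkg = line.split("|")
        events.append(Logon(datetime.fromisoformat(ts), user, src, dst, int(ltype), pkg))
    return events


EVENTS = parse_log(SAMPLE_LOG)
# Everything before this cutoff is treated as known-good history for the
# first-seen-source check (an assumption; in practice use weeks of data).
BASELINE_UNTIL = datetime.fromisoformat("2026-04-10T12:00:00")


def fanout_alerts(events, window_minutes=10, min_hosts=5):
    """Flag an account that reaches min_hosts distinct machines over the network
    within window_minutes: the shape of one credential being reused across a
    domain, whether via PsExec, WMI, WinRM or a relayed NTLM session."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e.logon_type in (3, 10):      # remote logons only; console logons are noise here
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            in_window = evs[start:end + 1]
            hosts = {x.dest_host for x in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "first": evs[start].ts.isoformat(),
                    "last": e.ts.isoformat(),
                    "hosts": sorted(hosts),
                    "packages": sorted({x.package for x in in_window}),
                })
                break                                # one alert per account is enough to triage
    return alerts


def new_source_alerts(events, baseline_until):
    """Flag the first logon of an account from a source IP never seen for it
    during the baseline period. Stolen or relayed credentials usually arrive
    from a machine the account has no history with."""
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts < baseline_until:
            seen[e.user].add(e.src_ip)
        elif e.src_ip not in seen[e.user]:
            alerts.append({"user": e.user, "src_ip": e.src_ip, "first_target": e.dest_host,
                           "ts": e.ts.isoformat(), "package": e.package})
            seen[e.user].add(e.src_ip)             # report each new source once
    return alerts


def run_detections(events=EVENTS, baseline_until=BASELINE_UNTIL):
    """Run both detections and return their alerts keyed by detection name."""
    return {"fanout": fanout_alerts(events),
            "new_source": new_source_alerts(events, baseline_until)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(), indent=2))
```

On the constructed sample, the service account’s six NTLM logons from 10.1.9.77 trip both checks while the administrator’s three spaced-out Kerberos connections do not; the `packages` field is there so an analyst can see at a glance that a fan-out is riding on NTLM, which is the authentication path a relay abuses. The thresholds are deliberately crude: in a real environment they would be tuned per account class, and the baseline would be built from weeks of history rather than a single day.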
The Bigger Picture
The Gentlemen exemplify the current state of professional ransomware: a small, organized crew executing a repeatable playbook with curated tooling and a business model designed to attract skilled operators. They have not invented new techniques; they have packaged existing ones into a scalable operation and priced their affiliate program to win.
The breach of their own infrastructure is an unusually clear window into how that operation works. Check Point Research has shared the findings with law enforcement, and an investigation is ongoing.