The Gentlemen RaaS group breached, internal data leaked exposing operations and TTPs

1 unique source, 1 article

Summary

The Russian ransomware-as-a-service (RaaS) operation known as The Gentlemen suffered a data breach of its internal infrastructure, resulting in the theft and public sale of 16 GB of sensitive data including communications, tooling, and operational documentation. The anonymous threat actors leaked a 44 MB sample proving authenticity, which Check Point Research analyzed to reveal detailed operational structure, tactics, techniques, and procedures (TTPs), payment models, and leadership dynamics of The Gentlemen. The group, led by a figure identified as "zeta88," has executed over 332 confirmed attacks in 2026 alone, making it the second most active ransomware group globally. The breach represents a significant reputational and operational risk, though immediate disruption to ongoing activities is not expected.

Timeline

  1. 13.05.2026 23:47 · 1 article

    The Gentlemen RaaS group breached; internal data leaked and analyzed

    On or before May 4, 2026, an anonymous threat actor breached The Gentlemen RaaS group, exfiltrating 16 GB of internal data including communications, tooling, and operational documentation. A 44 MB subset was leaked publicly for verification and analyzed by Check Point Research, revealing the group’s hierarchical structure led by "zeta88," core operational roles (qbit and quant), affiliate model with a 90/10 revenue split, and technical toolset including approximately 30 utilities and EDR evasion techniques. Internal communications also highlighted experimentation with in-house LLM tools and interest in code signing practices following the Black Basta leak.

Information Snippets

  • The Gentlemen RaaS gang was breached by an anonymous group on or before May 4, 2026, resulting in the theft of 16 GB of internal data including communications, tooling, and infrastructure details.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • A 44 MB subset of the stolen data was leaked publicly to verify authenticity, which Check Point Research analyzed to reveal operational details and technical artifacts.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • The Gentlemen has been responsible for 332 confirmed ransomware attacks in the first five months of 2026, positioning it as the second most active ransomware group after Qilin, according to Check Point Research.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • Leadership of The Gentlemen is attributed to "zeta88," who handles malware development, infrastructure management, target selection, negotiation, and payouts.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • The group’s operational team includes two core members: "qbit" for reconnaissance, vulnerability scanning, and persistence, and "quant" for access via logs and credentials, alongside a tertiary group of seven affiliates with specialized roles.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • The Gentlemen employs a 90/10 revenue split model favoring lower-tier collaborators, with zeta88 retaining 10% of each ransom payment.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • The group leverages approximately 30 tools, including scanners, VPNs, remote access utilities, and techniques such as bring-your-own-vulnerable-driver (BYOVD) to evade endpoint detection and response (EDR) and antivirus systems.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • Internal communications revealed experimentation with in-house large language model (LLM)-based tools for malicious purposes, including code generation, though practical limitations were acknowledged by leadership.

    First reported: 13.05.2026 23:47
    1 source, 1 article
  • The Gentlemen has shown interest in code signing practices following the Black Basta leak, indicating cross-group knowledge sharing within the ransomware ecosystem.

    First reported: 13.05.2026 23:47
    1 source, 1 article