On May 4, 2026, the administrator of a ransomware-as-a-service operation called The Gentlemen acknowledged on underground forums that its internal backend had been breached. A seller using the handle n7778 had put the group's "Rocket" database up for sale for 10,000 USD in Bitcoin, posting file-sharing links with proof samples. Check Point Research subsequently analyzed the leaked material, turning an embarrassment for one criminal crew into one of the more detailed public looks at a modern RaaS operation's internals that defenders have had in some time.
The Gentlemen are not a fringe outfit. By Check Point's count they published roughly 332 victims in the first five months of 2026, making them one of the most active RaaS programs of the period and, by that measure, the second most productive operation. A leak of this group's backend is therefore not a curiosity; it is a rare, evidence-grade map of how a high-volume extortion business actually runs, from affiliate payouts to the specific tools operators reach for on the keyboard.
This post summarizes what the leak revealed, grounds the tradecraft in concrete detection guidance, and avoids the temptation to over-read partial data. Where the leaked dataset is incomplete or where attribution is probabilistic, we flag it. The aim is to convert a competitor's bad day into your detection backlog.
TL;DR
- What happened: On May 4, 2026, The Gentlemen's admin confirmed a breach of the group's "Rocket" backend after a forum seller (n7778) listed it for ~10,000 USD in Bitcoin. Check Point Research analyzed the leak.
- Scope of the leak: Server shadow file with password hashes, internal chat channels (INFO, general, TOOLS, PODBOR), infrastructure and affiliate details, victim data, and negotiation screenshots. A ~44.4 MB partial of an estimated ~16.22 GB dataset circulated.
- The operation: ~332 published victims in five months of 2026. Nine named members, eight distinct affiliate identities, and a 90/10 affiliate-favorable payout split.
- Initial access: Exposed Fortinet/Cisco edge appliances, VPN credential brute-forcing, known-CVE exploitation, access-broker purchases, and NTLM relay.
- CVEs in active use: CVE-2024-55591 (FortiOS), CVE-2025-32433 (Erlang/OTP SSH), CVE-2025-33073 (Windows NTLM reflection/relay).
- Tradecraft: Go-based Windows and Linux lockers, extensive EDR-evasion tooling, and a documented willingness to reuse one victim's stolen data as pressure against the next.
- Key action: Patch and harden internet-facing edge devices, kill NTLM relay paths, and treat exposed VPN/management interfaces as the front door this crew actually uses.
What happened
The chain of events is straightforward and confirmed by the leaked artifacts plus Check Point's analysis.
On or before May 4, 2026: A forum account named n7778 advertised The Gentlemen's "Rocket" backend database for sale at roughly 10,000 USD in Bitcoin, sharing proof files via MediaFire links. The leaked material includes a server shadow file (usernames and password hashes), internal chat logs across multiple channels, infrastructure and affiliate information, victim records, and screenshots of ransom negotiations. A partial sample of about 44.4 MB circulated against an estimated full dataset of roughly 16.22 GB.
May 4, 2026: The Gentlemen administrator acknowledged the breach.
The leak's authenticity is supported by internal consistency across the artifacts (chat logs referencing the same operators, infrastructure, and victims), but as with any criminal-sourced dump, some contents may be partial, stale, or selectively curated by the seller. Read the specifics as high-confidence-but-not-certified.
Inside the operation
What makes this leak valuable is the organizational detail, which is normally invisible.
Structure. The dataset points to a core administrator operating under the handle Zeta88 (with a probable real-world alias), who runs infrastructure, builds the locker, manages the RaaS panel, curates toolsets, assigns targets, and handles payouts and negotiations. Check Point identified nine active members (handles include Kunder, qbit, JeLLy, Protagor, zeta88, Bl0ck, Wick, quant, and mAst3r) and eight distinct affiliate identities running independent campaigns, with one affiliate responsible for the majority of observed activity.
Economics. The payout split is reported at 90% to affiliates and 10% to the operator, which is among the most affiliate-favorable in the market. That generosity is a recruiting tool: a high split attracts skilled operators away from competing programs, which is exactly how a relatively young brand reaches 332 victims in five months.
Specialization. The leaked roles read like a small offensive-security firm. One operator (qbit) focused on reconnaissance, Fortinet/Cisco targeting, EDR evasion, and persistence. Another (quant) specialized in Outlook Web Access and Microsoft 365 credential harvesting and built a custom log-parsing tool referenced as "buildx641." Division of labor at this granularity is a hallmark of a mature operation.
Notably, the chats discuss using AI coding assistants (references to DeepSeek and Qwen models) for code-assisted development, monitoring competitor programs (LockBit, Black Basta, DragonForce, HelloKitty), and laundering proceeds via exchange chains and peer-to-peer OTC arrangements. The "AI-assisted ransomware development" line is increasingly common in these dumps and worth treating soberly: it accelerates iteration; it does not conjure novel capability.
How the attack worked
The Gentlemen's intrusion model, as documented in the leak and Check Point's analysis, is edge-first and identity-centric.
1. Initial access
- Exposed Fortinet FortiGate / Cisco edge appliances
- VPN credential brute-forcing
- Known-CVE exploitation (see list below)
- Access purchased from initial-access brokers
- NTLM relay
2. Foothold & evasion
- Disable / blind EDR (EDRStartupHinder, gfreeze, glinker, ETW manipulation, DumpBrowserSecrets)
- C2 via ZeroPulse, Velociraptor, Cloudflare Zero Trust / Tunnels
3. Discovery & credentials
- NetExec, TaskHound, PrivHound, CertiHound, RelayKing
- Scanning: gogo.exe and port scanners
- Target ntds.dit, shadow copies (vssadmin)
4. Collection & exfiltration
- MANSPIDER for share crawling; custom "buildx641" log parser
- Steal data before encryption
5. Impact
- Go-based locker (Windows + Linux), "silent mode", network-share encryption focus
- Drop README-GENTLEMEN.txt, set gentlemen.bmp wallpaper
The CVEs they actually use
The leak ties the group to specific, recent vulnerabilities in internet-facing infrastructure:
- CVE-2024-55591 — FortiOS authentication bypass on the management interface. Edge-device compromise is the front door.
- CVE-2025-32433 — Erlang/OTP SSH vulnerability, relevant to network gear and appliances that embed Erlang-based services.
- CVE-2025-33073 — Windows NTLM reflection/relay, used to escalate from a foothold to broader domain access.
The pattern is consistent: get in through an exposed appliance, then abuse NTLM relay to move toward domain dominance. None of these are exotic. All are patchable or mitigable today.
A defining double-extortion move
One operation in the leak is worth singling out because it shows where extortion is heading. Data extracted from a UK software consultancy was reused during a later attack on a Turkish company. The attackers leveraged this for dual-pressure extortion, framing the UK firm as their "access broker" and encouraging the Turkish victim to pursue legal action against it. The negotiation screenshots also show a real outcome: a payment of roughly 190,000 USD secured after the demand was negotiated down from 250,000 USD.
This cross-victim data reuse turns each compromise into ammunition for the next, and it deliberately drags third parties (your vendors, your customers) into the blast radius. It is the logical endpoint of double extortion: the data is not just leverage against the victim who lost it, but against everyone connected to them.
What detection looks like
The leak hands defenders a concrete signal list. Prioritize the edge and the identity plane.
- Edge-device exploitation: FortiGate/Cisco management-interface authentications from unexpected geographies, config changes on edge appliances, and exploitation attempts matching CVE-2024-55591. Watch for VPN logins immediately following brute-force patterns (many failures, then success).
- NTLM relay: SMB signing not enforced, anomalous machine-account authentications, and relay-tool signatures. CVE-2025-33073 activity manifests as unexpected NTLM authentication chains.
- EDR tampering: Attempts to stop, blind, or unload EDR agents; ETW provider manipulation; sudden gaps in agent telemetry. The Gentlemen's toolkit is heavy on this, so a telemetry blackout is itself a high-fidelity alert.
- Recon tooling: Execution of NetExec, gogo.exe, and credential-hunting tools (TaskHound, PrivHound, CertiHound). MANSPIDER-style mass share enumeration.
- AD database access: Reads or copies of ntds.dit, vssadmin shadow-copy creation/deletion on domain controllers.
- C2 over trusted infra: Velociraptor used outside sanctioned IR engagements, and Cloudflare Tunnel / Zero Trust connectors appearing on servers that have no business running them.
- Ransom artifacts (late): README-GENTLEMEN.txt and the gentlemen.bmp wallpaper indicate you have already lost the race.
Because the group ships roughly 30 Windows and 3 Linux locker builds (by the leak's hash counts), prioritize behavioral detection over static hashes.
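As an added illustration of the brute-force-then-success VPN signal listed above (example code written for this post, not from Check Point's analysis or the leaked material), the detector below keeps a per-source sliding window of failed logins and flags any success that lands while the window still holds at least the threshold of failures. The log format, IP addresses and usernames are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (not from any real device).
# One event per line: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2026-05-04T08:00:01 203.0.113.7 jsmith FAIL
2026-05-04T08:00:02 203.0.113.7 jsmith FAIL
2026-05-04T08:00:03 203.0.113.7 admin FAIL
2026-05-04T08:00:04 203.0.113.7 vpnuser FAIL
2026-05-04T08:00:05 203.0.113.7 jsmith FAIL
2026-05-04T08:00:09 203.0.113.7 jsmith SUCCESS
2026-05-04T08:10:00 198.51.100.4 mjones FAIL
2026-05-04T08:10:30 198.51.100.4 mjones SUCCESS
2026-05-04T09:00:00 192.0.2.9 afox FAIL
2026-05-04T09:00:01 192.0.2.9 afox FAIL
2026-05-04T09:00:02 192.0.2.9 afox FAIL
2026-05-04T09:00:03 192.0.2.9 afox FAIL
2026-05-04T09:00:04 192.0.2.9 afox FAIL
2026-05-04T09:30:00 192.0.2.9 afox SUCCESS
"""


def parse_event(line):
    """Split one log line into (timestamp, source_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def brute_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, user, failures_in_window) for every SUCCESS that was
    preceded by at least `threshold` FAIL events from the same source inside
    `window`. Failures older than the window are discarded, so a success that
    arrives long after a burst of failures (192.0.2.9 above) is not flagged
    with the default window."""
    recent = {}  # source_ip -> deque of failure timestamps still in the window
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_event(line)
        failures = recent.setdefault(src, deque())
        while failures and ts - failures[0] > window:
            failures.popleft()  # expire failures that fell out of the window
        if result == "FAIL":
            failures.append(ts)
        elif result == "SUCCESS":
            if len(failures) >= threshold:
                hits.append((src, user, len(failures)))
            failures.clear()  # a success resets the burst for that source
    return hits
```

Widening the window (for example to an hour) also catches the slow burst from 192.0.2.9, which is the trade-off to tune against your own VPN's false-positive rate.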
What to do Monday morning
- Patch the named CVEs first. CVE-2024-55591 (FortiOS), CVE-2025-32433 (Erlang/OTP SSH), and CVE-2025-33073 (Windows NTLM relay). If you run FortiGate or Cisco edge appliances exposed to the internet, treat this as urgent.
- Shrink the edge attack surface. Remove management interfaces from the public internet, enforce MFA on all VPN access, and alert on brute-force-then-success patterns. This is the group's primary front door.
- Kill NTLM relay paths. Enforce SMB signing, enable Extended Protection for Authentication where supported, and move toward disabling NTLM. This directly disrupts the escalation step.
- Make EDR tamper-resistant. Enable tamper protection, alert on agent stop/uninstall and telemetry gaps, and treat a sudden EDR blackout on a server as an incident, not a glitch.
- Protect the AD database. Monitor ntds.dit access and abnormal vssadmin use on domain controllers. These are unmistakable late-stage indicators.
- Map your third-party exposure. Given the cross-victim data-reuse tactic, inventory which vendors and customers hold your data and which hold theirs in your environment. Decide now how you would respond if your data surfaced in someone else's breach negotiation.
Why this keeps happening
The Gentlemen leak is, in miniature, a portrait of why RaaS is durable. The affiliate model decouples skill from infrastructure: a generous split lets an operator rent the talents of specialists who never need to build a locker or run a panel. That liquidity in the criminal labor market is why takedowns of any single brand rarely dent the overall volume; the operators simply move.
The technical reasons are depressingly familiar. Internet-facing edge appliances remain the most reliable entry point, and the CVEs in the leak are months old, not zero-days. NTLM persists in enterprise networks despite years of guidance to retire it, handing attackers a dependable escalation primitive. And EDR, while valuable, is not tamper-proof by default in many deployments, so a crew with a mature evasion toolkit can often blind it long enough to finish the job.
The cross-victim extortion pattern adds a structural wrinkle: as crews accumulate stolen data, each new victim inherits leverage built from prior ones. The marginal cost of an extra extortion angle keeps falling.
The structural fix
You cannot dismantle the affiliate market, but you can make yourself a worse target and shorten the time attackers have inside. The leak's CVE list is the obvious starting point: knowing which of those vulnerabilities are actually present and reachable in your environment, rather than chasing a flat list, is what turns a sprawling patch backlog into a short, prioritized one. Safeguard's reachability analysis and CVE/EPSS/KEV context exist to do exactly that triage, and auto-fix shortens the window between "known exploited" and "remediated." For the edge appliances and known-exploited bugs in this leak, faster, evidence-based prioritization is the honest value: shorter exposure, not magic prevention.
On the response side, the group's reliance on edge-CVE-then-NTLM-relay is a well-understood kill chain, and practiced incident-response and policy-as-code controls that block exposed management interfaces and unsigned-SMB conditions reduce the blast radius if a foothold is achieved. The goal is to compress dwell time from weeks to hours.
What we know we don't know
- Completeness of the leak. The ~44.4 MB partial against a ~16.22 GB whole means most of the dataset was not public at analysis time. Conclusions drawn from the sample may not generalize.
- Real-world identities. Operator handles and a probable alias for the admin are noted, but attribution to specific individuals is not law-enforcement-confirmed.
- Whether the breach disrupts operations. A backend leak embarrasses and exposes a crew but does not necessarily stop it. Whether The Gentlemen rebrand, rebuild, or continue under the same name is unresolved.
- Victim verification. The ~332 published-victim count reflects leak-site postings, which can include unconfirmed or recycled claims.
References
- Thus Spoke…The Gentlemen — Check Point Research (2026)
- The State of Ransomware — Q1 2026 — Check Point Research
- 10 New Ransomware Groups of 2025 and Threat Trends for 2026 — Cyble
- Reviewing the trends in ransomware attacks in 2026 — Securelist (Kaspersky)