
2026-05-17 03:23:57

Leaked Database Exposes Inner Workings of Prolific 'The Gentlemen' Ransomware Operation

Leaked database of 'The Gentlemen' ransomware group exposes admin, affiliates, and operations, revealing 332 victims and dual-pressure tactics.

Breaking: Internal Database Leak Reveals Ransomware Group's Secrets

In a major security incident, the administrator of the ransomware-as-a-service (RaaS) group known as 'The Gentlemen' has confirmed that a critical internal backend database, codenamed 'Rocket,' was leaked on underground forums. Check Point Research obtained a partial copy of this leak, exposing nine accounts, including that of the group's administrator, zeta88 (also known as hastalamuerte).

Leaked Database Exposes Inner Workings of Prolific 'The Gentlemen' Ransomware Operation
Source: research.checkpoint.com

The administrator's account revealed they are responsible for building the locker and RaaS panel, managing payouts, and running the infrastructure—effectively the program's leader. The leak provides an unprecedented look into the group's operations and affiliate network.

Operational Details and Affiliate Activity

The leaked internal discussions offer a rare end-to-end view of the group's methods. They detail initial access vectors, including exploitation of Fortinet and Cisco edge appliances, NTLM relay attacks, and credential harvesting from OWA and Microsoft 365 logs. Affiliates share toolsets and actively track modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.

"This leak gives us a complete picture of how a modern RaaS group operates—from initial access to final extortion," said a Check Point Research spokesperson. "We see clear role division and a shared focus on exploiting the latest vulnerabilities."

Additionally, screenshots from ransom negotiations were included, showing a successful payout of 190,000 USD, down from an initial demand of 250,000 USD. This demonstrates the group's negotiation flexibility and financial success.

Dual-Pressure Tactic Exposed

Further chats reveal a sophisticated dual-pressure strategy. Stolen data from a UK software consultancy was reused to attack a company in Turkey. The Gentlemen portrayed the UK firm as an 'access broker' to the Turkish victim, even encouraging legal action against the consultancy while providing 'proof' of the intrusion's origin. This maneuver aimed to maximize leverage and confusion.

Background

'The Gentlemen' emerged around mid-2025, advertising their RaaS platform on multiple underground forums. By 2026, they became one of the most active groups, with approximately 332 victims published on their data leak site in just the first five months of 2026—ranking as the second most productive RaaS operation publicly listing victims. Earlier this year, Check Point Research analyzed an affiliate infection using SystemBC, revealing over 1,570 victims from a single command-and-control server.

Affiliate Structure and Administrator Involvement

Check Point Research identified eight distinct affiliate TOX IDs from collected ransomware samples, including the administrator's own ID. This suggests the admin not only manages the RaaS program but also actively participates in—or directly carries out—some infections. The leaked database confirms this, with detailed logs of affiliate activities and payouts.

What This Means

This leak is a significant blow to 'The Gentlemen' and provides law enforcement and cybersecurity firms with actionable intelligence. It highlights the group's technical sophistication and operational security flaws. "The exposure of internal communications and affiliate identities will likely lead to an increase in arrests and disruption of the group's infrastructure," the Check Point Research spokesperson added.

For the broader cybersecurity community, the leak underscores the importance of monitoring underground forums and sharing intelligence. It also reveals the evolving tactics of RaaS groups, including dual-pressure extortion and exploitation of edge devices. Organizations should prioritize patching Fortinet and Cisco appliances, enforcing multi-factor authentication, and monitoring for NTLM relay attempts.
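To make the last recommendation concrete, here is a small defender-side heuristic for spotting logons that look like NTLM relay. This is an added example written for this article, not Check Point Research code. It assumes a simplified key=value rendering of the fields found in Windows Security event 4624 (successful logon) and a constructed asset inventory mapping hostnames to the IP addresses they are expected to use; the log lines are constructed for the demo. The idea is the standard one: a network logon (LogonType 3) authenticated with the NTLM package where the claimed workstation name does not match the source IP it arrived from is worth a look, because a relayed authentication is forwarded from the attacker's host while still carrying the victim workstation's name.

```python
"""Heuristic NTLM-relay logon detector over constructed 4624-style records.

Added example; the field names, inventory and log lines are assumptions
made for this demo and are not the exact Windows event XML schema.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed asset inventory: hostname -> IP address it normally uses.
INVENTORY = {
    "WS-FINANCE-07": "10.1.20.17",
    "WS-HR-03": "10.1.21.8",
    "DC01": "10.1.0.5",
}

# Constructed log records in a simplified key=value form of event 4624 fields.
SAMPLE_LOG = """\
EventID=4624 LogonType=3 AuthPkg=Kerberos Account=jsmith Workstation=WS-FINANCE-07 SourceIP=10.1.20.17
EventID=4624 LogonType=3 AuthPkg=NTLM Account=jsmith Workstation=WS-FINANCE-07 SourceIP=10.1.20.17
EventID=4624 LogonType=3 AuthPkg=NTLM Account=jsmith Workstation=WS-FINANCE-07 SourceIP=10.1.99.250
EventID=4624 LogonType=3 AuthPkg=NTLM Account=svc-backup Workstation=DC01 SourceIP=10.1.22.41
EventID=4624 LogonType=2 AuthPkg=NTLM Account=jdoe Workstation=WS-HR-03 SourceIP=127.0.0.1
EventID=4625 LogonType=3 AuthPkg=NTLM Account=jdoe Workstation=WS-HR-03 SourceIP=10.1.21.8
EventID=4624 LogonType=3 AuthPkg=NTLM Account=admin Workstation=LAPTOP-X SourceIP=10.1.99.251
"""


@dataclass
class Finding:
    account: str
    workstation: str
    source_ip: str
    reason: str


KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one 'key=value key=value' record into a dict."""
    return dict(KV.findall(line))


def analyse(log_text: str, inventory: dict) -> list:
    """Return a Finding for each successful NTLM network logon whose
    claimed workstation does not match the source IP in the inventory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only successful logons (4624) over the network (type 3) via NTLM.
        if rec.get("EventID") != "4624":
            continue
        if rec.get("AuthPkg") != "NTLM" or rec.get("LogonType") != "3":
            continue
        ws = rec.get("Workstation", "")
        src = rec.get("SourceIP", "")
        try:
            ipaddress.ip_address(src)  # skip records with no usable address
        except ValueError:
            continue
        expected = inventory.get(ws)
        if expected is None:
            findings.append(Finding(rec.get("Account", ""), ws, src,
                                    "workstation not in inventory"))
        elif expected != src:
            findings.append(Finding(rec.get("Account", ""), ws, src,
                                    f"workstation {ws} expected from {expected}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, INVENTORY):
        print(f"{f.account}@{f.workstation} from {f.source_ip}: {f.reason}")
```

Run as-is it reports three suspicious records: the finance workstation logon arriving from an unexpected address, the service account logon claiming to be DC01 from a non-DC address, and a hostname absent from the inventory. Expect false positives from VPN, NAT and DHCP churn, so treat hits as triage leads rather than alerts on their own; the structural fix for relay is to require SMB and LDAP signing and enable Extended Protection for Authentication on the services being relayed to, with this check as a detective control alongside them.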

The incident may also deter future affiliates from joining 'The Gentlemen,' as operational secrecy has been compromised. However, other groups may adopt similar tactics, making this a critical time for defensive measures.