TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Application Security Attackers Weaponize RubyGems for Data Dead Drops Attackers Weaponize RubyGems for Data Dead Drops by Alexander Culafi May 13, 2026 4 Min Read Сloud Security LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly by Alexander Culafi May 13, 2026 5 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America See All The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Threat Intelligence Cyber Risk Vulnerabilities & Threats Cybersecurity Operations News Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak An OPSEC failure provides a window into what helped the ransomware group rise: a generous affiliate model, opportunistic TTPs, and an effective organizational structure. Nate Nelson , Contributing Writer May 13, 2026 4 Min Read Source: Guy Corbishley via Alamy Stock Photo One of the world's most prolific ransomware operations has itself been breached, offering unique insight into its inner workings. In only the first five months of 2026, the Russian cybercriminal gang that calls itself " The Gentlemen " has published sensitive data belonging to around 332 different organizations. It has compromised many more organizations than that, surely, as its leak site does not include victims that pay their ransoms. According to Check Point Research, these numbers have made The Gentlemen the second most productive ransomware group on the planet this year, just short of Qilin. On or just before May 4, The Gentlemen got a taste of its own medicine when an anonymous group compromised its internal back-end database. Those hackers are now selling just over 16GB of The Gentlemen's internal communications, tooling, and other data for $10,000 in Bitcoin. "It is a reputational hit, but we do not expect it to significantly disrupt their operations or reduce their effectiveness," says Eli Smadja, Check Point's group manager for product R&D. Still, even the 44MB of stolen data the anonymous hackers leaked to prove the veracity of the rest of it has proven interesting. Check Point Research analyzed the sample, gaining new insight into The Gentlemen's operational structure , its tactics, techniques, and procedures (TTPs), and some of its quirks. Related: From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber How The Gentlemen Operate The head Gentleman goes by "zeta88" online. Zeta88 builds and maintains the group's locker malware, curates the tooling around it, runs all of the infrastructure, and more. They also select targets, assigns two or three fellow Gentlemen to attack those targets, and manage negotiations and payouts. Zeta88's operations guys are "qbit" and "quant." Qbit specializes in scanning for vulnerable edge devices, performing reconnaissance, and establishing persistence in targeted environments, and quant specializes in gaining access via logs and credentials. A tertiary group of seven grunts includes red teamers, an access broker, and even an advertising specialist. Though not evidenced in the leaked sample, presumably, some number of affiliates orbits around this circle of 10. Forcing a bunch of cybercriminals into a corporate pyramid might not sound like a bright idea, but the power structure is balanced by a generous payment model for lower-level collaborators. Every time The Gentlemen extorts a payment out of a victim, zeta88 enjoys 10% of it, but the other hackers involved get to split the other 90%. Related: Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability Smadja also attributes the group's success to its tight organizational structure. "The clear division of responsibilities within the group also plays a major role. Much like any well-run organization, having defined roles and workflows translates directly into higher productivity and, in their case, a higher volume of successful breaches," he says. Besides its tight ship, he adds, "One of the group's key strengths is the hands-on involvement of the main administrator, who came up as an affiliate and understands the operation from the ground up. Having the main RaaS administrator come from an affiliate background gave them a significant head start, helping them reach the top tier in a remarkably short period of time." What Else You Should Know About The Gentlemen The Gentlemen takes advantage of critical, known vulnerabilities and exploitation techniques to get into targeted systems and pair them with almost 30 different tools to support its locker. It uses a variety of scanners and VPNs, tools for gaining remote access to systems, and several techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic . Check Point describes the toolset as "fairly mature," if not particularly unique. Related: Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error Members have toyed with more cutting-edge ideas, like developing an in-house large language model (LLM)-based program for some vague malicious purposes. They've already used LLMs to assist with code development , but while their dreams are bigger, the practical limitations of current artificial intelligence (AI) technology have gotten in the way. After reporting that they vibe-coded an admin panel in three days, zeta88 warned that "you have to understand everything and think like crazy even with [neural networks], because they're all dumb (even if smart)." The Gents also keeps up with its colleagues in the ransomware business, gossiping about them ( Dragon Force : cool; Chaos: meh) but also learning from them. In one leaked chat foreshadowing its own future, the gang discussed ways to benefit from last year's Black Basta leak . Their greatest interest was in their colleagues' approach to code signing. Smadja thinks it unlikely that The Gentlemen's own breach would much edify other hackers. "What they have built is the product of experience, and nothing disclosed in the leak reveals a secret formula or unique technical advantage," he says. "It is possible the leak could inspire other affiliates to spin up their own RaaS operations, but given that some established groups already offer a 90/10 payout split, building your own operation is not an obviously attractive proposition for most." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. See more from Nate Nelson Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars Editor's Choice Threat Intelligence From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber by Dark Reading Editorial Team May 6, 2026 31 Min Read Cyber Risk Physical Cargo Theft Gets a Boost From Cybercriminals Physical Cargo Theft Gets a Boost From Cybercriminals by Robert Lemos May 4, 2026 5 Min Read Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. Subscribe RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? Wed, June 3, 2026 at 1pm EST Your Guide to Securing AI Adoption in Your Organization Tues, June 9, 2026 at 1pm EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Wed, June 24,2026 at 1pm EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems Tues, May 26, 2026, at 1pm EST Anatomy of a Data Breach: What to Do if it Happens to You June 18th, 2026 | 11:00am -5:00pm ET | Doors Open at 10:30am ET More Webinars Black Hat USA | Mandalay Bay, Las