THE Gentlemen, a RaaS group active since mid-2025, suffered a breach of its own backend in early May 2026, exposing internal chat logs, affiliate rosters, ransom negotiation transcripts, operational tooling discussions, and server credentials. The leak surfaced on underground forums, briefly went up for sale, and was dumped publicly on a file‑sharing platform before being taken down, offering defenders a rare behind‑the‑curtain view of a modern ransomware operation.
The operation is led by the Russian‑speaking threat actor known as hastalamuerte or zeta88, who previously ran an affiliate crew called ArmCorp under the Qilin Ransomware program. The data reveals a rapid growth, with the group publishing around 330 victims on their data leak site in early 2026, and a Go‑based locker capable of targeting Windows, Linux, NAS, and BSD systems, plus a dedicated C‑based locker for ESXi hypervisors.
The 4VPS hosting provider is noted as a point of ingress to the group’s infrastructure, and a May 5 listing on Cracked offered 44.4 MB of data with a full dataset thought to total about 16.22 GB, with a documented ransom of $190,000 for a case that began at $250,000.