Gentlemen RaaS leak reveals 332 victims, internal chats exposed

Category: breach · Status: open · May 11, 2026 – May 13, 2026

The Gentlemen ransomware‑as‑a‑service group has suffered a major data leak that exposes the internal workings of its operation and details of 332 victims across the first five months of 2026.

The leaked Rocket backend database, shared on underground forums, contains chat logs, account credentials and ransom negotiation records that shed light on the group's affiliate model, according to Check Point Research.

According to the analysis, the database shows nine user accounts and eight unique TOX identifiers, with the administrator often using the handles zeta88 or hastalamuerte to manage the panel, locker and payout functions.

The exposed material also references exploitation of CVE‑2024‑55591, a critical authentication bypass in Fortinet FortiOS and FortiProxy that carries a CVSS score of 9.6 and is listed in the KEV catalogue as actively exploited (sources: FortiGuard advisory, CSA alert).

Additionally, the leak notes the use of CVE‑2025‑32433 (CVSS 10.0) and CVE‑2025‑33073 (CVSS 8.8), both flagged as known exploited vulnerabilities with patches available (sources: Arctic Wolf analysis, SOC Prime detection guide).

The data shows that, between January and May 2026, the group claimed approximately 332 victims, positioning it among the most active RaaS programmes in that period (source: DataBreaches.net).

Chat excerpts reveal a ransom demand that began at 250,000 USD before settling at a 190,000 USD payment, and they reference a breach of a UK‑based software consultancy as one of the early intrusions.

Organisations running FortiOS or FortiProxy should immediately apply the latest firmware releases that address CVE‑2024‑55591 and verify that the patch level is reflected in their inventory (source: FortiGuard).
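Verifying that the patch level is "reflected in the inventory" is easy to get wrong when an inventory mixes firmware branches, stray "v" prefixes and hand-typed entries. The script below is an added example written for this page, not code from the article, Check Point, Fortinet or any other source named here. It compares each inventoried device against a per-branch fixed-release table and refuses to mark a device as patched when its branch or product is not covered or its version string is malformed. The product and version numbers in the table, the hostnames and the inventory rows are all constructed placeholders; the real branch-to-fixed-release mapping for CVE‑2024‑55591 must be taken from the FortiGuard advisory.

```python
"""Added example: flag devices in an asset inventory whose firmware is
below the fixed release for an advisory.  Nothing here is taken from the
article or from Fortinet; the version table and inventory are constructed."""
import re

# Product -> branch -> minimum fixed release.
# PLACEHOLDER values for illustration only (assumption): replace with the
# branch/fixed-version table published in the vendor advisory before use.
PLACEHOLDER_FIXED_RELEASES = {
    "FortiOS": {"7.0": "7.0.17"},
    "FortiProxy": {"7.0": "7.0.20", "7.2": "7.2.13"},
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'v7.0.16' -> (7, 0, 16); raises ValueError on anything malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version, fixed=PLACEHOLDER_FIXED_RELEASES):
    """Classify one device: 'patched', 'vulnerable', 'unknown-branch' or
    'unknown-product'.  A branch missing from the table is NOT treated as
    patched; it is surfaced for manual review instead."""
    table = fixed.get(product)
    if table is None:
        return "unknown-product"
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed_str = table.get(branch)
    if fixed_str is None:
        return "unknown-branch"
    return "patched" if v >= parse_version(fixed_str) else "vulnerable"


# Constructed sample inventory rows: (hostname, product, firmware version).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.16"),      # below placeholder fix
    ("fw-edge-02", "FortiOS", "7.0.17"),       # at placeholder fix
    ("px-dmz-01", "FortiProxy", "7.2.12"),     # below placeholder fix
    ("px-dmz-02", "FortiProxy", "7.4.3"),      # branch not in table
    ("sw-core-01", "FortiSwitch", "7.2.5"),    # product outside scope
    ("fw-lab-01", "FortiOS", "7.0.x"),         # hand-typed, malformed
]


def review_inventory(rows, fixed=PLACEHOLDER_FIXED_RELEASES):
    """Group hostnames by status.  Malformed entries are reported under
    'malformed' rather than silently skipped, so nothing drops out."""
    report = {"patched": [], "vulnerable": [], "unknown-branch": [],
              "unknown-product": [], "malformed": []}
    for host, product, version in rows:
        try:
            status = assess(product, version, fixed)
        except ValueError:
            status = "malformed"
        report[status].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

The design choice worth keeping when adapting this to a real inventory export is the four non-"patched" buckets: a device only counts as patched when its product and branch are both in the advisory table and its version parses and compares at or above the fixed release; everything else is an open item for a human.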

Patching the other KEV‑listed flaws, monitoring for the TOX IDs zeta88 and hastalamuerte in network traffic, and reviewing authentication logs for anomalous bypass attempts are also recommended (source: SOC Prime).

Enforcing multi‑factor authentication on administrative interfaces and restricting exposure of management ports to trusted networks can reduce the chance of credential theft that led to the NAS compromise mentioned in the leak.

Security teams should also hunt for indicators of compromise such as unusual outbound connections to 4VPS hosts and unexpected use of Tox chat applications within the environment.

Tags:
- CVE-2025-32433 (CVSS 10.0, KEV)
- CVE-2024-55591 (CVSS 9.6, KEV)
- CVE-2025-33073 (CVSS 8.8, KEV)
- The Gentlemen