All incidents

Gentlemen RaaS internal database leak exposes member accounts and chats

incidentclosedMay 11, 2026 — May 13, 2026

THE Gentlemen ransomware‑as‑a‑service group saw its internal Rocket chat database exposed on 4 May 2026, according to Check Point Research and DataBreaches.net. The leak disclosed member accounts, TOX identifiers and chat logs that revealed the group's administrative structure.

The exposed data shows nine user accounts and eight unique TOX IDs linked to the operation, with the administrator frequently identified as zeta88/hastalamuerte who controls the panel, locker and payout functions. Chat extracts indicate that the group uses a Rocket server for internal coordination and that the administrator often directs affiliate activity.

CVE‑2024-55591 affects Fortinet FortiOS and FortiProxy with a CVSS score of 9.6, allowing unauthenticated remote code execution via the SSL‑VPN portal. CVE‑2025-32433 impacts Erlang/OTP with a CVSS score of 10, permitting remote code execution through an unsafe distribution protocol. CVE‑2025-33073 is a Windows privilege‑escalation flaw in the Print Spooler service rated CVSS 8.8 that can be abused to gain SYSTEM rights.

The leak shows approximately 332 victims in the first five months of 2026, positioning The Gentlemen among the most active RaaS operations in that period. Chat extracts detail a ransom negotiation where an initial demand of 250,000 USD was settled at 190,000 USD after back‑and‑forth discussions. The data also references a breach of a UK software consultancy used to test the group's encryptor.

Leaked conversations indicate that the group’s administrators discussed exploiting the aforementioned Fortinet, Erlang and Windows flaws to gain initial footholds in target networks. They also described attempts to exfiltrate data from a NAS device hosted on 4VPS, noting that the effort failed because the attackers lacked the required IP address. The gang has since announced an overhaul of its communication channels to prevent further exposure.

Defenders should prioritise applying the latest patches for Fortinet FortiOS and FortiProxy, Erlang/OTP and Microsoft Windows, especially those listed in the KEV catalogue. They should also monitor SSL‑VPN portals for anomalous authentication attempts and restrict management interfaces to trusted networks. Enabling multi‑factor authentication on remote access services reduces the chance of credential theft leading to exploitation.

Network segmentation limits lateral movement even if an attacker succeeds in breaching perimeter defences. Reviewing logs for unusual TOX‑based traffic or unexpected outbound connections to known threat infrastructure can help detect compromise early. Finally, disabling unnecessary services such as the Print Spooler where not required removes a common avenue for privilege escalation.

Intelligence briefing updated Jun 10, 2026

CVE-2025-32433 10.0 KEV CVE-2024-55591 9.6 KEV CVE-2025-33073 8.8 KEV The Gentlemen
Timeline Coverage

Swipe to explore timeline