Decoding a RaaS Database Leak: A Practical Guide to Analyzing The Gentlemen Operation

Overview

What Is The Gentlemen RaaS?

The Gentlemen is a relatively young ransomware‑as‑a‑service (RaaS) group that surfaced around mid‑2025. Its operators actively recruit affiliates on underground forums, offering a custom locker, a management panel, and a share of the ransom proceeds. By early 2026, the group had become alarmingly prolific: its data leak site listed roughly 332 victims in just the first five months, making it the second most productive RaaS operation that publicly names its targets.

Source: research.checkpoint.com

Why This Leak Matters

On May 4, 2026, the group’s administrator acknowledged that an internal backend database—nicknamed Rocket—had been leaked. The leak exposed nine accounts, including the admin’s own (zeta88, also known as hastalamuerte). The database contained operational chatter, initial access methods, tool lists, CVE tracking, and ransom negotiation transcripts. For security researchers and incident responders, this is a rare window into the real‑world mechanics of a modern RaaS operation.

Prerequisites

Knowledge Requirements

To follow this guide, you should be comfortable with:

  • Basic concepts of Ransomware‑as‑a‑Service (affiliate models, profit splits).
  • Underground forum terminology (TOX IDs, C&C servers, initial access brokers).
  • Common enterprise edge vulnerabilities (Fortinet, Cisco, OWA).

Tools and Resources

You will not need the actual leaked files; the analysis steps below are simulated. Ideally, have access to:

  • A threat intelligence platform (e.g., VirusTotal, Maltego) for mapping IPs and hashes.
  • A text editor or Python environment for parsing logs.
  • A copy of the group’s ransomware samples (available from sources like Check Point Research).

Step‑by‑Step Analysis of the Leak

Step 1: Identify the Leaked Database and Accounts

Start with the core artifact—the Rocket database leak. The administrator confirmed that nine accounts were exposed. One of them belongs to zeta88, who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the program’s administrator. Cross‑reference the leaked usernames with known forum handles. For example, hastalamuerte is the same individual as zeta88. Use this to establish a baseline threat actor profile.

Step 2: Understand Internal Operations

The leaked discussions reveal a complete end‑to‑end view of how The Gentlemen operates.

  • Initial Access: Affiliates primarily exploit Fortinet and Cisco edge appliances, perform NTLM relay attacks, and steal credential logs from OWA/M365 platforms.
  • Role Division: Clear separation exists between the RaaS provider (admin) and affiliates who perform the actual intrusions.
  • Shared Toolset: Commonly used tools include SystemBC for C2 communication and custom scripts for lateral movement.
  • CVE Tracking: The group actively monitors and evaluates CVEs, including CVE‑2024‑55591, CVE‑2025‑32433, and CVE‑2025‑33073.

As a concrete step, create a timeline of the CVEs discussed and map them to known patches. This helps you predict which unpatched systems are likely targets.
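As an added example (not code from the original article or from Check Point Research), the following Python script builds the CVE timeline described above from chat-style log lines. The chat format ("YYYY-MM-DD <user>: text"), the chat lines themselves, the affiliate handles other than zeta88, and the patch dates are all constructed placeholders; the CVE identifiers are the three named on the page. The script records first and last mention, mention count, and which accounts discussed each CVE, then computes the gap between a patch's availability and the first mention in chatter.

```python
import re
from datetime import date

# Constructed sample of leaked chat lines (assumed format: "YYYY-MM-DD <user>: text").
# Illustrative only; these are not lines from the actual Rocket database.
SAMPLE_CHAT = """\
2025-03-02 aff-a: anyone tried CVE-2024-55591 on forti? works on unpatched builds
2025-03-05 zeta88: added CVE-2024-55591 to the panel tracker
2025-04-11 aff-b: CVE-2025-32433 looks promising, need poc
2025-04-19 aff-b: cve-2025-32433 tested ok
2025-06-30 aff-c: CVE-2025-33073 ntlm relay, check it
2025-07-02 zeta88: tracking CVE-2025-33073 and CVE-2025-32433
"""

# Constructed patch-availability table (placeholder dates; replace with the
# dates from the vendor advisories). One CVE is left out on purpose to show
# how an unknown patch date is reported.
PATCH_DATES = {
    "CVE-2024-55591": date(2025, 1, 14),
    "CVE-2025-32433": date(2025, 4, 16),
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+): (.*)$")


def build_cve_timeline(chat_text):
    """Return {cve: {first_seen, last_seen, mentions, actors}} from chat lines."""
    timeline = {}
    for raw in chat_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed format
        day = date.fromisoformat(m.group(1))
        actor, text = m.group(2), m.group(3)
        # normalise case so "cve-2025-32433" and "CVE-2025-32433" cluster together
        for cve in {c.upper() for c in CVE_RE.findall(text)}:
            entry = timeline.setdefault(
                cve, {"first_seen": day, "last_seen": day, "mentions": 0, "actors": set()}
            )
            entry["first_seen"] = min(entry["first_seen"], day)
            entry["last_seen"] = max(entry["last_seen"], day)
            entry["mentions"] += 1
            entry["actors"].add(actor)
    return timeline


def patch_gap_days(timeline, patch_dates):
    """Days from patch release to first mention; negative means discussed before
    the patch date; None when no patch date is known."""
    gaps = {}
    for cve, entry in timeline.items():
        patched = patch_dates.get(cve)
        gaps[cve] = (entry["first_seen"] - patched).days if patched else None
    return gaps


if __name__ == "__main__":
    tl = build_cve_timeline(SAMPLE_CHAT)
    for cve in sorted(tl, key=lambda c: tl[c]["first_seen"]):
        e = tl[cve]
        print(cve, e["first_seen"], e["last_seen"], e["mentions"], sorted(e["actors"]))
    print(patch_gap_days(tl, PATCH_DATES))
```

A negative gap (a CVE discussed before the patch date you recorded) is the entry to prioritise when you check your own estate; an entry with no known patch date is a reminder to look up the advisory before assuming exposure is closed.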

Step 3: Examine Ransom Negotiations

The leak includes screenshots from a successful ransom negotiation. The group initially demanded 250,000 USD and eventually settled for 190,000 USD. To simulate analysis:

  1. Extract the negotiation transcript from the leak.
  2. Note the anchor demand and the final payment.
  3. Identify pressure tactics—timing, data leaks, and communication style.
  4. Compare with other RaaS negotiation patterns (e.g., typical discount rates).
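The four steps above, carried out on a transcript, as an added example (not code from the original article, and the transcript is constructed rather than taken from the leaked screenshots). The line format ("<speaker>: <message>", with speakers "actor" and "victim") and the pressure-tactic keyword lists are assumptions. The script extracts every dollar amount, takes the actor's first figure as the anchor and the last figure in the transcript as the settlement, computes the implied discount, and counts how many actor turns use deadline, leak-threat, or third-party-pressure language.

```python
import re

# Constructed negotiation transcript (illustrative; not the leaked screenshots).
# Assumed format: one turn per line, "<speaker>: <message>".
SAMPLE_TRANSCRIPT = """\
actor: Your network is encrypted and 800 GB of data exfiltrated. Price is $250,000.
victim: We need time to evaluate. Can we see proof of the data?
actor: You have 72 hours before publication on our blog. Proof sent in the file share.
victim: We can do $120,000.
actor: Not serious. We will start leaking to your customers and partners. $220,000.
victim: Our insurer caps us. $170,000 is the most we can do.
actor: Final offer $190,000, decryptor plus deletion log. Deadline stands.
victim: Agreed, $190,000. Send wallet details.
"""

AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")

# Assumed keyword groups for the pressure tactics named in step 3.
PRESSURE_MARKERS = {
    "deadline": re.compile(r"\b(\d+\s*hours?|deadline|before publication)\b", re.I),
    "leak_threat": re.compile(r"\b(leak|publish|publication|blog)\w*", re.I),
    "third_party": re.compile(r"\b(customers?|partners?|regulators?|press)\b", re.I),
}


def parse_transcript(text):
    """Split the transcript into turns and pull the dollar amounts each turn mentions."""
    turns = []
    for raw in text.splitlines():
        speaker, sep, msg = raw.partition(":")
        speaker = speaker.strip().lower()
        if not sep or speaker not in ("actor", "victim"):
            continue  # ignore lines that are not a recognised turn
        amounts = [int(a.replace(",", "")) for a in AMOUNT_RE.findall(msg)]
        turns.append({"speaker": speaker, "msg": msg.strip(), "amounts": amounts})
    return turns


def summarize_negotiation(turns):
    """Anchor demand, settlement, implied discount, each side's offers, and the
    number of actor turns that use each pressure-tactic marker."""
    actor_offers = [a for t in turns if t["speaker"] == "actor" for a in t["amounts"]]
    victim_offers = [a for t in turns if t["speaker"] == "victim" for a in t["amounts"]]
    all_amounts = [a for t in turns for a in t["amounts"]]
    anchor, final = actor_offers[0], all_amounts[-1]
    pressure = {
        name: sum(1 for t in turns if t["speaker"] == "actor" and rx.search(t["msg"]))
        for name, rx in PRESSURE_MARKERS.items()
    }
    return {
        "anchor": anchor,
        "final": final,
        "discount_pct": round((anchor - final) / anchor * 100, 1),
        "actor_offers": actor_offers,
        "victim_offers": victim_offers,
        "pressure": pressure,
    }


if __name__ == "__main__":
    summary = summarize_negotiation(parse_transcript(SAMPLE_TRANSCRIPT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run over several transcripts, the "discount_pct" and "pressure" fields are what you compare across groups in step 4; the constructed transcript settles at the same 24% discount the page reports (250,000 USD down to 190,000 USD).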

Step 4: Trace Dual‑Pressure Tactics

One of the most intriguing revelations is how stolen data from a UK software consultancy was reused to target a company in Turkey. The Gentlemen portrayed the UK firm as an “access broker” to the Turkish victim, encouraging legal action against the consultancy while simultaneously pressuring both sides.

  • Map the flow: UK consultancy → data theft → Turkish company attack.
  • Look for shared infrastructure (IPs, email addresses) connecting the two incidents.
  • Assess how the group weaponized third‑party liability in negotiations.

Step 5: Map Affiliate IDs to Activities

Check Point Research collected all available ransomware samples and identified eight distinct affiliate TOX IDs, including the administrator’s own TOX ID. This suggests the admin not only manages the program but also actively participates in or directly carries out some infections.

  1. Gather hashes of known The Gentlemen samples.
  2. Decode the embedded TOX IDs (often found in ransom notes or binary strings).
  3. Cluster samples by TOX ID to see which affiliates are most active.
  4. Cross‑reference with leaked database accounts to confirm identities.
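Steps 2 through 4 above, as an added example that is not code from the original article or from Check Point Research. It extracts 76-hex-character Tox IDs from the printable strings of each sample, validates the trailing two-byte checksum (as implemented in toxcore: the byte-wise XOR of the preceding 36 bytes, alternating between the two checksum bytes) to discard look-alike hex blobs, clusters samples by ID, and joins the clusters against a table of accounts. The sample labels, the strings, the Tox IDs (built from obviously fake keys), and the account table are all constructed; the only handle taken from the page is zeta88.

```python
import re
from collections import defaultdict

TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def tox_checksum(addr36: bytes) -> bytes:
    """Tox address checksum: XOR the 36 leading bytes into 2 bytes
    (even offsets into byte 0, odd offsets into byte 1)."""
    cs = bytearray(2)
    for i, b in enumerate(addr36):
        cs[i % 2] ^= b
    return bytes(cs)


def make_tox_id(pubkey_hex: str, nospam_hex: str) -> str:
    """Assemble a syntactically valid Tox ID: 32-byte key + 4-byte nospam + checksum."""
    body = bytes.fromhex(pubkey_hex) + bytes.fromhex(nospam_hex)
    assert len(body) == 36
    return (body + tox_checksum(body)).hex().upper()


def is_valid_tox_id(s: str) -> bool:
    """True when the string is 76 hex chars whose trailing checksum matches."""
    if not re.fullmatch(r"[0-9A-Fa-f]{76}", s):
        return False
    raw = bytes.fromhex(s)
    return tox_checksum(raw[:36]) == raw[36:]


# Constructed IDs from obviously fake keys (not IDs from real samples).
ADMIN_ID = make_tox_id("aa" * 32, "00000001")
AFF1_ID = make_tox_id("bb" * 32, "00000002")
AFF2_ID = make_tox_id("cc" * 32, "00000003")
# A 76-hex string with a wrong checksum: the kind of blob that would otherwise
# be mistaken for a Tox ID.
BOGUS = ("ab" * 32 + "00000004" + "ffff").upper()

# Constructed 'strings' output per sample (labels are placeholders, not hashes).
SAMPLE_STRINGS = {
    "sample-01": ["Your files are encrypted", f"Contact us via TOX: {ADMIN_ID}", "tox.chat"],
    "sample-02": [f"TOX ID {AFF1_ID}", "decryptor available after payment"],
    "sample-03": [f"support tox: {AFF1_ID}"],
    "sample-04": [AFF2_ID, BOGUS],
    "sample-05": ["no contact id in this one"],
}

# Constructed mapping from leaked panel accounts to the Tox IDs they used.
LEAKED_ACCOUNTS = {
    ADMIN_ID: "zeta88",
    AFF1_ID: "affiliate_01",
}


def extract_tox_ids(strings):
    """Candidate IDs from a sample's strings, keeping only checksum-valid ones."""
    found = set()
    for s in strings:
        for cand in TOX_ID_RE.findall(s):
            if is_valid_tox_id(cand):
                found.add(cand.upper())
    return found


def cluster_samples(sample_strings):
    """Return {tox_id: sorted sample labels} for every valid Tox ID seen."""
    clusters = defaultdict(set)
    for label, strings in sample_strings.items():
        for tid in extract_tox_ids(strings):
            clusters[tid].add(label)
    return {tid: sorted(labels) for tid, labels in clusters.items()}


def attribute(clusters, accounts):
    """Join each cluster to a leaked account, or mark it unknown."""
    return {
        tid: {"account": accounts.get(tid, "<unknown>"), "samples": samples}
        for tid, samples in clusters.items()
    }


if __name__ == "__main__":
    for tid, info in attribute(cluster_samples(SAMPLE_STRINGS), LEAKED_ACCOUNTS).items():
        print(tid[:16] + "...", info["account"], info["samples"])
```

The checksum check is the practitioner's caveat: sample strings contain plenty of long hex runs (hashes, keys, encoded blobs), and without it a cluster can form around something that is not a contact ID at all. A cluster that maps to "<unknown>" is an affiliate not present in the leaked accounts, which is itself a finding.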

Common Mistakes

Underestimating the Admin’s Role

Many analysts assume RaaS administrators are purely backend operators. The Gentlemen’s admin, however, also uses his own TOX ID for infections—meaning he is both provider and affiliate. A mistake is to treat him as a passive figure. When building actor profiles, include his direct involvement.

Ignoring the Reuse of Stolen Data

The UK‑to‑Turkey campaign shows that stolen data can be recycled for secondary attacks. Analysts often focus only on the primary victim; here, the group turned one breach into leverage against another. Always check if stolen data from one incident appears in a different context.

Focusing Only on Technical Indicators

Leaked databases contain rich operational and social information. Overlooking negotiation tactics, affiliate management, and forum interactions leads to incomplete threat assessments. Combine technical IOCs with behavioral intelligence.

Summary

The Gentlemen RaaS leak is a goldmine for understanding a modern cybercrime operation from the inside. By systematically examining the exposed accounts, operational chatter, negotiation transcripts, and affiliate mappings, you can reconstruct the group’s modus operandi and anticipate future attacks. Remember to integrate technical indicators with human factors—this RaaS operation is as much about pressure tactics and data reuse as it is about exploiting CVEs.
