The World’s Second-Most Prolific Ransomware Gang Got Hacked: What The Gentlemen’s Leaked Internal Chats Reveal About How They Attack and How Much They Charge
Eric Serrano Bustos
Ransomware groups have spent years operating with the confidence that they are untouchable behind layers of anonymity, affiliates and hidden servers. That confidence took a severe blow in May 2026 when the group known as The Gentlemen — the second most active in the world in 2026 according to Check Point Research — suffered a breach of its own internal infrastructure. The result was a unique data dump: internal chats, affiliate rosters, ransom negotiation transcripts, server credentials and the source code of their RaaS panel. Check Point Research obtained part of that data before it was removed and published a comprehensive analysis offering the best window defenders have ever had into the inner workings of a professional ransomware operation. Here is what they found.
What did The Gentlemen’s internal breach reveal?
The chain of events began on 2 May 2026, when hosting provider 4VPS published a notice stating that its website and billing systems had been attacked. 4VPS has a reputation as a hosting service used by underground ecosystem actors, and part of The Gentlemen’s infrastructure was hosted there. On 4 May, the group’s administrator acknowledged on underground forums that their internal database had been compromised. On 5 May, a user with the handle n7778 posted a listing on the Cracked forum offering the data for sale at $10,000 in Bitcoin. Days later, the same user published the dump for free on MediaFire before it was taken down. The key facts revealed by Check Point Research’s analysis are as follows:
1,570+ real victims, 332 published. The Gentlemen’s DLS listed 332 organisations; the internal dump recorded over 1,570 compromised victims. Check Point’s reading of the gap is that it is mostly organisations that paid the ransom quietly and were therefore never published (some may also still have been in negotiation when the data leaked). Either way, over 78% of the group’s victims never appeared on any public list of affected parties.
The administrator is a former Qilin affiliate. The central operator, identified as zeta88/hastalamuerte, comes from the Qilin ecosystem — the same group that attacked Ahorramas in Spain in May 2026. He learned the trade as an affiliate and built his own RaaS with that knowledge, constructing the entire platform using AI coding assistants (DeepSeek and Qwen).
Corporate structure of ~9 operators. The group has clearly defined roles: administrator, affiliate managers, credential specialists, infrastructure operators and an active development team. This is not an improvised operation.
90% commission for affiliates. The Gentlemen offers affiliates 90% of the ransom, versus the sector standard of 80–85%. This gives them a competitive edge in recruiting the best operators from the criminal ecosystem.
Ransom calibrated to the cyber insurance ceiling. The chats show the group cross-referencing victim data with ZoomInfo to estimate revenues, which gives a first estimate of what the company can pay and how much cover it is likely to carry; where they learn the actual policy limit, the demand is set at exactly that limit. In one documented case, they knew the victim had a $10 million ceiling and set their demand at precisely that figure.
Documented chain-victimization. In April 2026, The Gentlemen breached a UK software consultancy and used the stolen data — client credentials, infrastructure documentation, access information — to launch an attack against one of that consultancy’s clients in Türkiye. They then published both organisations on their DLS, explicitly labelling the UK consultancy their “access broker” for the Turkish attack — a pressure tactic designed to trigger legal and reputational conflict between the victim and their supplier.
Primary entry vector: infostealer credentials. The chats show that the initial access team systematically uses Snusbase and other infostealer log search engines to find valid employee credentials before launching the attack. They do not need complex exploits: they buy access to employee accounts because those credentials are already for sale on the underground market.
Unpatched edge devices as the second entry vector. VPN appliances, firewalls and remote access gateways running unpatched firmware are the second most frequent vector. Once inside, the group uses ~30 different tools, including EDR-killers, NTLM relay and GPO-based ransomware deployment.
Why The Gentlemen is one of the most dangerous groups for Spanish businesses
The Gentlemen is not a random actor in the Spanish threat landscape. Check Point Research ranks it as the second most active ransomware group globally in 2026, just behind Qilin — which already has a documented history of attacks in Spain (Ahorramas, Asefa, Maset, Autonomous City of Melilla). The fact that the global #2 was founded by a former Qilin affiliate, with direct knowledge of that ecosystem’s market and techniques, is not a minor coincidence.
Three factors make The Gentlemen a specific risk for the Spanish business fabric:
Systematic use of infostealers for initial access. Spain has a high rate of infostealer infections (malware that harvests credentials saved in browsers, VPN clients and corporate applications), so Spanish employee credentials are available on the underground market. The Gentlemen’s operational model starts exactly there.
Cyber insurance calibration. Cyber insurance penetration among average Spanish businesses is lower than in the Anglo-Saxon market, but companies that hold it tend to do so for standardised and predictable amounts. The Gentlemen’s model of cross-referencing revenue data with ZoomInfo to set the ransom precisely at the insurance ceiling turns the policy into the reference point for extortion.
Chain-victimization as a strategic weapon. The Spanish technology provider ecosystem is highly interdependent. An IT consultancy, systems integrator or MSP can be the entry point for a chain attack that ultimately affects their end clients.
How The Gentlemen operates: from initial access to the cyber-insurance-calibrated ransom
The internal breach allows the complete operational chain to be reconstructed at a level of detail rarely available to defenders:
Reconnaissance and access acquisition. The initial access team scours infostealer logs on platforms like Snusbase for valid corporate credentials. They also identify unpatched edge devices (VPN, firewalls, gateways) via Shodan scans.
Entry and initial persistence. Using the credentials or the edge device vulnerability, the attacker enters the network, establishes persistence via an additional administrative account or RDP access, and begins internal reconnaissance.
Internal reconnaissance and valuation. The group uses ~30 different tools to map the internal network, identify critical assets, locate domain controllers and estimate victim value. In parallel, they cross-reference the company’s data with ZoomInfo to calibrate the demand to their cyber insurance ceiling.
Data exfiltration. Before encrypting, The Gentlemen exfiltrate the most sensitive data. Double extortion is standard: “if you don’t pay, we publish.” Client data, commercial agreements, financial information and third-party contracts are prioritised.
Encryption and ransomware deployment. The ransomware is deployed via Group Policy Objects (GPO) to maximise coverage in the shortest time. It encrypts Windows, Linux, NAS and ESXi environments. EDR-killers disable detection solutions before encryption.
Negotiation and pressure. The demand is set at the cyber insurance ceiling. If the victim does not respond, their name is published on the DLS. If the attackers hold data on the victim’s clients, they threaten to use it in secondary attacks — as documented in the case of the UK consultancy and their client in Türkiye.
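The chain above can be watched for from the defender’s side at the two stages that touch every host: the EDR service being stopped and the domain-wide GPO or SYSVOL push that follows it (this also covers the EDR-killer point in the lessons further down). The correlator below is an added example written for this article, not code from Check Point Research or from the leaked panel. It runs over a constructed, normalised set of Windows events: event IDs 7036 (service state change), 5136 (directory service object modified), 4698 (scheduled task created) and 7045 (new service installed) are real, but the simplified field names, the host names and the EDR service name ExampleEDR are assumptions. It raises an alert when a GPO change or a SYSVOL-launched task or service follows an EDR stop inside a time window, and a separate alert when the same SYSVOL payload shows up on several hosts.

```python
"""Correlator for the EDR-stop -> GPO/SYSVOL push stage of the attack chain.

Added example for this article; not code from Check Point Research or from
The Gentlemen's leaked panel. Events are CONSTRUCTED and use a simplified,
normalised schema rather than raw EVTX field names. "ExampleEDR" is a
placeholder for the service name your EDR agent actually runs under.
Event IDs: 7036 service state change (System log), 5136 directory service
object modified, 4698 scheduled task created, 7045 new service installed.
"""
import re
from datetime import datetime, timedelta

# Service names of your EDR agent (hypothetical placeholder).
EDR_SERVICES = {"exampleedr"}
# A task or service whose binary lives in SYSVOL/NETLOGON was almost
# certainly distributed by Group Policy.
SYSVOL_RE = re.compile(r"\\\\[^\\]+\\(sysvol|netlogon)\\", re.IGNORECASE)


def classify(ev):
    """Map one normalised event to a chain stage, or None if uninteresting."""
    eid = ev["event_id"]
    if (eid == 7036 and ev.get("service", "").lower() in EDR_SERVICES
            and ev.get("state") == "stopped"):
        return "edr_tamper"
    if eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_modified"
    if eid == 4698 and SYSVOL_RE.search(ev.get("command", "")):
        return "sysvol_payload"
    if eid == 7045 and SYSVOL_RE.search(ev.get("image_path", "")):
        return "sysvol_payload"
    return None


def correlate(events, window_minutes=60, mass_threshold=3):
    """Return alerts for (a) a GPO change or SYSVOL-launched payload that
    follows an EDR service stop on any host within the window, and (b) the
    same SYSVOL payload appearing on mass_threshold distinct hosts."""
    window = timedelta(minutes=window_minutes)
    tampers = []            # (time, host) of EDR stops seen so far
    payload_hosts = {}      # payload path -> {(time, host)}
    mass_alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        stage = classify(ev)
        if stage is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        if stage == "edr_tamper":
            tampers.append((t, ev["host"]))
            continue
        recent = sorted({h for tt, h in tampers if t - tt <= window})
        if recent:
            alerts.append({"stage": stage, "host": ev["host"],
                           "time": ev["time"], "edr_stopped_on": recent})
        if stage == "sysvol_payload":
            path = (ev.get("command") or ev.get("image_path")).lower()
            seen = payload_hosts.setdefault(path, set())
            seen.add((t, ev["host"]))
            hosts = {h for tt, h in seen if t - tt <= window}
            if len(hosts) >= mass_threshold and path not in mass_alerted:
                mass_alerted.add(path)
                alerts.append({"stage": "mass_sysvol_deployment", "payload": path,
                               "time": ev["time"], "hosts": sorted(hosts)})
    return alerts


# Constructed sample: EDR stopped on one workstation, a GPO edited on the DC
# fifteen minutes later, then the same SYSVOL binary launched on three hosts.
# The last event is a routine GPO edit the next day with no preceding tamper.
PAYLOAD = "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\update.exe"
SAMPLE_EVENTS = [
    {"time": "2026-05-01T02:10:00", "host": "WS-017", "event_id": 7036,
     "service": "ExampleEDR", "state": "stopped"},
    {"time": "2026-05-01T02:11:30", "host": "WS-017", "event_id": 7036,
     "service": "Spooler", "state": "stopped"},                      # benign
    {"time": "2026-05-01T02:25:00", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "subject": "CORP\\svc_backup"},
    {"time": "2026-05-01T02:31:00", "host": "WS-017", "event_id": 4698, "command": PAYLOAD},
    {"time": "2026-05-01T02:31:05", "host": "WS-042", "event_id": 4698, "command": PAYLOAD},
    {"time": "2026-05-01T02:31:07", "host": "FS01", "event_id": 7045,
     "service": "WindowsUpdateHelper", "image_path": PAYLOAD},
    {"time": "2026-05-02T09:00:00", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer", "subject": "CORP\\admin.jane"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The window and threshold are the tuning knobs: a legitimate GPO edit on its own produces nothing, which is why the 5136 event on the following day is silent, while the same edit a quarter of an hour after an EDR service stop is exactly the sequence described in the chain above. In production the EDR stop should additionally be fed by the vendor’s own tamper alert and by sensor heartbeat loss, since a kernel-level killer may never write a clean 7036.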
Key lessons for executives, CISOs and SOC teams
The Gentlemen’s internal breach is one of the most valuable tactical intelligence sources defenders have ever had into the inner workings of a RaaS operation. The actionable lessons are direct:
Your cyber insurance limit is not a secret. The Gentlemen estimate your cover from public revenue data and typical policy sizes, and will use the exact figure if they learn it, for instance from a policy document sitting in the data they exfiltrate. Disclosing your policy ceiling in a ransom negotiation is the biggest mistake you can make, and the policy itself should not sit in mailboxes or file shares that an intruder with a stolen employee account can read.
Your employees’ infostealer credentials may already be on the market. If any employee has had an infostealer infection on a personal or corporate device, their VPN, email and corporate application credentials may be for sale right now. Monitoring the presence of corporate credentials on the underground market is a preventive defensive measure.
Your security also depends on your suppliers’. The documented chain-victimization is not an isolated case: it is a tactic. If your IT consultancy, systems integrator or MSP is compromised, you are the next victim. Due diligence on the security posture of suppliers with access to your systems is no longer optional.
Patch edge devices as if your data depended on it — because it does. Unpatched VPN appliances, firewalls and gateways are The Gentlemen’s second most frequent entry vector. This week we also covered the Exchange OWA zero-day: the pattern is the same.
An EDR is not infallible without active monitoring. The Gentlemen run EDR-killers before deploying ransomware. Having an EDR installed is not enough if nobody is watching for attempts to disable it: enable the product’s tamper protection, alert when an agent’s service stops or its sensor goes silent, and treat an unexpected kernel driver appearing on a server as an incident rather than noise.
78% of victims paid and never appeared on any list. This figure matters for any executive who thinks “paying the ransom is the quick fix.” Paying does not guarantee data deletion, and the leaked roster shows that quiet payers are still recorded internally: the victim becomes a known, paying target for future attacks.
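A minimal version of the credential monitoring recommended above, as an added example that is not the article’s or any vendor’s code: it parses the two layouts most often found in infostealer dumps, the URL/Username/Password key-value blocks and url:user:pass combo lines, keeps only entries that touch a corporate host or a corporate identity, de-duplicates them, and records a short SHA-256 fingerprint of the password instead of the plaintext so the output can go straight into a reset ticket. The sample lines, the domain example-corp.es and the host names are constructed.

```python
"""Flag corporate accounts in infostealer-log lines and produce a reset list.

Added example for this article, not code from the original page, Check Point
Research or any monitoring vendor. SAMPLE_LOG is CONSTRUCTED; the domain
example-corp.es is a hypothetical placeholder for your own domains.
"""
import hashlib
import re
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"example-corp.es"}            # e-mail / SSO identity domains (hypothetical)
CORPORATE_HOST_SUFFIXES = ("example-corp.es",)     # hosts you operate: vpn., sso., mail. ...

# Key names seen in block-style stealer logs, normalised to url/user/pass/app.
BLOCK_KEYS = {"url": "url", "host": "url", "username": "user", "login": "user",
              "user": "user", "password": "pass", "pass": "pass",
              "application": "app", "soft": "app", "browser": "app"}
KV_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def parse_records(text):
    """Return [{url, user, pass, app}] from block-style and combo-style lines."""
    records, cur = [], {}

    def flush():
        if {"url", "user", "pass"} <= cur.keys():
            records.append(dict(cur))
        cur.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "-", "*"}:     # separator between blocks
            flush()
            continue
        m = KV_RE.match(line)
        if m and m.group(1).lower() in BLOCK_KEYS:
            cur[BLOCK_KEYS[m.group(1).lower()]] = m.group(2).strip()
            continue
        # Combo line "https://host/path:user:pass"; rsplit keeps the scheme's
        # colon intact but breaks if the password itself contains ':'.
        if line.lower().startswith(("http://", "https://")) and line.count(":") >= 3:
            url, user, pw = line.rsplit(":", 2)
            records.append({"url": url, "user": user, "pass": pw, "app": "combo"})
    flush()
    return records


def is_corporate_host(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CORPORATE_HOST_SUFFIXES)


def exposed_accounts(records):
    """Keep entries for corporate services or corporate identities, de-duplicated
    by (user, host); the password is reduced to a 12-hex SHA-256 fingerprint."""
    seen, out = set(), []
    for r in records:
        host = (urlparse(r["url"]).hostname or "").lower()
        user = r["user"].strip().lower()
        corp_host = is_corporate_host(host)
        corp_identity = "@" in user and user.split("@", 1)[1] in CORPORATE_DOMAINS
        if not (corp_host or corp_identity) or (user, host) in seen:
            continue
        seen.add((user, host))
        out.append({
            "user": user,
            "host": host,
            "reason": "corporate service" if corp_host
                      else "corporate identity reused on third-party site",
            "password_fingerprint": hashlib.sha256(r["pass"].encode()).hexdigest()[:12],
            "source_app": r.get("app", "unknown"),
        })
    return out


# Constructed sample: one block-style log, then three combo lines, one of
# which duplicates the first block.
SAMPLE_LOG = """\
URL: https://vpn.example-corp.es/remote/login
Username: jdoe@example-corp.es
Password: Summer2026!
Application: Google Chrome
===============
URL: https://accounts.google.com/signin
Username: jdoe.personal@gmail.com
Password: cat-on-keyboard
Application: Google Chrome
===============
https://sso.example-corp.es/login:a.garcia:P@ssw0rd
https://vpn.example-corp.es/remote/login:jdoe@example-corp.es:Summer2026!
https://tickets.some-saas.example/login:m.lopez@example-corp.es:Welcome1
"""


def run_sample():
    return exposed_accounts(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

The third hit is the one teams most often miss: a corporate e-mail address used on an unrelated SaaS site is not an exposure of that site but a password-reuse risk for the corporate account, so it still warrants a reset. Keeping fingerprints rather than plaintext also lets you compare a later dump against an earlier one and see whether a user merely rotated back to an already-exposed password.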
Cybersecurity as a strategic priority
The Gentlemen’s internal breach is not just a story about a criminal group that received its own medicine. It is a manual on how the world’s most sophisticated ransomware groups operate: with corporate structures, role division, agile software development using AI, commercial intelligence on their victims, and psychological pressure tactics designed to maximise collection.
For Spanish organisations, the message is simple: these groups do not attack at random. They research, calibrate, use your data against you, and attack your suppliers to reach you. The defence must be equally systematic: monitored credentials, patched edge devices, audited suppliers, and a ransomware response plan that does not include “pay silently” as the first option.
Apolo Cybersecurity: tactical intelligence and protection against RaaS groups like The Gentlemen
At Apolo Cybersecurity we help Spanish businesses protect themselves against the vectors The Gentlemen and similar groups use systematically: monitoring of compromised credentials on the underground market, auditing and hardening of edge devices, evaluation of critical suppliers’ security posture, EDR-killer and lateral movement detection, and ransomware response plans that address double extortion and the implications of cyber insurance.
If your organisation holds a cyber insurance policy and has not reviewed how it manages the confidentiality of that information, or if any supplier with access to your systems has not undergone a recent security assessment, The Gentlemen’s playbook already accounts for both of those gaps.