## The Gentlemen RaaS Backend Leaked: Internal Operations, Affiliate Network, and $190K Ransom Payment Exposed
On May 4th, 2026, the administrator of The Gentlemen ransomware-as-a-service (RaaS) operation publicly acknowledged that the group's internal backend database—codenamed "Rocket"—had been compromised and leaked. The exposure revealed nine accounts, including credentials tied to the program's effective administrator, known by the alias zeta88. The breach stripped away operational anonymity from a group that has conducted high-impact attacks across multiple sectors, providing unprecedented visibility into the inner workings of a professionalized criminal enterprise.

The leaked database exposed internal communications detailing the group's initial access tradecraft. Investigators identified exploitation of Fortinet and Cisco edge appliances, NTLM relay techniques, and credential harvesting as primary intrusion vectors. The communications also showed the group evaluating critical vulnerabilities such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 for its technical arsenal. Beyond infrastructure, the leak exposed organizational role divisions, toolset allocations, and negotiation strategies. Analysis of ransomware samples uncovered eight distinct affiliate TOX identifiers, indicating that the administrator directly participates in victim infections in addition to managing the RaaS franchise model.

Leaked negotiation transcripts revealed a confirmed ransom payment of $190,000 USD, validating the group's operational effectiveness. A case study embedded in the data showed the group repurposing stolen data from a UK software consultancy to pressure a Turkish target, deploying dual-pressure tactics combining data encryption with threatened data exposure. The breach signals significant pressure on The Gentlemen's operations, potentially disrupting affiliate trust, exposing ongoing victim relationships, and providing defenders with actionable indicators of compromise tied to specific CVEs, infrastructure patterns, and affiliate identifiers.

---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Vault
- **Tags**: ransomware, RaaS, data-leak, cybercrime, The Gentlemen
- **Credibility**: unverified
- **Published**: 2026-05-14 08:48:28
- **ID**: 82959
- **URL**: https://whisperx.ai/en/intel/82959