The Gentlemen, a rapidly rising ransomware-as-a-service operation, suffered a catastrophic internal breach in early May 2026, with researchers gaining access to a partial 44.4 MB sample of what appears to be a 16.22 GB full dataset leaked onto underground forums. According to Check Point Research, the group’s administrators acknowledged the breach on May 4th, 2026, disclosing the compromise of an internal backend system dubbed “Rocket” that stored operational data, affiliate information, and victim intelligence.
The Gentlemen emerged around mid-2025 and rapidly scaled into one of the most active RaaS programs operating today. Check Point Research documented approximately 332 publicly listed victims in the first five months of 2026 alone, while a discovered SystemBC proxy malware botnet revealed over 1,570 corporate victims serving as compromised infrastructure. The group operated across at least 17 countries, with a documented focus on manufacturing, construction, healthcare, and insurance sectors—particularly across the Asia-Pacific region.
The leaked data provided an unprecedented window into the group’s operational machinery. The exposed materials included detailed internal communications between operators and affiliates discussing ongoing intrusions, toolset distribution, exploit strategies, infrastructure components, victim assignment, ransom negotiations involving multi-million-dollar demands, and the administrator’s direct participation in attacks. Researchers determined the group likely operated from Russian-speaking regions based on language artifacts and their prohibition against targeting organizations within Russia and Commonwealth of Independent States countries.
Security researchers at Shieldworkz suggested the breach likely stemmed from an insider—either a disgruntled affiliate or former core member—rather than state-sponsored adversaries or rival criminal gangs, based on the nature of leaked operational security details and affiliate credentials. The incident underscores a critical vulnerability in scaled RaaS operations: the recruitment of lower-tier actors with minimal ideological or financial loyalty and inadequate vetting, creating what analysts termed an “industrialization of betrayal.”
The Gentlemen’s double-extortion model—combining encryption with data theft to coerce ransom payments—relied entirely on victims trusting that paying would result in data deletion. The breach fundamentally destroyed that trust proposition. Initial access typically relied on compromised credentials for edge networking equipment such as Fortinet devices, followed by the deployment of tools like ZeroPulse to create persistent footholds from which affiliates could stage ransomware deployment.
Organizations should assume credentials for edge devices such as VPNs, firewalls, and management interfaces may be compromised and should implement immediate credential rotation, enhanced monitoring for SystemBC proxy activity, and incident response protocols. The breach represents a rare opportunity for defenders to study real-time RaaS operational procedures and refine detection signatures based on exposed toolsets and infrastructure details now available to the security community.