
The Gentlemen ransomware: 483 victims and a leaked playbook

By Ransomnews Research Team. June 13, 2026. Updated: June 13, 2026. 9 min read.
The Gentlemen ransomware 2026: 483 victims, infostealer-fed RaaS access pipeline

The Gentlemen, a ransomware-as-a-service crew active since around September 2025, has now listed 483 victims on its dark-web leak site, including 380 in 2026 alone, according to Ransomtracker data Ransomnews pulled on 13 June 2026. A May 2026 leak of the gang’s internal chat logs exposed a nine-person core, AI-assisted tooling, and an intrusion model built on stolen infostealer credentials. The group is active and still listing victims weekly.

That makes The Gentlemen the second most prolific ransomware brand of 2026 by published victim count, behind only Qilin. This report combines three data sources that have not been brought together before: our own live tracker pull of every victim the group has posted, the leaked internal chats analysed by KELA, and an infostealer-exposure spot-check of named victims run against the alerts.bar credential index. Together they show a crew that scaled less through novel malware than through disciplined access brokering and borrowed tradecraft.

Who are The Gentlemen?

The Gentlemen are a financially motivated ransomware-as-a-service operation that surfaced publicly in September 2025 and reached full operational tempo through the first half of 2026. The brand runs a classic affiliate model: a small core builds and maintains the locker and the negotiation panel, and external affiliates carry out intrusions in exchange for the lion’s share of each ransom. The group advertises a 90/10 split in the affiliate’s favour, which is aggressive even by current RaaS standards.

A leak of the group’s internal communications, advertised on the Exploit.in forum on 4 May 2026 and analysed in depth by threat-intelligence firm KELA, put names to the core. KELA identified roughly nine recurring handles, including the administrator zeta88 and an apparent initial-access broker operating as hastalamuerte, alongside hands-on intrusion operators and tooling contributors. The leaked chats span 7 November 2025 to 30 April 2026 and read less like a criminal conspiracy than a small product team arguing about infrastructure, encryption routines, and which large language model to use.

How many victims has The Gentlemen actually hit?

Our 13 June pull of the group’s leak-site postings returns 483 distinct victims. The overwhelming majority are recent: 474 of them were listed from September 2025 onward, and listings accelerated sharply in early 2026. February and April 2026 were the two peak months, at 85 and 89 new victims respectively. The chart below is built directly from the tracker timestamps.

The Gentlemen ransomware victim listings per month, peaking at 89 in April 2026 (ransomnews.com)
Source: ransomnews.com analysis of Ransomtracker leak-site data, 13 June 2026. June is a partial month (to 10 June).

Victim counts vary by source and by the day you measure them, which is normal for a live operation. KELA counted 328 claimed victims through the end of May 2026; The Hacker News reported 478 in early June. Our higher figure reflects a later pull and the group’s continued weekly posting. The direction of travel is the only number that matters here: up and to the right, fast.

Who are The Gentlemen targeting?

The targeting is strikingly global for a 2026 ransomware brand. Only about 15 percent of listed victims are based in the United States, well below the 40 to 50 percent that US targets represent across most major leak sites. The rest are spread across Thailand, Brazil, the United Kingdom, France, India, Germany, Italy, Japan, Taiwan, and Spain. The leaked chats explain why: operators were told to prioritise what they called Tier 1 to 3 countries and Latin America, and to weigh operational pain over raw revenue, reasoning that a 20 million dollar utility can pay faster than a 200 million dollar manufacturer if the lock genuinely halts the business.

By sector, manufacturing dominates, followed by technology and business services. Healthcare sits fourth with 44 listed victims, which matters given a separate finding in the leak, discussed below, that operators tested extortion using stolen patient data.

The Gentlemen ransomware top victim sectors, led by manufacturing at 92 (ransomnews.com)
Source: ransomnews.com analysis of Ransomtracker sector tags across 483 listings, 13 June 2026.

How does The Gentlemen break in?

Initial access, not encryption, is where The Gentlemen invest. The leaked chats show operators scanning for and exploiting internet-facing vulnerabilities, including the FortiOS authentication-bypass flaw CVE-2024-55591, alongside older bugs and classic Active Directory misconfigurations such as ZeroLogon and PetitPotam coercion. When an exploit is not available, they fall back on valid credentials: compromised Outlook Web Access mailboxes used both to find VPN logins and to stage phishing from trusted internal accounts.

The thread that ties this together is the infostealer economy. The group leans heavily on credentials and session cookies harvested by commodity stealer malware, the same supply chain that feeds the wider initial-access-broker market. To test how real that link is, Ransomnews cross-referenced a sample of named Gentlemen victims against the alerts.bar infostealer index, which tracks credentials and cookies exposed in stealer logs.

The spot-check was small but pointed. Several sampled victims had live corporate logins or active session cookies sitting in stealer logs before they were listed on the leak site. One example, Philippine logistics firm 2GO, showed six employee logins, seven customer logins, and 38 active session tokens exposed in infostealer data, the exact category of stolen session material that lets an attacker bypass multi-factor authentication by replaying a valid session. That is the access pattern the leaked chats describe hunting for, observed in the wild against a real victim. Stolen session cookies are why dark-web and infostealer monitoring now belongs in the same risk tier as patch management.

3 of 14 spot-checked Gentlemen victims had infostealer exposure; 2GO case breakdown (ransomnews.com)
Source: ransomnews.com analysis of the alerts.bar infostealer index, 13 June 2026. Aggregate counts only.

What did the leaked chats reveal?

Three things stand out from KELA’s analysis of the internal logs. First, the group studies its rivals. Members actively read the February 2025 Black Basta chat leak and treated it as a training manual, copying its phishing and mailbox-abuse workflows rather than inventing their own.

Second, the operation is openly AI-assisted. Administrator zeta88 said he “vibe-coded” the negotiation panel in three days, and the crew discussed uncensored or “abliterated” open-weight models, including a stripped-down Qwen variant, for coding and for reasoning over hundreds of gigabytes of stolen data. This is one of the clearer documented cases of a ransomware crew folding large language models into day-to-day operations rather than just talking about it.

Third, the extortion is willing to get personal. KELA observed a leaked screenshot in which operators tested pressuring a victim with sensitive medical content, apparently sent from a compromised personal mailbox. Encryption is part of the toolkit, and Microsoft has separately documented a self-propagating Go-based Gentlemen encryptor, but the leverage increasingly comes from the data and the contacts, not the locked files.

What should defenders do?

Nothing about The Gentlemen requires exotic defences. The group is fast and disciplined, not magical, and the controls that blunt it are the ones that blunt most 2026 ransomware:

  • Patch internet-facing edge devices on a short clock, with FortiOS CVE-2024-55591 and similar VPN and firewall bugs treated as emergencies, not monthly maintenance.
  • Treat infostealer infections as breaches. A single stealer log can hand over credentials and live session cookies, so monitor for exposed corporate logins and force resets and session revocation when they appear.
  • Make multi-factor authentication phishing-resistant. Stolen session cookies defeat SMS and push-based MFA, so move high-value access to hardware-backed or passkey authentication that does not produce replayable sessions.
  • Harden Active Directory against ZeroLogon, PetitPotam, and privileged-account abuse, and segment so one compromised host cannot reach the whole estate.
  • Keep offline, tested backups and assume data theft regardless of whether files are encrypted, because extortion now runs on exfiltration first.
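
One way to act on the session-revocation advice above, shown as an added example that is not code from Ransomnews or the sources it cites: it flags sessions whose cookie is presented by a different client than the one that completed the MFA login. The event fields, the sample log lines, and the /24 "same network" heuristic are assumptions made for illustration.

```python
# Added example: find sessions whose cookie shows up on a client that never logged in with it.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Hypothetical event schema; map your IdP or reverse-proxy log fields onto it.
Event = namedtuple("Event", "ts session user ip ua kind")

# Constructed sample events (not real data). "login" = MFA-completed sign-in
# that issued the session; "request" = later use of the same session cookie.
SAMPLE_EVENTS = [
    Event("2026-06-01T08:00:02Z", "s-101", "alice", "198.51.100.10", "Firefox/139 Windows", "login"),
    Event("2026-06-01T08:05:40Z", "s-101", "alice", "198.51.100.77", "Firefox/139 Windows", "request"),
    Event("2026-06-01T09:12:00Z", "s-202", "bob", "198.51.100.23", "Chrome/137 macOS", "login"),
    Event("2026-06-01T23:41:09Z", "s-202", "bob", "203.0.113.50", "python-requests/2.32", "request"),
    Event("2026-06-02T02:00:00Z", "s-303", "carol", "203.0.113.9", "Edge/137 Windows", "request"),
]

def same_network(ip_a, ip_b, prefix=24):
    """True if both addresses fall in the same /prefix (assumed heuristic)."""
    net = ip_network(f"{ip_a}/{prefix}", strict=False)
    return ip_address(ip_b) in net

def find_replayed_sessions(events):
    """Return {session_id: reason} for sessions that should be revoked."""
    issued = {}    # session id -> login event that created it
    findings = {}
    for ev in sorted(events, key=lambda e: e.ts):  # ISO-8601 UTC sorts as text
        if ev.kind == "login":
            issued[ev.session] = ev
            continue
        origin = issued.get(ev.session)
        if origin is None:
            # Cookie in use with no login in the log window: review and revoke.
            findings.setdefault(ev.session, "no login on record")
        elif ev.ua != origin.ua and not same_network(origin.ip, ev.ip):
            findings.setdefault(ev.session, "client and network changed")
    return findings

def response_actions(events):
    """Map each affected user to the sessions to revoke (pair with a password reset)."""
    flagged = find_replayed_sessions(events)
    actions = {}
    for ev in events:
        if ev.session in flagged:
            actions.setdefault(ev.user, set()).add(ev.session)
    return actions

if __name__ == "__main__":
    print(find_replayed_sessions(SAMPLE_EVENTS))
    print(response_actions(SAMPLE_EVENTS))
```

Requiring both the user agent and the network to change keeps roaming users on the same browser from being flagged; tighten or loosen that rule to match how your workforce actually connects.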

For organisations that want this managed rather than assembled by hand, our guide to business ransomware protection covers the EDR and backup tooling that maps to these controls.

What this means for the ransomware market

The Gentlemen are a case study in how cheap it has become to scale a ransomware brand in 2026. They did not need a breakthrough encryptor. They needed a generous affiliate split, a steady feed of infostealer-sourced access, a rival’s leaked playbook, and a few open-weight models with the safety filters removed. The result is 483 victims across 66 countries in well under a year, assembled by a team you could fit around one table.

The leak that exposed all of this is also a reminder that these operations are fragile in their own way. A disgruntled insider or a careless host can turn a crew’s entire workflow into a public document overnight, as happened to Black Basta and now to The Gentlemen. For defenders, the lesson is to stop treating ransomware groups as faceless and start treating their inputs, edge vulnerabilities and stolen credentials, as the controllable risk they are. You can track the group’s live activity on our threat-group catalogue.

Frequently asked questions

Who are The Gentlemen ransomware group?

The Gentlemen are a ransomware-as-a-service operation active since around September 2025. They run an affiliate model with a 90/10 revenue split and have listed 483 victims as of June 2026, making them one of the most prolific ransomware brands of the year.

How many victims has The Gentlemen claimed?

Ransomnews tracked 483 distinct victims on the group’s leak site as of 13 June 2026, with 380 listed in 2026 alone. Other trackers report figures between 328 and 478 depending on the measurement date.

How does The Gentlemen gain initial access?

The group exploits internet-facing vulnerabilities such as FortiOS CVE-2024-55591, abuses compromised Outlook Web Access mailboxes, and relies heavily on credentials and session cookies harvested by infostealer malware. Stolen session cookies let them bypass multi-factor authentication.

Does The Gentlemen use AI?

Yes. Their leaked chats show the administrator built the negotiation panel with AI assistance and the crew discussed uncensored open-weight models for coding and for processing stolen data. It is one of the better-documented cases of operational AI use by a ransomware crew.

What countries does The Gentlemen target?

Targeting is unusually global. Only about 15 percent of victims are in the United States, with large numbers in Thailand, Brazil, the United Kingdom, France, India, and Germany. Operators were instructed to favour targets where business disruption forces fast payment.

Is The Gentlemen still active?

Yes. Despite the May 2026 exposure of its internal chats, the group continued listing new victims through June 2026. You can follow current activity on the Ransomnews live tracker.

Sources and further reading

  • KELA Cyber Intelligence Center, Inside The Gentlemen Leak (internal-chat analysis, May 2026)
  • Microsoft Threat Intelligence, Dissecting a self-propagating Go encryptor
  • The Hacker News, The Gentlemen ransomware claims 478 victims
  • Victim and timeline data: Ransomware.live, via the Ransomnews Ransomtracker pull of 13 June 2026
  • Infostealer-exposure spot-check: alerts.bar credential and session-cookie index
  • Related: Initial access brokers and the 2026 ransomware supply chain

Reporting by the Ransomnews Research Team threat-intelligence desk. Victim exposure figures are aggregate counts only; no credentials are reproduced.

Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.
