Quarterly tracking also showed dramatic growth: the group posted 179 victims in Q1 2026—up 588% from just 26 victims in Q4 2025.
Like many modern ransomware gangs, The Gentlemen operates as a ransomware‑as‑a‑service platform, meaning core developers build the malware and infrastructure while outside affiliates conduct intrusions and deploy the ransomware.
The leaked backend database exposed internal accounts and operational data tied to this ecosystem. Researchers observed multiple operator accounts connected to the RaaS panel, with the infrastructure reportedly administered by a core operator known as “zeta88” (also called “hastalamuerte”).
In this model, the core team's output is reusable tooling and infrastructure, while the labor-intensive intrusion work is handed to affiliates. This division of labor allows the group to scale quickly while keeping the core team relatively small.
One of the most important revelations from the leak is how heavily the group relied on internet‑facing network infrastructure for initial access.
Researchers linked the group’s intrusions to attacks on devices such as firewalls, VPN gateways, and network management systems—especially those exposed directly to the internet.
A key vulnerability repeatedly associated with their operations is CVE‑2024‑55591, a critical authentication‑bypass flaw affecting FortiOS and FortiProxy. An unauthenticated remote attacker who can reach the appliance's management interface can use crafted requests to obtain super‑administrator privileges. Fortinet tracks the flaw as FG‑IR‑24‑535 and shipped fixes in FortiOS 7.0.17 and FortiProxy 7.0.20 and 7.2.13; devices still on earlier builds of those branches, particularly with the management interface reachable from the internet, are the ones at risk.
By targeting edge appliances rather than endpoints, attackers sidestep controls such as EDR, which do not run on the appliance itself, and land with a privileged foothold at the network boundary rather than on a monitored workstation.
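The first thing a defender wants from a report like this is a quick way to answer "are any of our appliances on an affected build?". The following Python is an added example, not code from the original article or from the researchers it cites: it parses the version string as it appears in the `Version:` line of FortiGate's `get system status` output, compares it against the affected and fixed builds for CVE‑2024‑55591 as listed in Fortinet's advisory (hard-coded here and to be verified against the current advisory), and sorts a fleet inventory into hosts to patch, hosts that are fine, and hosts whose version could not be determined. The inventory, hostnames and builds are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected and fixed builds for CVE-2024-55591 as published in Fortinet's advisory
# FG-IR-24-535 (FortiOS 7.0.0-7.0.16 fixed in 7.0.17; FortiProxy 7.0.0-7.0.19 fixed
# in 7.0.20 and 7.2.0-7.2.12 fixed in 7.2.13). Verify against the current advisory
# before acting on the output; branches not listed here are treated as unaffected.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version, Version]]] = {
    "FortiOS":    [((7, 0, 0), (7, 0, 16), (7, 0, 17))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19), (7, 0, 20)),
                   ((7, 2, 0), (7, 2, 12), (7, 2, 13))],
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z version from free text, e.g. the 'Version:' line of
    `get system status` ('Version: FortiGate-100F v7.0.15,build0632,241213 (GA.M)')."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def check_cve_2024_55591(product: str, version_text: str) -> Optional[dict]:
    """Return {'version', 'vulnerable', 'fixed_in'} for one appliance, or None when the
    version string cannot be parsed. 'fixed_in' is the first fixed build if vulnerable."""
    ver = parse_version(version_text)
    if ver is None:
        return None
    for low, high, fixed in AFFECTED_RANGES.get(product, []):
        if low <= ver <= high:
            return {"version": ver, "vulnerable": True, "fixed_in": fixed}
    return {"version": ver, "vulnerable": False, "fixed_in": None}


def sweep(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Classify (hostname, product, version_text) entries into 'patch_now', 'ok' and
    'unknown' buckets, so an unparsable entry is never silently counted as safe."""
    report: Dict[str, List[str]] = {"patch_now": [], "ok": [], "unknown": []}
    for host, product, version_text in inventory:
        result = check_cve_2024_55591(product, version_text)
        if result is None:
            report["unknown"].append(host)
        elif result["vulnerable"]:
            report["patch_now"].append(host)
        else:
            report["ok"].append(host)
    return report


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and builds are invented.
    fleet = [
        ("fw-branch-01", "FortiOS", "Version: FortiGate-60F v7.0.15,build0632,241213 (GA.M)"),
        ("fw-dc-01", "FortiOS", "Version: FortiGate-200F v7.0.17,build0682,250120 (GA.M)"),
        ("fw-hq-01", "FortiOS", "v7.4.4"),
        ("proxy-01", "FortiProxy", "7.2.12"),
        ("fw-legacy", "FortiOS", "version string unavailable"),
    ]
    for bucket, hosts in sweep(fleet).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The point of the separate `unknown` bucket is that a fleet sweep driven from an asset database tends to have stale or blank version fields; a script that folds those into "ok" produces exactly the false confidence an affiliate holding a list of exploited devices is counting on.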
Another striking detail from threat‑intelligence reporting is the scale of infrastructure the group appears to maintain.
Investigators found evidence that the operation tracked around 14,700 already exploited FortiGate devices worldwide, along with hundreds of validated VPN credentials associated with those systems.
Such an inventory can function as a pipeline for future attacks. Once access is obtained to a perimeter device, attackers can move deeper into a network without triggering the same defenses that typically detect phishing or malware delivery.
Although the leak is incomplete, internal communications provided insight into how the group coordinated attacks and managed campaigns. Researchers noted that the data included chat conversations across several operational channels and backend systems, shedding light on the timeline and workflow of ransomware campaigns.
Beyond exposing one ransomware group, the leak highlights a broader pattern in modern cybercrime: edge infrastructure is now a primary entry point for ransomware attacks.
Security teams often focus heavily on endpoint protection, but compromised firewalls, VPN appliances, and network management systems can effectively bypass those defenses. Once attackers control those systems, they can escalate privileges, harvest credentials, and move laterally inside the network.
Key defensive priorities include:
- Patching internet-facing appliances promptly, starting with known-exploited flaws such as CVE‑2024‑55591, and confirming the running build on each device rather than trusting a change ticket.
- Keeping management interfaces (web GUI, SSH and the admin side of VPN portals) off the public internet and reachable only from a management network.
- Treating every credential stored on or used through a compromised appliance, VPN credentials above all, as exposed, and rotating them as part of remediation.
- Auditing administrator accounts and configuration changes on edge devices, since an authentication bypass that hands out super‑administrator rights typically leaves a new admin account or an altered configuration behind.
- Forwarding appliance logs to central collection, because endpoint agents do not run on these devices and the appliance's own event log is often the only record of the intrusion.
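The last two priorities above are only useful if someone actually reads the appliance logs. The following Python is an added example, not code from the original article or from Fortinet: it parses FortiGate-style key=value event log lines and flags two traces a management-interface compromise leaves behind, an administrator login that does not fit normal management access (here, a login through the GUI's embedded `jsconsole`, or from a source address outside an assumed allowlist of admin workstations) and the creation of a new administrator object. The log lines are constructed for the example; the field names follow FortiOS event logging conventions, but the hosts, users and timestamps are invented.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed FortiGate-style event log lines for this example. The key=value layout
# and field names (logdesc, ui, srcip, cfgpath, cfgattr, ...) follow FortiOS event
# logging conventions; the values, hosts and timestamps are invented.
SAMPLE_LOGS = [
    'date=2025-01-20 time=09:14:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.5.7)" method="https" '
    'srcip=10.10.5.7 action="login" status="success" profile="super_admin"',
    'date=2025-01-20 time=09:31:55 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 action="login" status="success" profile="super_admin"',
    'date=2025-01-20 time=09:32:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" cfgattr="password[*]accprofile[super_admin]vdom[root]"',
    'date=2025-01-20 time=09:40:00 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" user="jdoe" remip=203.0.113.9 action="tunnel-up"',
]

# Assumed allowlist of hosts from which administrators legitimately log in.
MANAGEMENT_HOSTS: Set[str] = {"10.10.5.7"}

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def triage(lines: Iterable[str], mgmt_hosts: Set[str] = MANAGEMENT_HOSTS) -> List[dict]:
    """Flag administrator logins that do not fit normal management access and the
    addition of new administrator accounts. Each finding records the rule, the
    1-based line number, the user and the parsed event so an analyst can pivot."""
    findings: List[dict] = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        desc = ev.get("logdesc", "")
        ui = ev.get("ui", "")
        if desc == "Admin login successful":
            reasons = []
            # jsconsole is the embedded CLI of the web GUI; a login recorded through it
            # from an arbitrary source address does not match interactive admin use.
            if ui.startswith("jsconsole"):
                reasons.append("login via jsconsole")
            if ev.get("srcip") not in mgmt_hosts:
                reasons.append(f"srcip {ev.get('srcip')} not in management allowlist")
            if reasons:
                findings.append({"rule": "suspicious_admin_login", "line": n,
                                 "user": ev.get("user"), "reasons": reasons, "event": ev})
        elif (desc == "Object attribute configured" and ev.get("cfgpath") == "system.admin"
              and ev.get("action") == "Add"):
            findings.append({"rule": "admin_account_added", "line": n,
                             "user": ev.get("user"),
                             "reasons": [f"new admin object {ev.get('cfgobj')} ({ev.get('cfgattr')})"],
                             "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['rule']} by {f['user']}: {'; '.join(f['reasons'])}")
```

Against the sample input, the allowlisted HTTPS login and the ordinary VPN tunnel pass, while the `jsconsole` login from an unexpected address and the `system.admin` addition that follows it are flagged. The rules are deliberately narrow; in production the same parser feeds whatever allowlist and account baseline the environment actually has, and the account-creation rule is the one worth alerting on regardless of how the login looked.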
The leaked database does not reveal the full structure of The Gentlemen ransomware organization. Researchers emphasize that the dataset represents only a partial snapshot of internal activity, not the complete ecosystem.
Still, the leak offers a rare inside view of how a modern ransomware‑as‑a‑service program operates—and how quickly such operations can scale when affiliates, automated tooling, and exposed infrastructure combine.
For defenders, the message is clear: the network edge has become one of the most critical security frontiers in the ransomware era.