Inside the Leak: A Step-by-Step Guide to Dissecting the Gentlemen RaaS Operation
Overview
On May 4th, 2026, the administrator of The Gentlemen ransomware-as-a-service (RaaS) program confirmed a data leak. A backend database called 'Rocket' was exposed, revealing nine accounts, internal chats, and operational details. This guide takes you through the key findings from Check Point Research's analysis of that leak, turning a raw dump into structured intelligence. You'll learn how to identify the RaaS admin, map affiliate roles, understand negotiation tactics, and trace data reuse—all from the same leaked materials. By the end, you'll be able to apply these steps to similar leaks in the future.
Prerequisites
- Basic knowledge of RaaS structures – Understand that RaaS involves an admin who builds the locker and panel, and affiliates who carry out infections.
- Familiarity with underground forums and TOX IDs – The leak references TOX (a messaging protocol) and forum posts.
- Understanding of initial access vectors – Such as Fortinet and Cisco edge appliances, NTLM relay, and OWA/M365 credential harvesting.
- Awareness of CVEs – Specifically CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 – the group actively tracked these.
- Ability to interpret ransom negotiation transcripts – The leak includes screenshots of such negotiations.
Step-by-Step Instructions
1. Identify the Administrator Accounts
The first step is isolating the admin from the nine leaked accounts. Look for the account with the highest privileges and consistent involvement in infrastructure management.
- Examine the account list: the admin's handle is zeta88 (also known as hastalamuerte).
- Check their responsibilities: running the infrastructure, building the locker and RaaS panel, handling payouts, and overall program administration.
- Cross-reference with the leaked internal discussions: the admin appears repeatedly in chats, coordinating tools and tracking CVEs.
- Result: you have identified a single high-value target – the individual controlling the entire operation.
2. Map Roles, Tools, and CVE Interest
The leak provides a rare end-to-end view of how a RaaS group operates. Extract each role from the chats and assign tools.
- Initial access affiliates: They use Fortinet and Cisco edge exploits, NTLM relay attacks, and OWA/M365 credential logs.
- RaaS panel operators: The admin builds the panel; affiliates log in via the panel.
- Shared toolset: SystemBC (a backdoor) was seen in a previous affiliate infection – the C&C revealed over 1,570 victims.
- CVE tracking: The group actively monitors new CVEs. Note the three CVEs mentioned – search for any other internal mentions to build a list of their priority vulnerabilities.
Compile this into a map: admin → builds locker & panel → affiliates use initial access tools → SystemBC → ransomware deployment.
3. Analyze Negotiation Tactics and Payment Data
The leak includes screenshots of ransom negotiations. Reconstruct the bargaining trajectory.
- Start with the initial demand (anchor): one case began at $250,000 USD.
- Track the final settlement: the group received $190,000 USD – a 24% reduction.
- Look for negotiation patterns: do they always anchor high? Are there fixed discount percentages? This can inform future ransom readiness for defenders.
- Record that the negotiation screenshot was from a successful payment – this indicates the affiliate's payout and the program's revenue.
4. Trace Data Reuse and Dual-Pressure Tactics
One of the most revealing aspects is how The Gentlemen reused stolen data from one victim to pressure another.
- Identify the first victim: a UK software consultancy. Their stolen data included network topology and client lists.
- Second victim: a Turkish company. During negotiations with the Turkish firm, the group presented the UK firm as an 'access broker.'
- Examine the dual-pressure tactic: The Gentlemen told the Turkish company they had 'proof' the intrusion originated from the UK side, and encouraged legal action against the consultancy.
- This shows how RaaS groups can weaponize data reuse beyond encryption.
5. Cross-Reference Affiliate IDs
Check Point Research collected all available ransomware samples from the program and identified 8 distinct affiliate TOX IDs, including the admin's own TOX ID.
- Map each TOX ID to roles: the admin's TOX appears both in management chats and in sample metadata from live infections.
- Conclusion: the admin not only manages the RaaS but actively participates in or directly carries out infections.
- Create a table of TOX IDs and their associated accounts (if known) to track affiliate activity over time.
Common Mistakes
- Assuming the full leak is accurate without verification – The admin confirmed the leak, but partial leaks may have missing or corrupted records. Always cross-reference with other sources.
- Misinterpreting the admin's role – Just because zeta88 is the admin doesn't mean every infection is directly their work; affiliates operate independently.
- Overlooking the dual-pressure tactic – Data reuse is easy to miss if you focus only on payloads. Read all chat logs for negotiation nuances.
- Confusing anchor demands with final payments – Many newcomers think the initial demand equals the ransom. The $250k → $190k gap shows negotiation is key.
- Ignoring the CVEs – The group's interest in those specific CVEs can help defenders prioritize patching. Don't dismiss them as noise.
Summary
By systematically analyzing the leaked internal database of The Gentlemen RaaS operation, you can extract actionable intelligence: identify the admin (zeta88), map the division of labor, understand negotiation dynamics (anchor $250k, final $190k), track data reuse for dual-pressure, and confirm that the admin also operates as an affiliate. This guide demonstrates how a single leak can provide a comprehensive view of an active RaaS program, and the steps you can apply to any similar incident.