Researchers Trace Clues to the Operator Behind The Gentlemen Ransomware Group
Security researchers say they have pieced together a trail that may link the administrator of the ransomware-as-a-service operation known as The Gentlemen to a real-world identity. The group has quick...
Security researchers say they have pieced together a trail that may link the administrator of the ransomware-as-a-service operation known as The Gentlemen to a real-world identity. The group has quickly become one of the most active ransomware crews this year, helped in part by an unusually generous affiliate program that offers attackers 90% of ransom payments, according to analysts at Check Point Software.
Check Point said the group has claimed at least 332 victims since emerging in mid-2025, with more than 240 of those reported in 2026 alone. The company also said The Gentlemen tends to focus on internet-exposed systems such as VPNs and firewalls, then moves rapidly to deploy encryption across victim networks.
Forum aliases and technical clues
Researchers say the person managing the operation appears to use the aliases Zeta88 and Hastalamuerte across multiple cybercrime forums. A breach of the group’s backend infrastructure reportedly showed that this user handled ransomware building, payment processing, and the administration of the broader program.
Intel 471, a cyber intelligence firm, linked the Hastalamuerte persona to registrations on several forums over the past few years, including Breachforums, Raidforums, Exploit, Nulled, and others. Some of the registrations and accounts were tied to addresses in Izhevsk, Russia. Additional open-source records connected the same online handles to related email addresses, Telegram accounts, GitHub activity, and other usernames.
Constella Intelligence and other researchers said those data points may point to a man named Alexander Andreevich Yapaev, though the findings remain based on attribution work rather than a formal public identification by law enforcement. Yapaev did not respond to requests for comment, according to the original report.
Why the trail matters
The article also notes that early forum activity associated with Hastalamuerte suggested a comparatively inexperienced hacker who was still learning basic offensive tools in 2019 and 2020. That evolution is consistent with how many cybercrime actors build reputation over time before moving into more profitable operations.
In an update published June 11, threat research group PRODAFT said its own analysis aligned with the same persona with high confidence. PRODAFT added that the operator appears to provide affiliates with initial access, often through Fortinet SSL-VPN credentials, and may be using artificial intelligence to help develop malware and support post-compromise activity.
As with other attribution efforts in cybercrime reporting, the findings should be read as an evidence-based assessment rather than a confirmed legal identification.
