Path & Payload

The Gentlemen's Second Payday: Turning One Victim Against Another

In April 2026, a software consultancy in the U.K. disclosed a breach. The leadership's public statement was the standard genre of corporate-ese: only “typical business data,” they said. Contracts, NDAs, contact information, nothing that should keep a client up at night.

Behind the scenes, however, a ransomware operator going by zeta88 was drafting a very different account of what he'd taken — customer infrastructure data, secrets, OAuth credentials — and citing GDPR exposure as leverage to get the consultancy to pay. Two weeks later, when the consultancy didn't pay enough, he published the consultancy's identity and breach details on the group's leak site.

Then he did something more interesting. He went back into the stolen files, pulled an internal “Transfer/Migration Document” the consultancy had written about a client engagement in Turkey, and used it to enrich and pressure a second intrusion against that client. Check Point says the Turkish company’s initial access came through a vulnerable VPN appliance, but the stolen consultancy document gave The Gentlemen a second weapon: proof of the vendor relationship and a way to turn the two victims against each other.

One breach, two ransom conversations, and a manufactured legal fight. Not a situation found in a normal incident-response playbook.

This is The Gentlemen: the second most active ransomware operation in the world by victim count this year, and an instructive case study in what happens when a RaaS program accumulates more stolen access than it can sell through ransom notes alone.

Same Playbook, Half the Runway

The overall shape of The Gentlemen's origin story is not unusual. What's less typical is how little time it took for the group to mature.

The operation traces back to a Russian-speaking actor known on cybercrime forums as hastalamuerte, later operating under the handle zeta88. Independent research from PRODAFT, which tracks the actor as LARVA-368, and from Group-IB places this person inside the Qilin RaaS ecosystem in mid-2025, running an affiliate crew called ArmCorp. ArmCorp was active for roughly six weeks and deployed against fourteen targets before hastalamuerte filed a public arbitration complaint on the RAMP forum, accusing Qilin's operators of withholding an estimated $48,000 in commission from a single corporate negotiation.

Group-IB's analysis of the timeline suggests, though, that the dispute wasn't really the cause of the split — it was a cover story. A Windows ransomware sample matching The Gentlemen's later locker was uploaded to VirusTotal on July 17, 2025, five days before the public arbitration thread went up. The independent platform was already built. The Qilin fight gave hastalamuerte a public, reputation-damaging reason to leave with his existing affiliate base intact.

By September 2025, ArmCorp had become The Gentlemen, a fully independent RaaS offering affiliates a 90% revenue share against the operator's 10% — a striking contrast to the 80/20 industry standard, and according to Check Point Software's research, a major driver of the group’s growth. By Check Point’s count, The Gentlemen had listed approximately 332 victims in the first five months of 2026, putting it second only to Qilin among public leak-site ransomware operations.

The Persona Is Confirmed, but the Person Isn't

Brian Krebs reported earlier this month on the clues pointing to a real-world identity behind the alias chain: Alexander Andreevich Yapaev, a 36-year-old from Izhevsk who publicly lists himself as a B2B marketing executive. The piece is careful OSINT work, pivoting through forum registrations, a Telegram ID, a hacked Russian government database, and a personal email address tied to a LinkedIn profile — and Krebs frames it as evidence pointing toward an identity rather than a confirmed one.

The lack of confirmation has gotten lost in some of the coverage that followed. The persona itself is solidly corroborated. Check Point, PRODAFT, Group-IB, and Microsoft — tracking the operator as zeta88/hastalamuerte, LARVA-368, and Storm-2697, respectively — independently arrived at the same operational picture: a single administrator who builds the locker, runs the RaaS panel, manages affiliate payouts, and personally participates in intrusions. The persona rests on multiple, separately sourced technical investigations and isn't in dispute. But this person’s actual identity is less certain. As of this writing, confirmation hasn’t happened.

The Second Payday

The detail that makes The Gentlemen worth a profile isn't the affiliate split or the attribution chase, however. It's what happened after the U.K. consultancy breach — because it's a workflow other affiliates can run again.

Check Point's analysis of the group's leaked internal chats — exposed after The Gentlemen's own backend was compromised in May 2026 — shows zeta88 cross-referencing data from the first breach to enrich his targeting of the second. The Transfer/Migration Document was ordinary client-relationship paperwork, the kind of document almost every consultancy generates and rarely treats as sensitive.

The “access broker” framing did two jobs at once. It punished the U.K. consultancy, which the chats show zeta88 describing in personal, contemptuous terms, for not paying enough. And it complicated the Turkish company's breach narrative by publicly tying the incident to a vendor's stolen project files. The point was not simply to make the Turkish company sue but to turn the first victim into part of the second victim's incident, creating reputational, legal, and client-pressure fallout that extended beyond a single ransom negotiation.

Access Faster Than They Can Sell It

This kind of reuse isn't incidental to The Gentlemen's business model. It looks like a response to a business problem the 90/10 split created.

A revenue share that aggressive pulls in volume. Check Point's analysis of a single SystemBC command-and-control server tied to one affiliate found more than 1,570 infected organizations — a figure that dwarfs the 412 victims the group has actually published on its leak site. Most of those organizations were likely breached and never got as far as a ransom conversation, let alone a payment. The affiliate program is generating access faster than the small core team behind it — by Check Point's count, roughly nine named operators — can run negotiations.

Chain-victimization is a way to extract a second payday from access the group already holds, rather than chasing a new intrusion from scratch. It's inventory management for a group sitting on more stolen footholds than it has hours in the day to monetize one at a time.

What This Means for Defenders

The standard advice applies. The Gentlemen's primary access vector is exposed Fortinet and Cisco edge infrastructure, with CVE-2024-55591 doing much of the work, supplemented by brute-forced VPN credentials and access purchased from third-party brokers. Patch management on internet-facing devices, mandatory MFA on administrative portals, and credential hygiene around VPN and Microsoft 365 logins remain the baseline.

But the chain-victimization pattern points to a gap most incident response plans don't cover. A breach disclosure from a vendor, a consultancy, or any partner with access to your environment or your data is not just a compliance notification to log and forget. It's also an attack signal. If a vendor that holds your documentation, your contracts, or your project files reports a breach, the operative question is what the attacker is still planning.

This requires treating third-party breach notifications as a trigger for your own active threat hunting, not a box to check on a vendor risk questionnaire.
