"What makes the material especially interesting is that it appears to show the operational side of a modern ransomware ecosystem in real time, including infrastructure management, target selection, backend development and OPSEC practices," said Milivoj Rajić, head of threat intelligence at cybersecurity firm DynaRisk.
What leaked: chats, images, timestamps and a bitcoin address
The breach of internal material attributed to the ransomware group known as The Gentlemen began to surface on May 4 in a post to the Breached forum titled "The Gentlemen - hacked data for sale," which requested $10,000 payable in bitcoin and offered samples on request. The same user later posted a MediaFire link making the data available for free.
Researchers who examined the dump reported 8,200 lines of text from an internal chat tool, images of infected systems, and message timestamps that largely correspond to people who work Moscow hours, Milivoj Rajić said. The leaked files also included the group's current bitcoin wallet address for handling incoming payments.
Tactics exposed: reconnaissance, VPN access, EDR evasion and backup targeting
The chat transcripts reveal how The Gentlemen planned and executed intrusions. They discussed obtaining VPN access using OpenConnect, using command-and-control software to push payloads, and the use of an "EDR Killer" tool. The logs mention "fake CVE scripts" and point operators to YouTube videos for technical upskilling.
Operationally, the group emphasized careful reconnaissance rather than immediate encryption: mapping environments, searching for virtualization infrastructure, backup systems, NAS devices and critical servers to maximize impact before deploying crypto-locking activity. Messages show repeated efforts to disable endpoint security, evade endpoint detection and response tools, modify Group Policy Objects and obtain "domain admin" privileges in Active Directory.
Leaked material also highlights use of living-off-the-land techniques—leveraging legitimate enterprise admin tools to make malicious activity harder to spot—and a deliberate focus on disrupting backup and storage targets such as NAS systems, Exchange servers, storage arrays and backup infrastructure.
Alleged victims and the scope of claimed thefts
The leaked communications suggest The Gentlemen hacked into Sony and Barclays, stealing perhaps a terabyte of data from each, and reference non-disclosure agreements the group has threatened to publish if ransoms are not paid. By the time researchers cataloged the operation, the group had more than a dozen victims in Thailand and the United States.
By the end of last year the group's victim list included organizations in manufacturing, healthcare and insurance, and it claimed responsibility for a Christmastime disruption of Romanian state-owned power producer Complexul Energetic Oltenia. As of April, cybersecurity firm S-RM reported The Gentlemen had listed over 340 non-paying victims on its data leak site.
Business model: rapid development, affiliates, and changing profit splits
The Gentlemen surfaced as a ransomware-as-a-service (RaaS) organization in mid-2025, a profile noted by SOCRadar. The group recruited affiliates through darkweb sites, promoted Go-based malware capable of "silent encryption" across Windows, Linux, NAS, BSD and ESXi, and relied on initial access brokers and marketplaces of stolen credentials—described in the reporting as "clouds of logs harvested by information stealing malware"—to reach victims.
Evidence in the leak and outside reporting shows a fast development cycle: after Bedrock Safeguard released a free decryptor for the group's crypto-locking malware, The Gentlemen issued a same-day patch. In April the group revised affiliate profit shares—promising a base rate of 90% of ransom proceeds but offering 97% to affiliates for data-only extortion attacks (where systems were not encrypted). ZeroFox interpreted that change as an attempt to attract affiliates who prefer lower operational risk.
What this means for technologists, affected enterprises, and policymakers
- Technologists and security teams: The leaked playbook highlights the need to monitor edge-networking credential exposure (noted in the dumps as frequently involving Fortinet gear), watch for abuse of open-source tools such as the ZeroPulse repository for remote administration, and guard backup and virtualization assets explicitly named in the chatter.
- Affected enterprises and procurement leaders: The group's emphasis on mapping virtualization, NAS, Exchange and backup systems underscores the operational priority of isolating and protecting backup infrastructure and hardening administrative interfaces that attackers cited as gateways.
- Policymakers and regulators: The group's public victim list—over 340 non-paying victims as of April—and the unresolved question of how many victims paid ransoms point to ongoing challenges in measuring the scale and financial flows of RaaS operations.
The leak provides a rare, granular view into how a modern ransomware enterprise organizes itself: technical tradecraft, infrastructure choices, and commercial incentives are all visible in the chat logs. What remains unclear in the record is who exfiltrated the group's data, whether the original sale price was met, and how many victims ultimately paid. The published dump, however, leaves no doubt that the group’s internal practices and profit-driven adjustments are now visible to defenders and rivals alike.




