
Ransomware Gang 'The Gentlemen' Traced to Suspected Russian Operator

A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating The Gentlemen’s growth by attracting experienced operators, according to researchers at Check Point Software.

The Gentlemen’s 90/10 business model and rapid growth

Check Point says The Gentlemen is a ransomware-as-a-service (RaaS) program that promises affiliates 90 percent of any ransom paid by victims. That unusually generous split, Check Point wrote in April, is helping the group recruit skilled operators from competing programs. The security firm counts The Gentlemen as the second most active ransomware group by victim count so far this year, reporting at least 332 published victims since mid-2025 and more than 240 victims in 2026 alone.

Methods of attack: Internet-facing devices and fast network encryption

According to Check Point, The Gentlemen commonly compromises Internet-facing devices such as VPNs and firewalls as initial entry points. Once inside a network, the group moves quickly: Check Point says its operators can encrypt entire networks within hours. The group’s administrator — who has posted graphics and promotional material on forums under the name Hastalamuerte — also assembles the locker and the ransomware panel that affiliates use, according to evidence obtained from a breach of the group’s backend infrastructure.

Forum identities: Hastalamuerte, Zeta88, and SantaMuerte

Multiple cyber-intelligence services traced a web of forum accounts and handles connected to the operator who runs the RaaS. Check Point reports that the administrator and primary operator uses the nickname Zeta88 on Russian-language cybercrime forums and was previously known as Hastalamuerte. Intel 471 data shows that the user Hastalamuerte registered on nearly a dozen cybercrime forums between 2019 and the present, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Intel 471 found that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital of Russia’s Udmurt Republic, and that Zeta88 signed up at the English-language forum Breached in August 2022 from a different Izhevsk address. Epieos links the ProtonMail address used on Raidforums (hastalamuerte1488@protonmail.com) to an Apple account, to a phone number ending in 04, and to a GitHub account under the username SantaMuerte whose activity shows development and tracking of malware tools and exploits.

Signals tying online handles to Alexander Andreevich Yapaev

Threat intelligence firm Constella Intelligence reports that the Telegram ID tied to @hastalamuerte18 is connected to another username, “bu4vs,” and to the Russian phone number 79127650004. Pivoting on that number in Constella returned multiple records from hacked Russian government databases showing the number assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Constella says the phone number was used to create a Pikabu account under the name “4apai18,” and that accounts connected to Mr. Yapaev used the surnames Ivanov or “Chapaev.” Intel 471 found a SantaMeurte account on the Russian hacking forum Codeby created in 2020 under the nickname Alexandr 4apaev. Constella reports Mr. Yapaev regularly used the email bu4vs@mail.ru, and Epieos links that address to a LinkedIn account for Alexander Yapaev listing him as head of B2B marketing at Uralenergo Udmurtia. Mr. Yapaev did not respond to multiple requests for comment.

What this means for technologists, investigators, and affected organizations

  • Technologists and security teams: Check Point’s finding that The Gentlemen targets Internet-facing VPNs and firewalls and can encrypt entire networks within hours underscores the importance of rapid detection and containment of perimeter compromises and of tested offline backups.
  • Investigators and threat analysts: The trail from forum handles to a named individual illustrates how early operational-security lapses — reused usernames, email addresses, Telegram IDs and phone numbers — can be correlated across breached databases and public profiles to produce attribution leads.
  • Affected organizations and procurement leaders: The combination of an aggressive affiliate revenue split and rapid encryption capability suggests more operators may be drawn to The Gentlemen, increasing the likelihood of attacks and the need for prioritized hardening of Internet-facing infrastructure.

The record assembled from public forum posts, leaked backend data and multiple intelligence pivots has connected online aliases (Hastalamuerte, Zeta88, SantaMuerte and related handles) to accounts and a phone number tied by Constella and Epieos to Alexander Andreevich Yapaev in Izhevsk. Check Point’s count of hundreds of victims and its warning about the 90/10 affiliate model show the group is both prolific and commercially organized. Mr. Yapaev did not reply to requests for comment. Flashpoint, which identified the Telegram ID for @hastalamuerte18 as 30907522, is listed in Krebs on Security’s piece as an advertiser.

Link to original story: https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/