The Gentlemen: Second Most Active Ransomware Group in 2026

The ransomware group "The Gentlemen" has claimed at least 332 victims since mid-2025, with over 240 in 2026 alone, making it the second most active ransomware group by victim count this year, according to Check Point Software. The group operates as a ransomware-as-a-service (RaaS) platform, offering affiliates a 90/10 revenue split — significantly higher than the industry standard 80/20 — to attract experienced operators from competing programs.

Technical Operations: VPNs, Firewalls, and AI

Check Point researchers report that The Gentlemen primarily targets Internet-facing devices such as VPNs and firewalls as initial entry points. Once inside, they move quickly to encrypt entire networks within hours. A separate report from PRODAFT reveals that the administrator supplies affiliates with initial access directly, primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or sourced from the group's own leak database. PRODAFT also discovered that the administrator uses AI to develop and maintain the ransomware and associated tooling, as well as to assist with post-exploitation activity.

OSINT Trail Leads to Izhevsk

Threat intelligence firm Intel 471 tracked the administrator's nicknames — Hastalamuerte and Zeta88 — across multiple cybercrime forums. Hastalamuerte registered on Breachforums in January 2025 from an IP address in Izhevsk, Russia. The user Zeta88 signed up on Breached in August 2022 from a different IP address in the same city. Both accounts are linked to the same individual.

Using the ProtonMail address hastalamuerte1488@protonmail.com (the "1488" suffix is a known white supremacist numeric symbol), OSINT service Epieos found connections to an Apple account and a phone number ending in 04. Further pivoting revealed a GitHub account under the username SantaMuerte; the account is private, but its history shows it watching repositories for malware tools and exploits and developing its own.

The Telegram username @hastalamuerte18 (ID 30907522) was linked to another username "bu4vs" and the Russian phone number 79127650004 via Constella Intelligence. That phone number appears in hacked Russian government databases belonging to Alexander Andreevich Yapaev, a 36-year-old from Izhevsk. The same phone number was used to create a Pikabu account under "4apai18," and Yapaev has used the surname "Ivanov" or "Chapaev" on various sites.

Marketing Executive by Day

Constella found that Yapaev regularly used the email bu4vs@mail.ru, which Epieos linked to a LinkedIn profile for Alexander Yapaev, who lists himself as head of B2B marketing at Uralenergo Udmurtia, one of Russia's largest suppliers of electrotechnical and lighting products. He did not respond to requests for comment.

Opsec Mistakes: Learning to Hack in Public

Hastalamuerte's early posts on crime forums (2019-2020) show a relatively unsophisticated hacker. In June 2020, his Telegram account joined a multi-month training program (@pntst) to learn penetration testing tools. His posts to that channel show him struggling to use those tools effectively. A Google-translated record of those posts is available.

The article notes that Russian cybercriminals often operate with impunity as long as they avoid attacking Russian businesses and citizens. However, the simplest explanation for the poor opsec is that cybercriminals make basic mistakes early in their careers when they are less savvy and have less to lose.

What This Means for Developers

If you manage infrastructure exposed to the internet, especially Fortinet SSL-VPNs, keep it patched and require strong, unique credentials, since this group sources VPN credentials through brute force and leaked databases. Consider monitoring for brute-force attempts against those login endpoints. The use of AI in ransomware development is a growing trend that may lower the barrier for creating sophisticated malware.
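As an added illustration of the monitoring suggested above (not code from the article or from any vendor), the following script flags SSL-VPN brute-force and password-spraying patterns in constructed FortiGate-style key=value log lines; the log format, the `ssl-login-fail` action name and the alert thresholds are assumptions and should be adjusted to your own device's syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed FortiGate-style key=value syntax, not real device output).
# 198.51.100.7 tries six different accounts in ten seconds; 203.0.113.9 is one user's typo.
SAMPLE_LOG = """\
date=2026-03-01 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="admin"
date=2026-03-01 time=02:14:03 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith"
date=2026-03-01 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="mlee"
date=2026-03-01 time=02:14:07 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="svc_backup"
date=2026-03-01 time=02:14:09 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="administrator"
date=2026-03-01 time=02:14:11 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="vpnuser"
date=2026-03-01 time=02:30:00 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="alice"
date=2026-03-01 time=02:31:00 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.9 user="alice"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally double-quoted


def parse_line(line):
    """Split one key=value log line into a dict and attach a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields


def detect_bruteforce(log_text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Return {remip: {"failures": peak_in_window, "users": [...]}} for source IPs
    exceeding max_failures inside any sliding `window` (brute force) or trying
    more than max_users distinct accounts overall (password spraying)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") == "ssl-login-fail":
            by_ip[ev["remip"]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        users = sorted({e["user"] for e in events})
        peak, j = 0, 0  # two-pointer sliding window over time-sorted failures
        for i, start in enumerate(events):
            while j < len(events) and events[j]["ts"] - start["ts"] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak > max_failures or len(users) > max_users:
            alerts[ip] = {"failures": peak, "users": users}
    return alerts
```

Feed real exported logs in place of `SAMPLE_LOG`; a single user fat-fingering a password (as 203.0.113.9 does here) stays below both thresholds and is not reported.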