Who Runs the Ransomware Group 'The Gentlemen'? Inside One of 2026's Most Dangerous Cybercrime Operations

The Gentlemen ransomware group has become the second most active by victim count. Here's what security researchers know about who's behind it.

18 June 2026 · 5 min read

The Gentlemen: How a New Ransomware Gang Became One of the Most Prolific Cybercrime Operations of 2026

In the ever-shifting landscape of global cybercrime, new ransomware groups rise and fall with alarming speed. But one group has managed to climb to the top of the threat charts faster than nearly any other in recent memory. Known as The Gentlemen, this ransomware gang has rapidly established itself as the second most active ransomware operation in the world by victim count — and security researchers are now digging into who is actually running the show.

With hundreds of confirmed victims, an aggressive recruitment strategy, and a business model designed to outcompete rival gangs, The Gentlemen represent a sophisticated and dangerous evolution in the ransomware-as-a-service ecosystem. Here is everything we know about how this group operates, why it has grown so quickly, and what clues have emerged about the identity of its administrator.

What Is The Gentlemen Ransomware Group?

The Gentlemen is a ransomware-as-a-service (RaaS) operation, meaning it functions less like a single hacking team and more like a criminal franchise. The core group develops and maintains the ransomware infrastructure, while outside hackers — known as affiliates — carry out the actual attacks. In exchange for doing the dirty work of breaching corporate networks and deploying the malware, affiliates receive a cut of any ransom paid by victims.

What sets The Gentlemen apart from their competitors is the size of that cut. While most RaaS programs offer affiliates an 80/20 revenue split, The Gentlemen offers a striking 90/10 arrangement — meaning affiliates keep 90 percent of every ransom payment. This unusually generous structure has made the group a magnet for experienced cybercriminals who might otherwise be working with established rivals like LockBit or BlackCat.

According to researchers at Check Point Software, who have been closely tracking the group since its emergence in mid-2025, The Gentlemen had already claimed at least 332 published victims by mid-2026, with more than 240 of those attacks occurring in 2026 alone. Those numbers place the group firmly in second place among all active ransomware operations worldwide by victim count.

How The Gentlemen Carry Out Their Attacks

The technical approach used by The Gentlemen follows a pattern that is increasingly common among sophisticated ransomware actors, but the speed and efficiency with which the group operates are notable. According to Check Point's research, the group typically gains initial access by exploiting vulnerabilities in Internet-facing devices such as VPNs and firewalls — the same network perimeter tools that organizations deploy precisely to keep attackers out.

Once inside a target network, the group wastes no time. Researchers have noted that The Gentlemen are capable of moving from initial access to full network encryption within a matter of hours. This rapid operational tempo leaves IT and security teams with very little time to detect and contain an intrusion before the damage is done.

This combination of a wide attack surface — targeting commonly used enterprise networking products — and a fast-moving post-compromise playbook has enabled The Gentlemen to rack up victims across multiple industries and geographies in a short period of time.

The Recruitment Strategy Fueling Explosive Growth

Beyond their technical capabilities, what has truly accelerated The Gentlemen's rise is their deliberate approach to recruiting top-tier talent from competing ransomware programs. The 90/10 affiliate split is not merely a financial arrangement; it is a recruiting tool designed to poach skilled operators who already know how to conduct large-scale ransomware campaigns.

"A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group's growth by attracting experienced operators from competing programs," Check Point researchers noted in an April 2026 report. In a criminal ecosystem where reputation and earnings matter enormously, the difference between keeping 80 cents on every dollar versus 90 cents is significant enough to drive talent migration between groups.

This strategy effectively lets The Gentlemen's leadership scale their operation without having to train or develop new hackers from scratch. Instead, they are importing already-proven criminals who bring their own skills, tools, and target knowledge with them.

Who Is Behind The Gentlemen? The Trail Leads to 'Hastalamuerte'

Perhaps the most critical question surrounding any ransomware group is the identity of the people running it. Law enforcement agencies and private researchers alike focus heavily on attribution, since identifying and prosecuting administrators is generally more impactful than targeting individual affiliates.

In the case of The Gentlemen, security researchers have identified a key clue: the group's administrator appears to operate under the alias Hastalamuerte. This handle surfaced in connection with promotional and recruitment activity conducted on Breachforums, one of the most prominent cybercrime forums on the dark web. In May 2026, the administrator shared a graphic created and distributed under this alias — a piece of promotional material consistent with the group's ongoing effort to attract new affiliates and publicize their operation.

The use of a consistent alias across cybercrime forums is a common operational security practice among ransomware operators, but it also creates a persistent digital fingerprint that investigators can use to trace activity over time. Past high-profile takedowns of ransomware operators have frequently relied on exactly this kind of forum-based intelligence — cross-referencing aliases, writing styles, cryptocurrency transactions, and technical artifacts to build a picture of a real-world identity behind a pseudonym.

Why The Gentlemen Matter for Cybersecurity in 2026

The emergence of The Gentlemen as a top-tier ransomware threat is a reminder that the cybercriminal ecosystem continues to evolve and adapt. Even as law enforcement agencies have had notable successes against groups like LockBit in recent years, new operations are quick to fill the vacuum — often learning from the mistakes of their predecessors and building more resilient, harder-to-disrupt structures.

For organizations, the threat posed by The Gentlemen underscores several enduring security priorities. Keeping VPNs, firewalls, and other perimeter devices fully patched and properly configured is essential, since these are the primary entry points the group exploits. Network segmentation, robust detection and response capabilities, and offline backup strategies remain critical defenses against the kind of rapid, network-wide encryption the group deploys.

For researchers and law enforcement, the identity clues already surfacing around the Hastalamuerte alias represent a meaningful thread to pull. History has shown that ransomware administrators — no matter how technically sophisticated — tend to leave trails. Whether those trails lead to an arrest, a sanctions designation, or an infrastructure takedown, the work of attribution remains one of the most powerful tools available in the fight against ransomware.

The Bottom Line

The Gentlemen ransomware group has gone from an unknown entity to one of the world's most prolific cybercrime operations in under a year. Their aggressive affiliate revenue model, fast-moving attack methodology, and apparent willingness to publicly recruit on major cybercrime forums make them both a significant threat and a group that may ultimately be undone by its own visibility. As researchers at Check Point and elsewhere continue to build out the picture of who runs this operation, the cybersecurity community will be watching closely to see whether Hastalamuerte and their associates can be brought to justice.
