Full Report
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real-life identity for the administrator of The Gentlemen ransomware group. Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was previously known under the moniker Hastalamuerte. Check Point noted that a breach of the group's backend infrastructure made it clear that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program, receiving 10 percent of all ransoms.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
* **Primary Identity:** Alexander Andreevich Yapaev (identified as a 36-year-old from Izhevsk, Russia).
* **Administrator Aliases:** Zeta88, Hastalamuerte, SantaMuerte, SantaLaMuerte, Alexandr 4apaev, bu4vs, 4apai18.
* **Known Associations:** Operates as a Ransomware-as-a-Service (RaaS) administrator. Linked via digital breadcrumbs to a professional role as head of B2B marketing at **Uralenergo Udmurtia**.
* **Forum Presence:** Registered on Exploit, Breachforums, Ramp_V2, BHF, Raidforums, Nulled, and Codeby.
## Activity Summary
Emerging in mid-2025, The Gentlemen rapidly became the second most active ransomware group by victim count. Their growth is driven by an aggressive recruitment strategy offering affiliates a 90% revenue share (compared to the industry standard of 80%). Between mid-2025 and June 2026, the group claimed at least 332 published victims, with over 240 occurring in the first half of 2026 alone.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of Internet-facing devices, specifically VPNs and firewalls.
* **Speed of Impact:** Rapid lateral movement and network-wide encryption occurring within hours of initial breach.
* **Business Model:** Ransomware-as-a-Service (RaaS) with an "aggressive" 90/10 split in favor of affiliates.
* **Operational Security (OPSEC) Failures:** Reuse of the same aliases across forums, and reuse of a single phone number that also appears in leaked Russian government databases and on social media accounts (Pikabu), allowing the personas to be linked.
## Targeting
* **Sectors:** Organizations utilizing vulnerable Internet-facing infrastructure (cross-sector).
* **Geography:** Global (implied by the volume and affiliate model), though the administrator operates from Izhevsk, Russia.
* **Victims:** Over 332 published victims; the article did not list specific organization names, but the volume alone indicates broad targeting.
## Tools & Infrastructure
* **Locker/Malware:** Custom "Gentlemen" ransomware locker assembled by Zeta88.
* **Infrastructure:** RaaS backend panel for managing payments and affiliate activity.
* **Emails:**
  * hastalamuerte1488[shortened]@protonmail.com
  * bu4vs[at]mail.ru
* **Telegram:** @hastalamuerte18 (ID: 30907522)
* **Other:** GitHub account (SantaMuerte) used for tracking exploits and malware development.
## Implications
The Gentlemen represent a shift in the RaaS market where higher affiliate commissions are being used to "poach" talented attackers from established groups like LockBit or BlackCat (ALPHV). Their rapid rise demonstrates that financial incentives can quickly consolidate high-level talent under a new brand, leading to high-volume attack campaigns in a very short timeframe.
## Mitigations
* **Edge Device Security:** Prioritize patching and multi-factor authentication (MFA) for all Internet-facing devices, particularly VPNs and firewalls.
* **Rapid Response:** Implement automated isolation protocols, as the actor is known to move from entry to full-network encryption within hours.
* **Affiliate Recruitment Resistance:** Monitor cybercrime forums for high-payout recruitment drives, which often precede a surge in localized attack volume.