Analyzing RaaS Operations: A Deep Dive into The Gentlemen Group's Internal Leak


Overview

This tutorial guides cybersecurity professionals through the process of analyzing leaked internal data from a ransomware-as-a-service (RaaS) operation. Using the real-world example of The Gentlemen group—whose internal database was leaked in May 2026—we walk through each step of extracting actionable intelligence: identifying key actors, mapping attack vectors, understanding role division, tracking CVE usage, examining negotiation tactics, and correlating affiliate identifiers. By the end, you will have a repeatable methodology for dissecting similar leaks and improving threat hunting.

Source: research.checkpoint.com

Prerequisites

Before diving in, ensure you have:

  • Basic understanding of ransomware lifecycle and RaaS models.
  • Familiarity with common initial access vectors: Fortinet and Cisco edge appliances, NTLM relay, OWA/M365 credential harvesting.
  • Knowledge of recent high-impact CVEs (e.g., CVE-2024-55591, CVE-2025-32433, CVE-2025-33073).
  • Experience analyzing threat actor communications and TOX IDs (the contact identifier used by the Tox peer-to-peer encrypted messenger).
  • Access to a sandboxed environment for safely examining leaked database extracts.

Step-by-Step Analysis Guide

Step 1: Identify the Leak and Key Actors

On May 4th, 2026, The Gentlemen administrator admitted on underground forums that their Rocket backend database had been exfiltrated. This leak exposed 9 accounts, including the admin account zeta88 (also known as hastalamuerte). Start by extracting all usernames, roles, and associated TOX IDs from the leaked data. Focus on the admin because they manage infrastructure, build the locker and RaaS panel, handle payouts, and essentially run the program.

Action: Parse the database dump for account tables. Look for fields labeled username, role, tox_id. Map each actor to their responsibility.

Step 2: Map Initial Access Vectors

The internal discussions reveal a rare end-to-end view of the operation. They detail initial access paths used by affiliates: exploiting Fortinet and Cisco edge appliances, performing NTLM relay attacks, and harvesting OWA/M365 credentials from logs. For each victim, compile the entry point. This helps defenders understand which devices and protocols are most targeted.

Action: From chat logs, extract mentions of vendor names (Fortinet, Cisco), protocols or services (NTLM, OWA), and any specific vulnerability IDs. Build a matrix of victim → access vector.

Step 3: Understand Role Division

The leak provides insight into how The Gentlemen splits responsibilities: admin (RaaS panel, development), penetration testers (initial access), operators (deploying ransomware), and negotiators (handling ransom chats). This division is common but was explicitly documented in the database. Identify who does what, as it can help attribute future attacks to specific individuals even if they change aliases.

Action: Categorize each leaked account by responsibility tags like infra, locker_dev, affiliate. Note overlaps (admin also conducts infections).

Step 4: Track Modern CVE Evaluation

The group actively tracked CVE-2024-55591 (Fortinet SSLVPN), CVE-2025-32433 (Cisco ASA), and CVE-2025-33073 (another edge appliance). These were evaluated in internal forums. For each CVE, check whether it was used in actual intrusions and how quickly after disclosure. This reveals the group’s agility and priorities.

Action: Cross-reference the CVEs mentioned with victim timelines from the DLS (the group's data leak site). If a victim was posted after a CVE's disclosure and runs that vendor's product, that CVE is a likely vector.


Step 5: Analyze Ransom Negotiations and Dual-Pressure Tactics

Screenshots from ransom negotiations were leaked. In one closed case the group opened with a $250,000 demand (the anchor) and settled for $190,000. A dual-pressure tactic also emerged: stolen data from a UK software consultancy was reused to attack a Turkish company. The Gentlemen portrayed the UK firm as an "access broker" and even encouraged the Turkish victim to sue the consultancy.

Action: Study negotiation logs for anchors, counteroffers, and psychological manipulation. Document any third-party mentions that suggest data sharing or resale.

Step 6: Correlate Affiliate TOX IDs

Check Point Research collected ransomware samples and identified 8 distinct affiliate TOX IDs, including the admin’s. This proves that the admin not only manages the RaaS but also participates directly in infections. By linking TOX IDs to leaked account names, you can build a more complete profile of the threat actor group.

Action: Extract TOX IDs from ransomware binaries (e.g., via static analysis of embedded C2 configs). Match them against the leaked database to confirm admin involvement.
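Steps 1 and 6 together, plus the TOX ID caveat from the Common Mistakes list, as an added Python example written for this tutorial (not code from Check Point Research or from the leak): it validates candidate TOX IDs by their toxcore checksum, matches those found in ransom notes against a leaked account table, and flags users with several IDs and IDs shared by several users. Every ID, username and note in it is constructed.

```python
"""Added example for this tutorial; every ID, account and note is constructed."""
import re
from collections import defaultdict
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")  # 32B key + 4B nospam + 2B checksum

def tox_checksum(data: bytes) -> str:
    """toxcore address checksum: byte i of key||nospam XORs into checksum[i % 2]."""
    chk = [0, 0]
    for i, b in enumerate(data):
        chk[i % 2] ^= b
    return bytes(chk).hex()

def valid_tox_id(tox_id: str) -> bool:
    """Reject 76-hex strings (hashes, raw keys) that merely look like TOX IDs."""
    if not TOX_ID_RE.fullmatch(tox_id):
        return False
    raw = bytes.fromhex(tox_id)
    return tox_checksum(raw[:36]) == raw[36:].hex()

def correlate(accounts, notes):
    """Map valid TOX IDs in notes to leaked accounts; flag many-to-many cases."""
    by_tox = defaultdict(set)
    for acct in accounts:
        for tid in acct["tox_ids"]:
            by_tox[tid.upper()].add(acct["username"])
    hits = {t.upper(): sorted(by_tox.get(t.upper(), ()))
            for note in notes for t in TOX_ID_RE.findall(note) if valid_tox_id(t)}
    return {
        "note_hits": hits,  # TOX ID -> usernames; [] means seen in a note, absent from leak
        "unmatched": sorted(t for t, u in hits.items() if not u),
        "multi_id_users": sorted(a["username"] for a in accounts if len(set(a["tox_ids"])) > 1),
        "shared_ids": sorted(t for t, u in by_tox.items() if len(u) > 1),
    }

# Constructed sample IDs; their checksums were derived with tox_checksum above.
ADMIN_ID = "AB" * 32 + "12345678444C"
AFF1_ID = "CD" * 32 + "000000010001"
AFF2_ID = "EF" * 32 + "0000BEEFBEEF"
UNKNOWN_ID = "01" * 32 + "DEADBEEF6042"
ACCOUNTS = [  # constructed stand-in for the leaked username / role / tox_id table
    {"username": "zeta88", "role": "admin", "tox_ids": [ADMIN_ID, AFF2_ID]},
    {"username": "affiliate01", "role": "affiliate", "tox_ids": [AFF1_ID]},
    {"username": "affiliate02", "role": "affiliate", "tox_ids": [AFF2_ID]},
]
NOTES = [  # constructed ransom-note snippets
    f"Contact us via TOX: {ADMIN_ID}",
    f"TOX: {AFF1_ID} -- you have 72 hours",
    f"Support chat TOX: {UNKNOWN_ID}",
    "TOX: " + "11" * 38,  # right length, wrong checksum: dropped by valid_tox_id
]
```

Run `correlate(ACCOUNTS, NOTES)`: the admin's ID and one affiliate's ID resolve to usernames, the unknown ID lands in `unmatched`, the malformed one is discarded, and the shared ID surfaces in `shared_ids` rather than being silently attributed to one person.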

Common Mistakes

  • Assuming all affiliates use the same techniques: The leak shows diverse initial access methods. Don't generalize from one affiliate’s modus operandi.
  • Overlooking secondary extortion: The dual-pressure example (UK firm as broker) is easy to miss if you only examine straight negotiation logs.
  • Misinterpreting TOX IDs as unique per person: One actor may use multiple TOX IDs; conversely, one TOX ID might be shared. Cross-reference with other sources.
  • Ignoring the admin’s dual role: Just because they manage the panel doesn’t mean they aren’t also infecting victims. This oversight can lead to underestimating their capabilities.
  • Failing to validate leak authenticity: Leaks can be fabricated. Compare data with known indicators (e.g., DLS victims, sample hashes) before using it for threat intelligence.

Summary

This tutorial demonstrates how a single database leak offers a comprehensive view of a RaaS operation. By systematically identifying actors, mapping attack vectors, understanding role division, tracking CVE usage, and analyzing negotiations, analysts can build actionable intelligence. The Gentlemen case also highlights the importance of correlating TOX IDs and recognizing dual-pressure tactics. Apply this methodology to future leaks to stay ahead of ransomware groups.
