Thus Spoke…The Gentlemen

May 14, 2026, 8:39 a.m.

Description

On May 4th, 2026, The Gentlemen RaaS administrator acknowledged that an internal backend database called Rocket had been leaked, exposing nine accounts including zeta88, the program's effective administrator. The leak revealed internal discussions detailing initial access methods through Fortinet and Cisco edge appliances, NTLM relay, and credential logs, along with the group's role divisions and toolsets. Evidence shows evaluation of CVEs including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Leaked ransom negotiations showed a successful payment of 190,000 USD. The group reused stolen data from a UK software consultancy to attack a Turkish company, employing dual-pressure tactics during negotiations. Analysis of ransomware samples identified eight distinct affiliate TOX IDs, indicating the administrator actively participates in infections alongside managing the RaaS program.

External References

https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
https://otx.alienvault.com/pulse/6a04aad1cd2da41f0087f85d
Tags
cryptocurrency
ransomware-as-a-service
systembc
raas
fortinet
CVE-2024-55591
cisco
CVE-2025-32433
CVE-2025-33073
the gentlemen
affiliate-program
2026-05-13
data-leak
ntlm-relay
tox-ids

Date

  • Created: May 13, 2026, 4:46 p.m.
  • Published: May 13, 2026, 4:46 p.m.
  • Modified: May 14, 2026, 8:39 a.m.

Indicators

  • 4a175eed927c0a477eafb8aa35a93c191748acaa78ac7aecd8ea3c4cd868887c
  • dfe696ff713318c53fb17731bd4a6585a02c085b590149b19847990b324a0be6
  • dce2e5cc00eff2493f8ced546dc51f9d5ef78c5ee56805906ec642dfa77a1c70
  • 24ac3588fb8cfbff63b7fdfcbc7dec1f3c60e54e6f949dd69d68e89e0c89d966
  • 1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f
  • 994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3
  • b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6
  • 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
  • 51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2
  • 8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
  • c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8
  • c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73
  • 788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19
  • 87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
  • 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
  • 3c2182cb0bc7528829ef03f1b1745a92bcc47d917eb8870862488f21fdf1a6d6
  • 9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454
  • a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad
  • 6a3ab9e984a759d55af4e84487d1fc44683065cc9a1089d5aa4ad1c0e4e84a63
  • 91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1
  • 860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
  • 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
  • ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2
  • 1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2
  • 2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
  • 8aa0cb69ca2777001e0f4ba0eaab0841592710e4cc5ccd6b0b526d78bbd8bfba
  • 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c
  • 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
  • efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f
  • 62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
  • 48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
  • f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12
  • fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
Download all indicators here!

Attack Patterns

  • SystemBC
  • The Gentlemen
  • The Gentlemen

Additional Informations

  • Technologies
  • United Kingdom of Great Britain and Northern Ireland

Linked vulnerabilities

CVE-2024-55591

9.8
    Fortinet
  • Fortiproxy
  • Fortios
Published: January 14, 2025

CVE-2025-32433

10.0
    Erlang
  • Otp
Published: April 16, 2025

CVE-2025-33073

8.8
    Microsoft
  • Windows Smb
Published: June 10, 2025