For years, ransomware gangs have operated with the confidence that they were untouchable behind layers of anonymity, affiliate programs, and hidden infrastructure. That confidence took a hit in May 2026 after the ransomware group known as The Gentlemen reportedly suffered a breach of its own internal systems, giving researchers a rare look into how the operation functioned behind the scenes.
According to researchers at Check Point Research (CPR), the compromise exposed parts of the gang’s backend infrastructure, affiliate activity, operational tools, and victim management environment. The incident gave researchers direct visibility into a ransomware operation that had spent months targeting organizations across multiple sectors worldwide.
The Leaked Data
Researchers said the leaked data included systems used to track victims, manage affiliates, and coordinate attacks. In effect, the same type of operational exposure that ransomware gangs try to force onto companies happened to the attackers themselves.
CPR’s later technical analysis also pointed to leaked internal chats and backend databases connected to the operation. Researchers said affiliates discussed attack methods, credential abuse, EDR-killer tools, and access to enterprise systems inside private channels linked to the gang.
The report further identified operational channels allegedly used by affiliates for tooling, victim coordination, and infrastructure discussions. Researchers also referenced conversations involving Fortinet systems, Cisco-related access, and NTLM relay techniques.

The Gentlemen Ransomware – Who and How
The Gentlemen first appeared in 2025 and expanded through a ransomware-as-a-service (RaaS) model. Under that setup, the main operators run the ransomware platform while affiliates carry out attacks and share a percentage of ransom payments. CPR noted that the group reportedly offered affiliates a 90 percent revenue share, an unusually generous split that likely helped attract experienced cybercriminals.
While many ransomware groups advertise advanced capabilities, researchers said The Gentlemen focused more on operational execution than flashy techniques. The gang reportedly targeted internet-facing systems, disabled security tools after gaining access, and encrypted Windows, Linux, NAS, and ESXi environments.
As researchers examined the leaked systems, they also identified signs of additional malware activity connected to the operation. One example mentioned in the report was the use of SystemBC, malware commonly linked to persistence, remote access, and traffic tunneling during ransomware attacks.
The exposed systems also revealed a victim count that appeared far higher than the numbers publicly displayed on the gang’s leak site. According to CPR, investigators identified more than 1,570 likely victims connected to the operation.
The Gentlemen Expands Operations Despite Internal Leak
Even after the leak exposed parts of its internal operation, The Gentlemen does not appear to be slowing down. On May 16, administrators of a newer version of BreachForums announced that the ransomware gang had become an official partner of the forum. The partnership reportedly allows The Gentlemen to advertise on the platform while receiving infrastructure and operational support from the forum itself.
While the relationship is still considered publicly unconfirmed, Hackread.com later observed The Gentlemen displaying a BreachForums banner on its official dark web onion site, the same portal typically used to publish victim announcements and extortion updates.

Even though ransomware gangs present themselves as highly organized operations, incidents like this show that internal security failures remain a weak point. Disputes between affiliates, poor infrastructure security, insider leaks, and operational mistakes continue to create opportunities for researchers and law enforcement to gather intelligence on criminal groups.
