How 'The Gentlemen' Ransomware Crew Tripped Over Its Own Breadcrumbs

Security Reporter

A ransomware-as-a-service operation that pays affiliates 90 percent of every ransom has climbed to the second spot among the most active extortion crews this year. Now researchers say the administrator left a trail of old forum posts, a 2020 ProtonMail address, and a recycled phone number that points back to a marketing executive in Russia.

A ransomware crew calling itself The Gentlemen has muscled its way to the second most active extortion operation by victim count this year, and it did so with a recruiting pitch that competing gangs can't easily match: affiliates keep 90 percent of every ransom payment. That split, against an industry norm closer to 80/20, has pulled experienced operators away from rival programs and helped the group rack up at least 332 published victims since it launched in mid-2025, with more than 240 of those landing in 2026 alone.

The numbers come from researchers at Check Point Software, who have been tracking the group's campaigns since the spring. "A 90/10 affiliate revenue split, compared to the industry standard 80/20, is accelerating the group's growth by attracting experienced operators from competing programs," the Check Point team wrote in April. The economics are simple. If you can move malware and you have a choice of crews, you go where the cut is biggest.


How the operation works

The Gentlemen run a ransomware-as-a-service, or RaaS, model. The administrator builds and maintains the encryption tooling and the affiliate panel, handles payments, and takes a 10 percent cut off the top. Affiliates do the breaking and entering. According to Check Point, the entry point is almost always an Internet-facing device, a VPN concentrator or a firewall, and once an affiliate is inside, the playbook calls for encrypting an entire network within hours rather than days.

That speed is the practical lesson for defenders. If your detection and response window is measured in days, you are already behind a crew that finishes the job before lunch. The exposed edge devices, the VPNs and firewalls that sit on the public Internet, are the part of your attack surface that deserves the most aggressive patching cadence and the tightest monitoring. A perimeter appliance running months-old firmware is exactly the doorway this group is built to walk through.

The administrator's trail

The more interesting part of the story is what happened when the group's own backend got breached. That breach made clear that a single person, operating under the handle Hastalamuerte and later Zeta88, assembles the locker, runs the RaaS panel, and manages the money. In other words, the entire program traces back to one operator.

And that operator, like so many before him, left a paper trail. The intelligence firm Intel 471 shows Hastalamuerte registered on close to a dozen cybercrime forums between 2019 and the present, among them Exploit, Breachforums, Raidforums, and Nulled. The Breachforums registration in January 2025 came from an Internet address in Izhevsk, capital of Russia's Udmurt Republic. The Zeta88 account that signed up at the forum Breached in August 2022 also traced to Izhevsk.

The thread that unravels everything is an old email. On Raidforums in 2020, Hastalamuerte registered with the address [email protected]. The 1488 suffix is a numeric combination associated with white supremacist movements, and it is the kind of detail a careful operator would never reuse. A lookup through the open source intelligence service Epieos ties that address to an Apple account, a phone number, and a GitHub account under the name SantaMuerte that has been quietly watching and developing malware tooling.

From there the pivots stack up. A 2020 Telegram handle, @hastalamuerte18, maps to a unique Telegram ID. Breach data connects that ID to another username and to a Russian phone number. That phone number, run through breached Russian government databases, returns the name Alexander Andreevich Yapaev, a 36-year-old from Izhevsk. The same number created a social media account under "4apai18," and a hacking forum account on Codeby originally registered as Alexandr 4apaev. The email [email protected], also tied to Yapaev, links to a LinkedIn profile listing him as head of B2B marketing at a regional electrical supplier.

Why this keeps happening

Readers of these identity investigations always ask the same question. Why do so many Russian cybercriminals do so little to hide who they are? The honest answer is that most of them did not start out as career criminals. They drifted into the scene over years, sharpening their skills on forums while building a reputation, and the operational security mistakes that expose them were made early, before they had anything to lose.

There is a structural reason too. The Russian government tends to leave domestic cybercriminals alone as long as they do not target Russian businesses or citizens, and as long as they stay inside the country's borders. That insulation breeds carelessness. An operator who never expects to be arrested has little incentive to scrub a ProtonMail address from 2020.

Hastalamuerte's own early posts back this up. Records from a 2020 penetration testing training program he joined show an unsophisticated hacker fumbling with standard tools, struggling to make them work, learning in public. Five years later the same person is running one of the most active ransomware programs in the world. The skills grew. The old breadcrumbs never went away.

For security teams, the takeaway is twofold. Harden and watch your edge devices, because that is where this crew lives, and assume that no affiliate program, however generous its payout, is staffed by ghosts. The people behind these operations are findable, and the same sloppy reuse of emails, handles, and phone numbers that exposes them is a reminder of how much of attribution still comes down to patient correlation rather than any single decisive clue.
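To make the "patient correlation" point concrete, here is an added example (not from the article or from any of the firms it cites) that models an attribution trail the way the investigation above reads: every source record is a set of identifiers seen together, and a breadth-first walk from one reused handle shows how far a single leaked value propagates. All records, handles, addresses and numbers below are constructed placeholders, not the real ones.

```python
# Added example: identifier-reuse graph over constructed records (placeholders only).
from collections import defaultdict, deque

# Constructed sample records: each is one source (a forum signup, a lookup result,
# a breach row) and the identifiers that appeared together in it.
RECORDS = [
    {"source": "forum-A 2020 signup", "ids": {"handle:operator_x", "email:operator_x@example.test"}},
    {"source": "email lookup", "ids": {"email:operator_x@example.test", "github:operator_x",
                                       "phone:+7-000-000-0001"}},
    {"source": "messenger export", "ids": {"handle:operator_x18", "tgid:1000001"}},
    {"source": "breach row", "ids": {"tgid:1000001", "handle:altname_y", "phone:+7-000-000-0001"}},
    {"source": "social signup", "ids": {"phone:+7-000-000-0001", "handle:4real18"}},
    {"source": "unrelated forum", "ids": {"handle:someone_else", "email:other@example.test"}},
]


def build_graph(records):
    """Adjacency list: identifier -> set of (neighbour identifier, source that links them)."""
    graph = defaultdict(set)
    for rec in records:
        for a in rec["ids"]:
            for b in rec["ids"]:
                if a != b:
                    graph[a].add((b, rec["source"]))
    return graph


def pivot_chain(records, start):
    """BFS from `start`; returns {identifier: (hops, list of sources walked to reach it)}."""
    graph = build_graph(records)
    seen = {start: (0, [])}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        hops, path = seen[cur]
        for nxt, src in sorted(graph[cur]):  # sorted for deterministic output
            if nxt not in seen:
                seen[nxt] = (hops + 1, path + [src])
                queue.append(nxt)
    return seen


def linked_identifiers(records, start):
    """Every identifier one reused value exposes, i.e. the connected component minus the start."""
    return set(pivot_chain(records, start)) - {start}


if __name__ == "__main__":
    chain = pivot_chain(RECORDS, "handle:operator_x")
    for ident, (hops, path) in sorted(chain.items(), key=lambda kv: (kv[1][0], kv[0])):
        print(f"{hops} hops  {ident:32s} via {' -> '.join(path) or '(start)'}")
```

Records that share no identifier with the component (the "unrelated forum" row) stay unlinked, which is the property a careful operator relies on and a reused email or phone number destroys.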
