The Gentlemen ransomware-as-a-service operation faces exposure after an operational security failure leaked internal communications and structural details that reveal how the group built and maintained its criminal affiliate network.
The leaked data exposes the gang's business model, which relies on recruiting affiliates through generous commission splits and a flat organizational hierarchy that empowers lower-level operators. Unlike traditional ransomware groups that centralize control, The Gentlemen distributed decision-making authority to affiliates, allowing them to target victims independently while maintaining consistency through standardized tools and playbooks.
The OPSEC failure provides security researchers with rare insight into the group's tactics, techniques, and procedures. The leaked materials document how The Gentlemen identifies vulnerable organizations, leverages both known and zero-day exploits, and negotiates ransom payments through coordinated cryptocurrency handlers. The group has demonstrated flexibility in targeting, hitting everything from healthcare providers to manufacturing firms across multiple countries.
The Gentlemen operate an established affiliate model in which recruiters identify skilled operators and supply them with ransomware variants, deployment infrastructure, and negotiation scripts. Affiliates keep a percentage of each ransom payment, while The Gentlemen leadership retains oversight through encrypted communication channels and regular operational reviews. This structure let the operation scale rapidly without leadership controlling every attack directly.
The leaked documentation also reveals internal disputes over ransom pricing, victim selection criteria, and affiliate performance metrics. Some communications show disagreements between leadership factions over whether to target smaller organizations with faster payment timelines or pursue higher-value enterprises with extended extortion processes.
Law enforcement agencies and threat intelligence firms already track The Gentlemen's infrastructure and operational patterns. The leaked data allows defenders to attribute previously unclear attacks to the group and identify compromised networks still harboring active infections. Organizations previously targeted by affiliates now have opportunities to detect and remove persistent access points.
The exposure represents a significant setback for The Gentlemen's
