The Emergence of The Gentlemen Ransomware Group

The Gentlemen has rapidly become a significant player in the ransomware landscape, attracting skilled hackers with lucrative affiliate agreements.

A cybercrime group known as The Gentlemen has quickly established itself as the second most active ransomware gang in terms of victim count. This group employs an aggressive recruitment strategy, offering affiliates a remarkable 90 percent share of any ransom paid, significantly higher than the industry standard of 80 percent.

Growth and Targeting Strategy

According to experts at Check Point Software, The Gentlemen has claimed at least 332 published victims since its inception in mid-2025, with more than 240 victims recorded in 2026 alone. The group primarily targets Internet-facing devices, such as VPNs and firewalls, and is known for its rapid encryption of entire networks within hours of gaining access.

Identifying the Administrator

Research indicates that the administrator of The Gentlemen operates under the nicknames Zeta88 and Hastalamuerte. A breach of the group’s backend infrastructure has confirmed that this individual is responsible for assembling the ransomware and managing the affiliate program. They receive 10 percent of all ransoms collected.

Background of Hastalamuerte

Intel 471 has traced Hastalamuerte’s online presence across multiple cybercrime forums since 2019. They registered on BreachForums in January 2025 from an IP address in Izhevsk, Russia. Additionally, the email address hastalamuerte1488@protonmail.com has been linked to various accounts, including one at Apple and a GitHub account under the username SantaMuerte, which is associated with malware development.

Operational Security and Implications

Despite the risks, many cybercriminals, including those in Russia, do not take extensive measures to conceal their identities. This is partly due to the Russian government’s tendency to overlook cybercrime as long as it does not target domestic entities. The operational security mistakes made by early-stage hackers contribute to their eventual identification.

In a recent update, the threat research group PRODAFT corroborated the findings regarding Zeta88/Hastalamuerte, noting that the administrator provides affiliates with initial access, primarily through Fortinet SSL-VPN credentials obtained via brute-force attacks. They also utilize AI to enhance their ransomware and associated tools.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
