SUBJECT PROFILE
The Gentlemen is the breakout ransomware group of Q1 2026, climbing to #2 globally with 400+ public victims in under 10 months of operation. Founded by 'hastalamuerte,' a former senior Qilin affiliate who departed after a $48,000 commission dispute, the group arrived with a pre-staged stockpile of approximately 14,700 compromised FortiGate devices (exploited via CVE-2024-55591) and 969 validated brute-forced VPN credentials. On May 4, 2026, the group itself was breached by an anonymous party who exfiltrated its internal database from hosting provider 4VPS, exposing full operational structure, ransom negotiations, and confirmed use of DeepSeek and Qwen AI models to accelerate ransomware development. Chain-victimization — using data from one victim to attack that victim's clients — is a confirmed tactic.
Motivation is financial: double-extortion ransomware-as-a-service with globally diversified targeting, and a deliberate avoidance of US targets to reduce law-enforcement exposure.
OPERATIONAL HISTORY
Initial access: CVE-2024-55591 (FortiOS/FortiProxy authentication bypass via the Node.js websocket module; the source of the pre-staged FortiGate fleet); CVE-2025-32433 (Erlang/OTP SSH server unauthenticated remote code execution); access purchased from credential brokers; infostealer-log markets; brute-forced VPN credentials.
Credential access and lateral movement: NTLM relay/reflection (CVE-2025-33073, Windows SMB client); Active Directory enumeration; browser session harvesting (M365/Okta session tokens).
Defense evasion: BYOVD (bring-your-own-vulnerable-driver) EDR disablement; antivirus killers.
Command and control: SystemBC proxy malware for covert tunneling.
Impact: Group Policy-driven domain-wide ransomware deployment; double extortion (encryption plus publication on the data leak site); chain-victimization (using data taken from one victim to target that victim's clients).
Tooling: encryption routines reverse-engineered from Babuk, Qilin, LockBit 5.0 and Medusa; AI coding assistants (DeepSeek/Qwen) used to accelerate malware development.
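Two checks a defender would run against the FortiGate angle of this actor, written here as an added example rather than anything from the profile or the group's own tooling. The affected-version ranges are the ones Fortinet published for CVE-2024-55591 (PSIRT advisory FG-IR-24-535); the log triage looks for successful admin logins whose interface is "jsconsole", the post-exploitation indicator Fortinet listed for that CVE. The FortiOS event-log lines are constructed for this example in FortiOS's key="value" format, and the management-host allowlist is an environment-specific assumption.

```python
"""
Added example (not part of the profile): FortiGate triage helpers.
  is_fortios_vulnerable()       version-range check for CVE-2024-55591
  suspicious_jsconsole_logins() scan FortiOS event logs for jsconsole admin logins
Sample log lines below are constructed, not captured from a real device.
"""
import re
from typing import Iterable

# Affected ranges from Fortinet PSIRT FG-IR-24-535 (inclusive bounds).
# Fixed in FortiOS 7.0.17 and FortiProxy 7.0.20 / 7.2.13.
AFFECTED = [
    ("fortios", (7, 0, 0), (7, 0, 16)),
    ("fortiproxy", (7, 0, 0), (7, 0, 19)),
    ("fortiproxy", (7, 2, 0), (7, 2, 12)),
]

_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(v: str) -> tuple:
    """'v7.0.16', '7.0.16' or '7.0.16 build0667' -> (7, 0, 16)."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_fortios_vulnerable(product: str, version: str) -> bool:
    """True if (product, version) falls inside a published affected range."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for p, lo, hi in AFFECTED if p == product.lower())


# FortiOS logs are space-separated key=value pairs; values with spaces are
# double-quoted (msg="..."), scalar ones such as date=2026-01-12 are not.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> dict:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def suspicious_jsconsole_logins(lines: Iterable[str],
                                allowed_srcips=frozenset()) -> list:
    """Return successful admin logins via the jsconsole interface that did not
    originate from an allowlisted management host. allowed_srcips is an
    assumed, environment-specific set; exploitation of CVE-2024-55591 showed
    up as jsconsole logins from arbitrary source IPs."""
    hits = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("logdesc") != "Admin login successful":
            continue
        if rec.get("status") != "success":
            continue
        if "jsconsole" not in (rec.get("ui", ""), rec.get("method", "")):
            continue
        if rec.get("srcip") in allowed_srcips:
            continue
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "user": rec.get("user"),
            "srcip": rec.get("srcip"),
            "sn": rec.get("sn"),
        })
    return hits


# Constructed sample: one jsconsole login from a bogus source, one normal
# HTTPS login by an operator, one failed jsconsole attempt.
SAMPLE_LOGS = [
    'date=2026-01-12 time=03:14:07 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" sn="1736651647" '
    'user="admin" ui="jsconsole" method="jsconsole" srcip="1.1.1.1" dstip="10.0.0.1" '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'date=2026-01-12 time=09:02:11 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" sn="1736672531" '
    'user="netops" ui="https(10.20.0.5)" method="https" srcip="10.20.0.5" '
    'dstip="10.0.0.1" action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator netops logged in successfully from https(10.20.0.5)"',
    'date=2026-01-12 time=03:14:20 logid="0100032002" type="event" subtype="system" '
    'level="alert" vd="root" logdesc="Admin login failed" sn="1736651660" '
    'user="admin" ui="jsconsole" method="jsconsole" srcip="127.0.0.1" dstip="10.0.0.1" '
    'action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from jsconsole"',
]

if __name__ == "__main__":
    for product, ver in [("FortiOS", "v7.0.16"), ("FortiOS", "7.0.17"), ("FortiProxy", "7.2.12")]:
        print(product, ver, "vulnerable" if is_fortios_vulnerable(product, ver) else "patched/unaffected")
    for h in suspicious_jsconsole_logins(SAMPLE_LOGS):
        print("jsconsole admin login:", h)
```

A version match says the device is exposed, not that it was compromised; the log check is the cheaper first pass across a fleet, since the actor's FortiGate footprint predates most victims' awareness. Devices on an affected build with any unexplained jsconsole login should be treated as already part of the relay fleet and rebuilt rather than merely patched.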
KNOWN INFRASTRUCTURE
Tor-based data leak site; RocketChat-based affiliate communications; hosting at 4VPS (since compromised); approximately 14,700 pre-staged FortiGate devices used as operational relay box (ORB) nodes, concentrated in APAC and Latin America; qTox and the Session messenger for victim negotiation; in-house LLM tooling under development