The Gentlemen RaaS Internal Chats and Backend Data Leaked on Breached Forum — Rare Visibility Into 10% of 2026 Global Ransomware Victims, Affiliate Economics, and EDR-Killer Tooling
On May 4, 2026, KELA observed partial internal chats and alleged backend data for The Gentlemen RaaS advertised on the cybercrime forum Breached for $10,000. The group now accounts for 10% of all publicly claimed ransomware victims globally in 2026, with 328 confirmed victims. The data was subsequently released for free, exposing nearly six months of operator communications (November 2025–April 2026). The leak reveals affiliate operator handles (zeta88, Wick, mAst3r, Kunder, qbit), a 90/10 ransom-split model with a 97% cut for data-only extortion, use of compromised Outlook Web Access as both initial access and payload staging, an EDR killer tool, and at least one instance of victim blackmail using sensitive medical content. The group patched its encryptor the same day a free decryptor was released in April, demonstrating a highly responsive development cycle that defenders should expect to continue.
This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.