A massive internal data leak has blown the lid off “The Gentlemen,” a highly organized Ransomware-as-a-Service (RaaS) cartel that has rapidly become one of the most prolific threats of 2026. The exposure of their backend database offers defenders an unprecedented, unfiltered look into the daily operations of a modern cyber-extortion empire.
On May 4th, 2026, the shadowy administrator of The Gentlemen RaaS was forced to publicly acknowledge a severe operational failure: their internal backend database, known as “Rocket,” had been compromised and leaked to underground forums.
A newly published analysis by Check Point Research has dissected the 16 GB cache of leaked chats, server logs, and transaction histories. The findings completely demystify the group’s hierarchy, revealing that their massive scale—over 330 published victims in just five months—is not the work of a sprawling, decentralized crowd, but rather a tight-knit, highly coordinated syndicate.
“This leak exposed 9 accounts, including zeta88 (aka hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program,” the report states.
For everyone from seasoned CISOs to junior system administrators, the tactical data within this leak is a goldmine. The Gentlemen operate with a ruthlessly efficient, human-operated playbook that favors exposed edge infrastructure.
Check Point researchers noted that the internal chats provide a “rare end-to-end view of the operation,” detailing everything from initial access via Fortinet and Cisco edge appliances to their evasion toolkit.
The group relies heavily on a shared arsenal that includes ZeroPulse for command-and-control, NetExec for Active Directory discovery, and custom-built EDR evasion tools like gfreeze. Furthermore, they are highly attentive to the latest security flaws.
“The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073 and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline.”
In one chat, operators explicitly discussed weaponizing CVE-2025-33073 for NTLM reflection attacks, in which authentication coerced from a host is relayed back to that same host, and integrating tools like RelayKing to systematically map out vulnerable targets within a domain.
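The NTLM relay and reflection workflows described above leave a recognisable shape in logon telemetry, which is the kind of workflow-level monitoring the analysis recommends. What follows is an added example, not Check Point's code or any tool from the leak: hypothetical Python detection logic run over a handful of constructed Windows Security 4624 records. The host inventory, the time window, the threshold and the three heuristics are assumptions. It flags a host's own machine account authenticating to that host over NTLM from another address (the shape of a reflection), a machine account arriving from an IP that is not the machine's own (a relay), and one source authenticating over NTLM to many hosts in a short window (the fan-out of an SMB discovery tool such as NetExec).

```python
"""Flag NTLM reflection, relay and fan-out patterns in Windows 4624 logon events.

Added example, not from the Check Point report or the leaked tooling. Field names
follow the Windows 4624 event schema; the inventory and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of hostname -> primary IP (in practice from AD/DHCP/CMDB).
INVENTORY = {"DC01": "10.0.0.10", "FS01": "10.0.0.20", "WS07": "10.0.0.70"}

# Addresses that mean "this host itself" ("-" is what Windows logs when unknown).
LOOPBACK = {"127.0.0.1", "::1", "-"}

# Assumed tuning: one source reaching this many hosts within the window is fan-out.
FANOUT_WINDOW = timedelta(minutes=5)
FANOUT_DISTINCT_HOSTS = 3


def is_machine_account(name):
    return name.endswith("$")


def detect(events):
    """Return a list of findings (dicts) for NTLM network logons in `events`."""
    findings = []
    by_source = defaultdict(list)  # source IP -> [(time, host)] of NTLM network logons
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue  # only network logons are relevant to relay/reflection
        if ev["AuthenticationPackageName"].upper() != "NTLM":
            continue  # Kerberos logons are out of scope for this heuristic
        host, user, src = ev["Computer"], ev["TargetUserName"], ev["IpAddress"]
        local = LOOPBACK | {INVENTORY.get(host.upper(), "")}
        if is_machine_account(user) and user[:-1].upper() == host.upper() and src not in local:
            # The host's own machine account logging on to the host over the network
            # from somewhere else: coerced authentication relayed back to its origin.
            findings.append({"rule": "ntlm_reflection", "host": host, "user": user, "source": src})
        elif is_machine_account(user):
            # A machine account should originate from that machine's own address.
            expected = INVENTORY.get(user[:-1].upper())
            if expected and src not in LOOPBACK and src != expected:
                findings.append({"rule": "ntlm_relay_source_mismatch", "host": host,
                                 "user": user, "source": src})
        by_source[src].append((ev["TimeCreated"], host))

    # Fan-out: one source authenticating to many distinct hosts in a short window.
    for src, hits in by_source.items():
        if src in LOOPBACK:
            continue
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_DISTINCT_HOSTS:
                findings.append({"rule": "ntlm_fanout", "source": src, "hosts": len(hosts)})
                break
    return findings


def _ev(host, user, src, when, pkg="NTLM"):
    return {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": pkg,
            "Computer": host, "TargetUserName": user, "IpAddress": src,
            "TimeCreated": datetime.fromisoformat(when)}


# Constructed sample log: two benign records, one Kerberos record, then an
# attacker at 10.0.0.99 reflecting FS01$ onto FS01, relaying DC01$ to FS01,
# and touching three hosts inside five minutes.
SAMPLE_EVENTS = [
    _ev("FS01", "alice", "10.0.0.70", "2026-05-04T09:00:00"),          # benign user logon
    _ev("FS01", "FS01$", "127.0.0.1", "2026-05-04T09:00:05"),          # benign self-logon
    _ev("DC01", "bob", "10.0.0.70", "2026-05-04T09:00:10", "Kerberos"),  # ignored
    _ev("FS01", "FS01$", "10.0.0.99", "2026-05-04T09:01:00"),          # reflection
    _ev("FS01", "DC01$", "10.0.0.99", "2026-05-04T09:01:30"),          # relay
    _ev("DC01", "alice", "10.0.0.99", "2026-05-04T09:02:00"),          # fan-out ...
    _ev("WS07", "alice", "10.0.0.99", "2026-05-04T09:03:00"),          # ... across hosts
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The heuristics are deliberately coarse: the inventory lookup is what turns "machine account from an unexpected IP" into a usable signal, and without it the rule degrades to noise on multi-homed hosts. None of this substitutes for the mitigation that removes the relay class outright, which is requiring SMB signing (and EPA for LDAP/HTTP) so that relayed NTLM sessions fail regardless of which tool drives them.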
The leak contained a detailed case study of a double-breach involving a UK software consultancy and a subsequent victim in Turkey. The group didn’t just steal data from the UK firm; they weaponized internal project documents to successfully breach the Turkish company.
Once both networks were compromised, the threat actors engaged in a highly aggressive extortion strategy.
“The Gentlemen used this during negotiations as a dual-pressure tactic: they portrayed the UK firm as the ‘access broker,’ while mentioning to provide ‘proof’ to the Turkish company that the intrusion originated from the UK side and encouraging it to consider legal action against the consultancy.”
The leak also highlights a growing trend among cybercriminals: the integration of generative AI. The administrator, zeta88, openly bragged about “vibe-coding” the group’s entire RaaS panel in just three days using AI-assisted development. The group frequently references experimenting with uncensored, locally hosted Chinese LLMs like DeepSeek and Qwen to assist in triaging stolen data and discovering bypass techniques.
The Gentlemen operate like a lean corporation: distributing 90% affiliate cuts, actively monitoring competitors' tactics (such as Black Basta's certificate abuse), and using complex exchange chains and over-the-counter physical cash deliveries to launder their Bitcoin payouts.
As the Check Point Research analysis concludes, this incident underscores a critical reality for enterprise security teams: contemporary RaaS programs seamlessly blend productized ransomware with highly professional intrusion teams. To defend against them, organizations must urgently harden internet-facing services, remediate edge-device misconfigurations, and continuously monitor for the specific tools and workflows outlined in this extraordinary leak.