Jun 18, 2026 · 6 min read
Who Runs 'The Gentlemen' Ransomware? Krebs Names Him
Alexander Andreevich Yapaev, 36, of Izhevsk, Russia — publicly a B2B marketing executive — is identified by Krebs as the administrator of 2026's second-busiest ransomware group, tied together through Intel 471, Epieos, Constella, and a chain of forum registrations dating to 2019.
In mid-2025, a new ransomware operation appeared on criminal forums advertising an unusually aggressive affiliate deal: 90% of every ransom, paid directly to the attacker doing the work. Within months, "The Gentlemen" had become the second most active ransomware group on the planet. Now, thanks to a methodical open source investigation published by Brian Krebs, the person who built it has a name.
Key Takeaways
- Alexander Andreevich Yapaev, 36, of Izhevsk, Russia, has been identified as the administrator of The Gentlemen ransomware group, per a June 2026 Krebs on Security investigation.
- The Gentlemen claimed 332 victims between mid-2025 and June 2026 — with 240+ attacks in 2026 alone — making it the second busiest ransomware operation by victim count this year.
- The group's 90/10 revenue split (affiliates keep 90%) undercuts the industry standard 80/20 model and has driven rapid affiliate recruitment.
- Attribution relied on four intelligence platforms — Intel 471, Epieos, Constella Intelligence, and Flashpoint — converging on the same identity through a chain of email addresses, phone numbers, and forum registrations.
- Yapaev's LinkedIn profile publicly listed him as head of B2B marketing at Uralenergo Udmurtia, an Izhevsk energy company, at the time of publication.
Who Are The Gentlemen?
The Gentlemen launched as a ransomware-as-a-service (RaaS) operation in September 2025. By June 2026, the group had published 332 victims on its leak site — with 240 of those occurring in 2026 alone. Check Point Research, which produced a detailed technical breakdown of the group, places it second only to Qilin in raw victim volume, ahead of established names like Cl0p, RansomHub, and what remains of LockBit.
The number that drew serious attention from researchers wasn't the victim count. It was the split. Most RaaS operations keep 20% of every ransom paid. The Gentlemen inverted that logic — the administrator retains just 10%, funneling 90% to whoever did the intrusion. By victim count, the strategy worked.
How Does the Group Operate?
The Gentlemen's entry vector is consistent: internet-facing devices, specifically Fortinet FortiGate appliances and SSL-VPN endpoints. According to PRODAFT, the administrator supplies affiliates directly with brute-forced Fortinet SSL-VPN credentials, some sourced from the group's own breach database. Halcyon's analysis found attackers cycling through roughly 1,000 Fortinet VPN targets, with reused passwords like "gentlemen25" and "gentle26" appearing across multiple victims.
Once inside, the attack chain is fast. Affiliates use Active Directory enumeration, EDR evasion via registry manipulation and vulnerable driver exploitation, and automated exfiltration targeting NAS devices and backup systems. Networks are encrypted within hours of initial access. The administrator built the group's GLOCKER admin panel in three days using AI-assisted coding — with Chinese language models DeepSeek, Qwen, and Kimi cited as preferred tools in leaked internal chats.
The group actively monitors published CVEs. Check Point researchers identified The Gentlemen evaluating CVE-2024-55591 (FortiOS management), CVE-2025-32433 (Erlang SSH), and CVE-2025-33073 (NTLM relay) for potential exploitation. This is systematic vulnerability triage, not opportunistic scanning.
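The entry pattern described above (many SSL-VPN login failures across several accounts from one source, followed by a successful tunnel) is something a defender can look for in FortiGate event logs. The following is an added example, not code from the article or from Check Point, PRODAFT or Halcyon; the log lines are constructed, and the key=value field names (`action`, `remip`, `user`) are assumptions about the log layout, not copied from vendor documentation.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL-VPN event lines. Field names are assumed,
# not taken from a real device; addresses are documentation ranges.
SAMPLE_LOGS = """\
date=2026-06-10 time=02:14:01 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-06-10 time=02:14:03 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_permission_denied"
date=2026-06-10 time=02:14:05 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="backup" reason="sslvpn_login_permission_denied"
date=2026-06-10 time=02:14:08 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="vpnuser" reason="sslvpn_login_permission_denied"
date=2026-06-10 time=02:14:11 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc_nas" reason="sslvpn_login_permission_denied"
date=2026-06-10 time=02:14:15 subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="svc_nas" tunneltype="ssl-tunnel"
date=2026-06-10 time=08:30:22 subtype="vpn" action="ssl-login-fail" remip=198.51.100.4 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-10 time=08:30:40 subtype="vpn" action="tunnel-up" remip=198.51.100.4 user="alice" tunneltype="ssl-tunnel"
"""

# key=value pairs; values may be quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_spray_then_login(log_text, min_failures=5, min_users=3):
    """Flag source IPs that fail against several distinct accounts and then
    bring up a tunnel: the spray-then-success pattern. A single typo'd
    password from a legitimate user (second IP in the sample) is not flagged."""
    fails = defaultdict(list)   # remip -> usernames that failed from it
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        ip, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == "ssl-login-fail":
            fails[ip].append(user)
        elif ev.get("action") == "tunnel-up":
            tried = fails.get(ip, [])
            if len(tried) >= min_failures and len(set(tried)) >= min_users:
                hits.append({"remip": ip, "user": user, "failures": len(tried),
                             "accounts_tried": sorted(set(tried))})
    return hits


if __name__ == "__main__":
    for hit in find_spray_then_login(SAMPLE_LOGS):
        print(f"ALERT spray-then-login from {hit['remip']}: "
              f"{hit['failures']} failures over {hit['accounts_tried']}, "
              f"then tunnel as {hit['user']}")
```

On real exports, feed the function the raw event log text; the thresholds are starting points to tune against your own baseline of failed logins per source.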
How Did Krebs Identify the Administrator?
Check Point's initial research identified the group's administrator as operating under the alias Zeta88, with a secondary alias Hastalamuerte. Krebs combined four intelligence platforms to trace the real identity behind those handles.
Intel 471 found Zeta88 forum registrations on Exploit, BreachForums, RaidForums, and Nulled dating back to 2019, with login IP addresses pointing consistently to Izhevsk, Russia.
Epieos, a tool that reverse-searches email addresses against connected accounts, linked a ProtonMail address associated with the Hastalamuerte alias to an Apple account and a GitHub profile using username variations of "4apai18."
Constella Intelligence connected the Telegram ID 30907522 (used by @hastalamuerte18) to a Russian phone number: 79127650004. Constella also accessed hacked Russian government databases containing identity records.
Flashpoint independently associated the Telegram username with the same unique identifier number, cross-validating the Constella finding.
Public records tied the phone number and Izhevsk location to Alexander Andreevich Yapaev, born 1990. His LinkedIn profile — still publicly visible at the time Krebs published — listed him as head of B2B marketing at Uralenergo Udmurtia, a regional energy company. Additional aliases tracked to the same cluster include SantaMuerte, bu4vs, and Alexandr 4apaev.
Why Did the OSINT Work?
Yapaev's exposure illustrates a principle that security researchers understand but threat actors consistently underestimate: early-career opsec failures are almost impossible to erase. The forum registrations Intel 471 traced dated to 2019 — seven years before The Gentlemen launched. By the time he was running a sophisticated RaaS operation, those 2019 registrations were already in commercial threat intelligence databases, indexed and searchable.
No single data point identified Yapaev. It was the convergence: a ProtonMail address linked to an Apple account, a Telegram ID that matched a Russian phone number, forum registration IPs that put him in one specific city. Each link was individually deniable. Together, they were not.
Why Russian Tolerance Matters
Russia does not extradite its nationals for cybercrime charges brought by Western governments. Russian cybercriminals operate with what amounts to implicit acceptance, provided they follow an unwritten rule: do not target Russian organizations or Russian citizens. The Gentlemen's victim list spans 66 countries. None are in Russia.
Public attribution by journalists like Krebs creates reputational and operational pressure, and may complicate future travel or financial activity, but it does not automatically produce criminal consequences. The value of a Krebs investigation is less about triggering arrest and more about disrupting recruitment, eroding affiliate trust, and — occasionally — prompting law enforcement action when a named actor makes a mistake.
Why Email and Inbox Security Matter Here
Ransomware groups don't only encrypt servers. They steal data first. The Gentlemen's affiliates exfiltrate from NAS devices and backup systems before deploying their locker — meaning every email archive on a compromised network is a potential leak. For journalists and activists, that includes source communications. For security teams, it means checking whether a compromised endpoint had access to email infrastructure.
The group's use of breached Fortinet credentials sourced from its own leak database is also a reminder that stolen corporate credentials rarely stay in one place. A Fortinet SSL-VPN credential and a corporate email password often originate from the same breach dump. As covered in our analysis of how hackers use tracking pixels to find live inboxes, and in our reporting on AI-driven phishing attacks now accounting for 82% of email threats, credential reuse is a primary entry point into communications infrastructure.
The Gentlemen's administrator is now named. Whether that changes anything for his 332 victims is a different question entirely.