A ransomware collective calling itself The Gentlemen has risen to become the second most prolific ransomware group by victim count this year, and researchers now believe they have identified the real-world person running it.
Rapid Rise Through Generous Affiliate Payouts
According to analysis by Check Point Software, The Gentlemen operates as a ransomware-as-a-service (RaaS) platform that launched in mid-2025 and has since claimed at least 332 published victims, with more than 240 of those recorded in 2026 alone. The group’s growth is partly attributed to an unusually favorable affiliate revenue split: operators who deploy the ransomware keep 90 percent of any ransom collected, compared to the 80 percent more commonly offered by competing programs. That differential has reportedly drawn experienced operators away from rival groups.
Check Point notes the group favors Internet-facing devices, including VPNs and firewalls, as initial entry points, and is capable of encrypting entire networks within hours of gaining access.
The Administrator Behind the Operation
Check Point identified the group’s administrator using the handle Zeta88 on Russian-language cybercrime forums, a persona previously operating under the nickname Hastalamuerte. A breach of the group’s backend infrastructure confirmed that this individual assembles the locker and RaaS panel, manages payments, and receives the remaining 10 percent of all ransoms collected.
Cyber intelligence firm Intel 471 found that Hastalamuerte has registered on nearly a dozen cybercrime forums since 2019, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled. Registration records show the Breachforums account was created in January 2025 from an IP address in Izhevsk, the capital of Russia’s Udmurt Republic. A separate Zeta88 account on the forum Breached was registered in August 2022 from a different Izhevsk address.
Connecting Handles to a Named Individual
Intel 471 found that Hastalamuerte registered on Raidforums in 2020 using an email address at Protonmail. An open-source intelligence lookup via Epieos tied that address to an Apple account, a phone number, and a GitHub account under the username SantaMuerte. That GitHub profile is marked private but shows activity involving malware tools and exploits.
A Telegram handle posted by Hastalamuerte on the Nulled forum in 2020 led to a unique Telegram ID number. Breach-tracking service Constella Intelligence linked that ID to another username and to a Russian mobile phone number. Searching that phone number against hacked Russian government databases returned records identifying the subscriber as Alexander Andreevich Yapaev, a 36-year-old resident of Izhevsk.
Further corroboration came from Intel 471, which found a SantaMuerte account on the Russian hacking forum Codeby originally registered under the name Alexandr 4apaev. Constella also connected Yapaev’s email address to a LinkedIn profile where he identifies himself as head of B2B marketing at Uralenergo Udmurtia, described as one of Russia’s largest electrotechnical and lighting product suppliers. Yapaev did not respond to requests for comment.
Why Russian Cybercriminals Often Leave a Trail
As with prior investigations of this kind, the operational security failures that enabled identification accumulated across years of forum activity, often beginning at a point in the subject’s career when the risks seemed abstract. Russia’s general posture of tolerating domestic cybercrime, provided attackers avoid targeting Russian entities and pay the appropriate informal dues, also reduces the perceived urgency of covering one’s tracks carefully.
