In a ransomware economy where most affiliates earn 80 percent of a victim's ransom, one group is offering 90. That ten-point spread is the recruiting wager that, according to researchers at Check Point Software as reported by Krebs on Security, has propelled The Gentlemen from a mid-2025 launch to the second most active ransomware operation in the world by victim count, with 332 claimed victims across its lifetime and more than 240 in 2026 alone.
The economics are blunt. Affiliates, the operators who actually break into networks and run the encryption, take home the overwhelming share. The group's administrator, by Check Point's account, keeps roughly ten percent and handles the surrounding machinery: the locker that scrambles files, the RaaS panel affiliates log into, and the payment and negotiation flow. In a criminal market where the 80/20 split has long been treated as standard, paying out ninety cents on the dollar is a way to lure experienced operators away from rivals. It also explains the speed of The Gentlemen's climb.
The identity thread runs through a handle. Krebs traces the administrator to "Hastalamuerte," a username documented by Intel 471 as active on Exploit, Breachforums, Ramp_V2, BHF, Raidforums, Nulled, and Breached across Russian- and English-language cybercrime venues since 2019. A second handle, Zeta88, appears in the same circles. Both accounts registered from internet addresses pointing to Izhevsk, the capital of Russia's Udmurt Republic and a city better known for Kalashnikov's original factory than for digital extortion. Krebs' reporting treats these traces as investigative leads to a real-life identity, not as courtroom attribution.
The operational pattern that follows is consistent across victims. Attackers go after internet-facing devices first (corporate VPNs and edge firewalls with known or unpatched flaws), then pivot inside and encrypt the network within hours. The victims on the group's leak site, which has listed 332 names since the operation's mid-2025 start, are largely self-reported: a public shaming layer that doubles as a pressure tactic during ransom negotiations. The 2026 figure of 240-plus is from the same source. Independent tallies do not exist.
Two things make this story worth more than the usual ransomware tally. First, the affiliate split is documented, not assumed. Krebs cites Check Point's operational visibility into the panel, the locker, and the payment rails, which is what allows the 90/10 framing to be asserted with that level of confidence. Second, the Izhevsk anchor is corroborated: independent forum-history research from Intel 471 lines up with Check Point's network-attribution work, so the geographic lead rests on more than a single screenshot, as laid out in the Krebs investigation.
The implications spread outward. For defenders, the recruiting logic predicts which rival groups are most likely to respond. If a 90/10 split works, expect competing RaaS programs to test higher payouts, looser rules on targets, or faster ransom-laundering turnarounds. For policymakers, the affiliate-economics angle offers a more concrete disruption target than victim-count shaming. For prospective affiliates, the model is on the record: ninety cents on the dollar in exchange for the legal exposure that comes with running a corporate network through an encryption event.
Krebs' investigation, drawing on Check Point and Intel 471's separate research streams, ends with a city on a map and a recruiting contract, not with a name behind a keyboard and not with charges filed. The next move belongs to law enforcement, if it comes, and to the next RaaS program that wants to keep its affiliates from drifting toward a better offer.