Unmasking The Gentlemen: Ransomware Group’s Zeta88 Emerges as Key Operator Behind 332 Victims


A cybercrime syndicate known as The Gentlemen has rapidly ascended to become the second most active ransomware group in terms of victim count, leveraging a lucrative recruitment strategy that offers affiliates a staggering 90 percent of any ransom collected. This article delves into the emerging identity of the group’s administrator, shedding light on the broader implications of their operations.

The Rise of The Gentlemen

According to experts from Check Point Software, The Gentlemen operates on a “ransomware-as-a-service” (RaaS) model, enticing skilled hackers to distribute its malware in exchange for a substantial share of the profits. The group’s aggressive affiliate revenue split, which significantly exceeds the industry standard of 80/20, has attracted experienced operators from rival programs, thereby accelerating its growth.

Check Point’s research indicates that The Gentlemen has claimed at least 332 victims since its inception in mid-2025, with over 240 of those incidents occurring in 2026 alone. The group primarily targets Internet-facing devices such as VPNs and firewalls, swiftly encrypting entire networks within hours of gaining access.

Identifying the Administrator: Zeta88

The administrator of The Gentlemen, known by the aliases Zeta88 and Hastalamuerte, has been identified as a key figure in the group’s operations. A breach of the group’s backend infrastructure revealed that this individual is responsible for assembling the ransomware locker and RaaS panel, managing payments, and overseeing the entire operation, retaining 10 percent of all ransoms.

Background of Hastalamuerte

Cyber intelligence firm Intel 471 has traced the activities of Hastalamuerte, revealing that this individual is fluent in both Russian and English and has registered on numerous cybercrime forums since 2019. Notable platforms include Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Hastalamuerte registered on Breachforums in January 2025 from an IP address located in Izhevsk, the capital of Russia’s Udmurt Republic. Similarly, Zeta88 created an account on the English-language forum Breached in August 2022 from a different address in the same city.

Email and Online Footprint

Investigations by Intel 471 indicate that Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com. The number “1488” is often associated with white supremacist ideologies. A lookup of this email through the open-source intelligence service Epieos revealed connections to an Apple account and a phone number ending in 04.

Epieos further links this Protonmail address to a GitHub account under the username SantaMuerte, which, while private, shows activity related to the development of various malware tools and exploits.

In April 2020, Hastalamuerte disclosed their Telegram contact as @hastalamuerte18, with the unique Telegram ID 30907522. The breach tracking service Constella Intelligence has connected this ID to another username, bu4vs, and a Russian phone number 79127650004. Records from hacked Russian government databases associate this number with Alexander Andreevich Yapaev, a 36-year-old resident of Izhevsk.

Connections to Real-World Identity

Constella’s findings indicate that Yapaev used this phone number to create an account on the Russian social media platform Pikabu under the name 4apai18. He has also registered on various websites using common surnames like Ivanov and Chapaev.

Further investigations reveal that an account named SantaMuerte was created in 2020 on the Russian hacking forum Codeby, originally registered under the name Alexandr 4apaev. Yapaev frequently utilized the email address bu4vs@mail.ru, which is linked to a LinkedIn account for Alexander Yapaev, who claims to be the head of B2B marketing at Uralenergo Udmurtia, a major supplier of electrotechnical and lighting products in Russia.

Yapaev has not responded to multiple requests for comment.

The Broader Cybercrime Landscape

The apparent ease with which many Russian cybercriminals operate under their real identities raises questions about the motivations behind their actions. Many individuals do not initially set out to become cybercriminals; rather, they gradually become involved as their skills develop.

The Russian government’s approach to cybercrime further complicates the landscape. Authorities often co-opt or overlook cybercriminal activities, provided that these do not target Russian businesses or citizens. This environment allows successful cybercriminals to operate with relative impunity, as long as they adhere to unwritten rules and avoid international travel.

Moreover, many cybercriminals, regardless of nationality, tend to make fundamental operational security mistakes early in their careers. A review of Hastalamuerte’s early posts on crime forums from 2019 to 2020 reveals a hacker still learning the ropes and striving to build a reputation within these communities.

For instance, in June 2020, Hastalamuerte’s Telegram account participated in a multi-month training program to learn popular penetration testing tools, with candid posts reflecting struggles to effectively utilize these tools.

Recent Developments

As of June 11, 2026, the threat research group PRODAFT has released a detailed report on The Gentlemen’s operations. Their findings corroborate the identity of Zeta88/Hastalamuerte, indicating that this administrator provides affiliates with initial access, primarily through Fortinet SSL-VPN credentials obtained via brute-force attacks or from the group’s leak database. PRODAFT also discovered that the administrator employs AI to develop and maintain the ransomware and associated tools, as well as to assist with post-exploitation activities.

Source: krebsonsecurity.com
