
The Gentlemen's 90/10 Cut Is Reshaping Ransomware Economics — And Exposing Its Operators

The Gentlemen ransomware group's 90/10 affiliate split is recruiting elite operators globally, reshaping RaaS economics — and exposing their administrator.

Zyfolks Team

A ransomware crew is paying its affiliates 90 percent of every ransom — and in doing so, it just became the second-most-active extortion group on the internet. The Gentlemen, a Russian-speaking ransomware-as-a-service operation that surfaced in mid-2025, has redrawn how criminal crews recruit, and the security industry is already pulling on threads that may unmask its administrator. For defenders, the story is less about one alleged operator in Izhevsk and more about what happens when criminal economics flip in the attackers’ favor.

Why a 90/10 Affiliate Split Changes the Ransomware Market

According to researchers at Check Point Software, The Gentlemen offers affiliates a 90/10 revenue split versus the industry-standard 80/20, and that single change is “accelerating the group’s growth by attracting experienced operators from competing programs.” Check Point reports the group has claimed at least 332 published victims since inception and more than 240 in 2026 alone, making it the second most active ransomware gang by victim count this year.

This matters because ransomware affiliate programs are labor markets. When one program pays 10 percentage points more per job, the best intrusion operators migrate, taking their tradecraft, access brokers, and tooling with them. Mature, well-funded affiliates — the ones who can pop a Fortune 500 VPN before lunch — now have a financial reason to consolidate under one banner. Defenders who were tracking a fragmented ecosystem of mid-tier crews suddenly face a smaller number of better-resourced ones.

If you run a mid-market hospital network or a regional manufacturer with Internet-facing firewalls and VPN appliances, this directly raises your threat profile: Check Point says The Gentlemen targets exactly those edge devices and encrypts entire networks within hours of initial access. Expect the 80/20 floor to crack across the rest of the RaaS market within the next twelve months as competing programs match the cut to retain talent.

How OPSEC Mistakes Unmasked the Alleged Administrator

The second story buried in the reporting is a clean attribution case study. Check Point identifies the administrator behind the nicknames Zeta88 and Hastalamuerte as the person who builds the locker, runs the RaaS panel, manages payments, and takes the 10 percent house cut. Intel 471 traces Hastalamuerte across nearly a dozen forums — Exploit, Breachforums, Ramp_V2, BHF, Raidforums, Nulled — registered between 2019 and today, with Breachforums and Breached signups originating from IP addresses in Izhevsk, capital of Russia’s Udmurt Republic.

From there, the chain follows a standard OSINT pivot. A Protonmail address — hastalamuerte1488@protonmail.com — surfaces on Raidforums in 2020. Epieos links it to an Apple account, a phone number ending in 04, and a private GitHub account named SantaMuerte that has been watching malware tooling. A 2020 Nulled post tied Hastalamuerte to Telegram handle @hastalamuerte18, which Flashpoint matches to Telegram ID 30907522, which Constella Intelligence in turn connects to the Russian phone number 79127650004 — registered, per leaked Russian government databases, to Alexander Andreevich Yapaev, a 36-year-old from Izhevsk who lists himself on LinkedIn as head of B2B marketing at Uralenergo Udmurtia. Yapaev did not respond to requests for comment.

Why it matters: this attribution path was built almost entirely from public and commercial intelligence sources stitched together by selectors: email, phone, Telegram ID, forum nickname. Imagine you’re a corporate threat-intel lead trying to brief your board on a specific actor; the same toolkit (Constella, Intel 471, Flashpoint, Epieos) that traced Hastalamuerte’s pivot from teenage forum lurker to alleged RaaS administrator is available to you. The lesson for defenders is that long-lived identifiers are kryptonite for criminals, and that the people running today’s largest crews mostly made their OPSEC mistakes when they were nobodies.
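As an added example (not code from the article, nor from Check Point, Intel 471, Flashpoint, Constella or Epieos), here is the selector-linking step of the pivot described above in miniature: each source contributes one observed pair of selectors, a breadth-first search recovers the evidence chain between two selectors together with the source that justifies each hop, and a reachability walk yields the full set an analyst would treat as burned. All selector values are constructed placeholders, not the identifiers in the article.

```python
# Added example (not Check Point's or Intel 471's code): a minimal selector-pivot
# graph a CTI analyst builds to stitch multi-source findings. Values are placeholders.
from collections import deque

# (source, selector_a, selector_b): one source saw both selectors on one account.
OBSERVATIONS = [
    ("forum-post-2020", "nick:example_handle", "email:handle@example.invalid"),
    ("email-enrichment", "email:handle@example.invalid", "github:example-dev"),
    ("forum-post-2020b", "nick:example_handle", "tg-handle:@example_handle"),
    ("tg-resolver", "tg-handle:@example_handle", "tg-id:000000000"),
    ("leak-index", "tg-id:000000000", "phone:+7-000-000-0000"),
    ("unrelated-leak", "email:other@example.invalid", "phone:+7-111-111-1111"),
]

def build_graph(observations):
    """Undirected adjacency map; each edge keeps the source that asserted it."""
    graph = {}
    for source, a, b in observations:
        graph.setdefault(a, []).append((b, source))
        graph.setdefault(b, []).append((a, source))
    return graph

def pivot_chain(graph, start, goal):
    """Shortest (selector, via_source) chain from start to goal, or None if unlinked."""
    parents, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for neighbour, source in graph.get(node, []):
            if neighbour not in parents:
                parents[neighbour] = (node, source)
                queue.append(neighbour)
    if goal not in parents:
        return None
    chain, node = [], goal
    while parents[node] is not None:       # walk back to the start selector
        prev, source = parents[node]
        chain.append((node, source))
        node = prev
    return chain[::-1]

def linked_selectors(graph, start):
    """All selectors reachable from start; treat the whole set as burned."""
    seen, stack = {start}, [start]
    while stack:
        for neighbour, _ in graph.get(stack.pop(), []):
            if neighbour not in seen:
                seen.add(neighbour)
                stack.append(neighbour)
    return seen
```

The unrelated leak record shows the failure mode worth keeping in view: two selectors that never share a source stay unlinked, so the chain returns None rather than a guessed join.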

What This Means for Edge Device Defense and Critical Sectors

Check Point’s report is explicit that The Gentlemen’s preferred entry points are Internet-facing devices — VPN concentrators and firewalls — and that the group moves to full-network encryption in hours. That’s not novel; it’s the dominant ransomware playbook. What’s new is the speed at which a 90/10 program can scale attacker headcount against that same surface. Healthcare networks, logistics providers, and regional utilities are sitting on the exact mix of legacy appliances and weak segmentation this model preys on.

If you operate in a regulated vertical, treat your edge appliance inventory as a tier-zero asset. For teams running hospital and pharma platforms, that means tying VPN and firewall patching SLAs to the same change-control rigor as your EHR. For operators of shipping, food safety, and manufacturing platforms, it means accepting that a ransomware event on a single warehouse VPN can stall a multi-tier logistics chain for days. And for engineering leaders weighing immutable audit logs against operational performance, the tradeoffs between blockchain-backed records and traditional databases shift materially when forensic timelines compress from weeks to hours.

The prediction: within the next year, expect at least one major insurer to refuse coverage renewal for organizations that can’t prove a documented edge-device patching cadence — directly citing The Gentlemen’s tradecraft as justification.

FAQ

Q: What is ransomware-as-a-service (RaaS)?
A: RaaS is a criminal business model where one group builds and maintains the ransomware payload, payment infrastructure, and victim-negotiation portal, then licenses it to “affiliates” who perform the actual intrusions. The Gentlemen’s twist is paying affiliates 90 percent of each ransom instead of the typical 80 percent, keeping only 10 percent for the operator.

Q: Who is Hastalamuerte and what’s the evidence trail?
A: Hastalamuerte is the forum nickname Check Point and Intel 471 link to the administrator of The Gentlemen RaaS program. Through Protonmail, Telegram ID 30907522, Russian phone number 79127650004, and Constella’s records, the trail points to Alexander Andreevich Yapaev of Izhevsk — though Yapaev has not responded to comment requests and no charges have been filed.

Q: Why don’t Russian cybercriminals hide their identities better?
A: Per the original report, two reasons: most made sloppy OPSEC mistakes early in their careers before they had anything to lose, and the Russian government typically tolerates cybercrime that doesn’t target Russian citizens or businesses. Operators who avoid foreign travel and stay within those unwritten rules face little domestic prosecution risk.

Key Takeaways

  • Audit your Internet-facing VPN and firewall appliances this quarter — The Gentlemen’s entry pattern is unsophisticated, and uptime-driven patch delays are the real exposure
  • Expect competing RaaS programs to match the 90/10 affiliate split within twelve months, consolidating top intrusion talent under fewer banners
  • Long-lived identifiers — Protonmail addresses, Telegram IDs, GitHub handles — remain the single biggest attribution lever; assume any selector you’ve reused since 2019 is burned
  • Boards in healthcare, logistics, and energy should be briefed specifically on hours-to-encryption metrics, not just generic ransomware risk posture
  • Cyber insurance underwriting will tighten around documented edge-device hygiene; teams without auditable patch evidence should prepare for harder renewals
