Thus Spoke…The Gentlemen
Essential information
- Published
- 13/05/2026 16:46
- Modified
- 14/05/2026 08:39
- Tags
- 2026-05-13 CVE-2024-55591 CVE-2025-32433 CVE-2025-33073 affiliate program cisco cryptocurrency data leak fortinet ntlm-relay raas ransomware-as-a-service systembc the gentlemen tox-ids
- Related entities
- 3 vulnerabilities (cve), 33 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware, 2 others
Description
On May 4th, 2026, The Gentlemen RaaS administrator acknowledged that an internal backend database called Rocket had been leaked, exposing nine accounts including zeta88, the program's effective administrator. The leak revealed internal discussions detailing initial access methods through Fortinet and Cisco edge appliances, NTLM relay, and credential logs, along with the group's role divisions and toolsets. Evidence shows evaluation of CVEs including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Leaked ransom negotiations showed a successful payment of 190,000 USD. The group reused stolen data from a UK software consultancy to attack a Turkish company, employing dual-pressure tactics during negotiations. Analysis of ransomware samples identified eight distinct affiliate TOX IDs, indicating the administrator actively participates in infections alongside managing the RaaS program.