June 10, 2026

A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real-life identity for the administrator of The Gentlemen ransomware group.

A graphic created and shared by The Gentlemen ransomware group administrator Hastalamuerte on Breachforums in May 2026. Credit: ke-la.com.

Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.

“A 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs,” the researchers wrote in April.

Check Point found The Gentlemen are the second most active ransomware group by victim count so far this year, claiming at least 332 published victims since the group’s inception in mid-2025 and more than 240 in 2026 alone.

According to Check Point, the group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside moves quickly to encrypt entire networks within hours.

Check Point says the administrator and primary operator of the ransomware group uses the nickname Zeta88 on the Russian-language cybercrime forums, and that this individual was previously known under the moniker Hastalamuerte. Check Point noted that a breach of the group’s backend infrastructure made it clear that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program who receives 10 percent of all ransoms.

WHO IS HASTALAMUERTE?

The cyber intelligence firm Intel 471 shows that the user Hastalamuerte is a Russian- and English-speaking person who registered on almost a dozen cybercrime forums between 2019 and the present day, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Intel 471 reveals that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital city of Russia’s Udmurt Republic. Likewise, the user Zeta88 signed up at the English-language cybercrime forum Breached in August 2022 from a different Internet address in Izhevsk.

Intel 471 finds Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com (1488 is a common combination of two numeric symbols associated with white supremacy). A lookup on this address at the open source intelligence service Epieos shows it is connected to an account at Apple and to a phone number ending in 04.

Epieos says that Protonmail address is also linked to a GitHub account under the username SantaMuerte. That account is marked private, but a history of this user’s activity shows they are watching and developing a number of malware tools and exploits.

In April 2020, Hastalamuerte said on the crime forum Nulled that they could be contacted at the Telegram instant messenger name @hastalamuerte18, and the threat intelligence company Flashpoint finds this username is assigned the unique Telegram ID number 30907522 [full disclosure: Flashpoint is an advertiser on this blog].

The breach tracking service Constella Intelligence reports that Hastalamuerte’s Telegram ID is connected to another username — “bu4vs” — and to the Russian phone number 79127650004. Pivoting on this phone number in Constella fetches multiple records from hacked Russian government databases showing it is assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Constella reveals that phone number was used to create an account at the Russian social media platform Pikabu under the name “4apai18,” and shows Mr. Yapaev has signed up at a number of websites using the common surname Ivanov, or else “Chapaev” (the numeral 4 is often used as shorthand for a “ch” sound in Russian).

A search in Intel 471 for cybercrime forum members with the nickname SantaMuerte unearths an account by the same name created in 2020 on the Russian hacking forum Codeby. Intel 471 shows this user originally registered on Codeby with the not-so-subtle nickname Alexandr 4apaev.

Constella finds Mr. Yapaev regularly used the email address bu4vs@mail.ru. Meanwhile, Epieos shows this address is connected to a LinkedIn account for Alexander Yapaev, who lists himself as the head of B2B marketing at the company Uralenergo Udmurtia, one of Russia’s largest suppliers of electrotechnical and lighting products.

Mr. Yapaev did not respond to multiple requests for comment.

Nearly every time we publish one of these Breadcrumbs stories, readers are curious to know why it seems like so many cybercriminals from Russia apparently do little to hide their real life identities. The truth is that — Russian or not — most didn’t exactly set out to be arch criminals, but instead got drawn into the scene gradually over several years as their skills broadened and sharpened.

Another important dynamic is that the Russian government generally either co-opts or ignores cybercriminal activity within its borders so long as the hackers do not steal from or attack Russian businesses and citizens. As a result, successful cybercriminals in Russia are usually insulated from prosecution and arrest by foreign law enforcement agencies provided they occasionally pay off the right people and do not travel abroad. And cybercriminals who intend to strictly adhere to those unwritten rules may (at least initially) be less concerned about covering their tracks online.

But the simplest explanation is that cybercriminals of all nationalities tend to make a number of basic operational security mistakes early in their careers, when they are less savvy and have far less to lose by their carelessness. A review of Hastalamuerte’s early posts on the crime forums (circa 2019-2020) shows a relatively unsophisticated and low-skilled hacker still trying to learn the ropes and earn a positive reputation in these communities.

For example, in June 2020 Hastalamuerte’s Telegram account joined a multi-month training program (@pntst) to learn how to use popular penetration testing tools, and their candid posts to this hacker training camp show Hastalamuerte struggling to use these tools effectively. A Google-translated record of Hastalamuerte’s posts to @pntst is here.

Update, June 11, 10:23 a.m. ET: The threat research group PRODAFT has released a detailed writeup on the history and current operations of The Gentlemen. PRODAFT said its findings match the same persona with “high confidence,” and found the administrator (Zeta88/Hastalamuerte) supplies affiliates with initial access directly, primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or sourced from the group’s own leak database. They also discovered the administrator is using AI to develop and maintain the ransomware and associated tooling, as well as to assist with post-exploitation activity.
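Both Check Point and PRODAFT describe the same entry point: Internet-facing VPN appliances, with affiliates handed SSL-VPN credentials obtained by brute force. The script below is an added example, not code from the post or from any of the firms it cites, of the kind of detection a defender would run over VPN authentication logs to catch that stage before the encryption phase. It assumes a simple constructed key=value log format (timestamp, source address, user, result) rather than any vendor's real syslog layout, and flags a source that piles up failures in a short window, a source spraying one attempt across many accounts, and a success that follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (generic key=value format, not real FortiGate output).
# 203.0.113.45 hammers one account and finally gets in; 198.51.100.7 is a user who
# mistyped a password once; 192.0.2.9 sprays one attempt across many accounts.
SAMPLE_LOG = """\
2026-06-09T02:14:01Z src=203.0.113.45 user=jdoe result=fail
2026-06-09T02:14:03Z src=203.0.113.45 user=jdoe result=fail
2026-06-09T02:14:06Z src=203.0.113.45 user=jdoe result=fail
2026-06-09T02:14:09Z src=203.0.113.45 user=jdoe result=fail
2026-06-09T02:14:12Z src=203.0.113.45 user=jdoe result=fail
2026-06-09T02:14:15Z src=203.0.113.45 user=jdoe result=fail
2026-06-09T02:15:20Z src=203.0.113.45 user=jdoe result=success
2026-06-09T08:00:00Z src=198.51.100.7 user=asmith result=fail
2026-06-09T08:00:05Z src=198.51.100.7 user=asmith result=success
2026-06-09T11:30:00Z src=192.0.2.9 user=alice result=fail
2026-06-09T11:30:01Z src=192.0.2.9 user=bob result=fail
2026-06-09T11:30:02Z src=192.0.2.9 user=carol result=fail
2026-06-09T11:30:03Z src=192.0.2.9 user=dave result=fail
2026-06-09T11:30:04Z src=192.0.2.9 user=erin result=fail
2026-06-09T11:30:05Z src=192.0.2.9 user=frank result=fail
"""

# Field layout of the constructed format above; adapt the pattern to your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect_vpn_abuse(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Scan auth log lines in time order and return a list of alert dicts.

    Per source address, failures are kept in a sliding window of `window` length.
      * brute_force: at least `fail_threshold` failures in the window; the
        `distinct_users` count tells a single-account attack from a spray.
      * success_after_failures: a login succeeds from a source that has already
        tripped the threshold, i.e. a guessed credential most likely worked.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still in window
    flagged = set()              # sources that have tripped the threshold
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the scan
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire failures older than the window
        if rec["result"] == "fail":
            q.append((ts, rec["user"]))
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "type": "brute_force",
                    "src": src,
                    "failures": len(q),
                    "distinct_users": len({u for _, u in q}),
                    "first_seen": q[0][0],
                    "last_seen": ts,
                })
        elif src in flagged:
            alerts.append({
                "type": "success_after_failures",
                "src": src,
                "user": rec["user"],
                "at": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields three alerts: a brute-force alert for 203.0.113.45 on its fifth failure, a success-after-failures alert when that same source logs in as jdoe a minute later, and a brute-force alert for 192.0.2.9 whose five failures span five different accounts (a spray). The single mistyped password from 198.51.100.7 never reaches the threshold. The success-after-failures alert is the one worth paging on, since it marks the credential an affiliate would be handed; the threshold and window are starting points to tune against your own baseline of legitimate failures.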

31 thoughts on “Who Runs the Ransomware Group ‘The Gentlemen?’”

  1. Catwhisperer

    True operational secrecy is a pain in the butt, hard to maintain, and easy to screw up. That’s why it’s better to be able to act in your real name and not have to worry about it…

    1. Martin Yan

      It’s amazing how these ransomware gangs are able to maintain military intelligence level opsec
      Almost as if…

      1. Didn't meet to pay you

        Um, almost as if their business model provides enough income to afford it? Enough with the conspiracy theories. Brian understands that most of these sorts of operations have a learning curve. They are most vulnerable at three or four times in each ransom cycle (three, if it is an established affiliate relationship for long enough to have ascertained they aren’t involved in a sting). Once they figure out how to proxy, manage their toolchain properly, and successfully get ahold of the money they asked for, the only thing left to worry about is how to make it look legitimate. Ransomware removes the long-term upkeep and gradual profit model of a botnet. Now that companies are willing to pay hundreds of thousands or millions per incident, you don’t need to be ‘Russian’ or ‘Ukrainian’, or have connections to any sort of corrupt officials, you just have to throw someone else under the bus faster than the other person, it looks like.

      2. mealy

        ‘able to maintain military intelligence level opsec’
        Some of them are run by military intelligence in various countries, some of those are very good at it.
        I don’t think that’s amazing, unbelievable or improbable, nor is it a conspiracy theory. It lines up fine.
        If you’re trying to imply a _particular_ gang or campaign is run by mil.ops, that requires specificity.
        Vague implications are like…

  2. Alida

    Has anyone told Apple about “Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com (1488 is a common combination of two numeric symbols associated with white supremacy). A lookup on this address at the open source intelligence service Epieos shows it is connected to an account at Apple and to a phone number ending in 04.”
    Can they disable his account?

    1. Rock

      I don’t see why. He’s not infringing on any of Apple’s terms with his account, nor has he attacked Apple. Simply *being* a criminal shouldn’t get you disbarred from using any services.

      1. mealy

        “He’s not infringing on any of Apple’s terms with his account, nor has he attacked Apple.”

        That _you_ know of? It’s improbable that nobody connected to Apple whatsoever was targeted.
        I’ve not recently deep-read Apple’s EULA but I’d think *being a criminal* is in there somehow…

  3. Dennis

    It’s funny. When I started reading it, I thought to myself, “Russian?” And sure enough. It is.

    I think the reason it’s so easy to track these people down (aside from the Russian government letting them do it as long as the victims are in the West and that’s why they don’t care about hiding) is because most of those “hackers” are just plain stupid low lives. Otherwise anyone that had two brain cells had already left that nasty country.

    1. ReadandShare

      @Dennis – I think if you have money, are careful and discreet, and stay out of politics… Russia can be a veery pleasant place to live.

    2. mealy

      “Nasty country” – pray tell where you’ve found so entirely free of nastiness to live, Mr. Menace?

        1. mealy

          He’s got an umbrella and time to kill. It’s a dry heat.

  4. Fred Trump

    I believe his identity is BIG BALLS! You know the guy that got beat up by a girl in DC and even of more surprise he was on a date with a GIRL.

    Seems like something the snowflake orange one would be involved with.

  5. Waqas

    There was some chatter on Telegram about ShinyHunters running The Gentlemen ransomware group, but oh well…

    1. Martindale Hubbell

      Not the same people, of course. Sort of like suggesting Horohorin is, I dunno, the dude that runs the Krebs carding dump site.

  6. anon_0racle

    TIL that WayBackMachine archived Google Plus (RIP) posts..

  7. agentic

    It’s cute that even Russian ransomware gangs think stuff like… GDPR violations? matter at all in the real world.
    From reading the Checkpoint article, it definitely seems like we’re finally getting into the era of “AI-powered ransomware”. Not completely “agentic” a la “claude, ransom this company, make no mistakes”, but like… AI-written panels, AI-written ransom notes, and seeing as how quick and badly they got pwned, I’d imagine some local Chinese AI was like “You’re absolutely right, exposing port 445 on your Synology NAS to the clearnet is the most secure way to securely access your files anywhere!” and now we’re here.

    1. Matt C.

      This pretty much nulls most textual forensics, too, yeah.

  8. I Luv It I Luv It I Luv It

    When I lived in Transnistria briefly, many many years ago, there were no ATMs at all. It was a surprisingly genteel place to stay for a week or two to get away from crazies, LGBTQ- obsessed Pussy Riot fans, and tourists, until they made that mean something else entirely. CLEARLY, there was access to legitimate ATMs an easy, cheap train-ride away, until the sheeeyit hit the Kendrick a few months (and many many years) later.

    1. krakatoa

      welp! time for my teeth to marry the extension cord again!

  9. Mike H.

    Arguably, they should not, merely by the existence of a name, have known it was the same person, no less a ‘criminal’, right?

  10. bringing us all florid lies

    soon the next prod release of Kill Your Celf will push!

    Quickly, quickly ai chatbot!

  11. Martin Yan

    The same guys who run every ransomware group
    The same guys who run Krebs.
    Did you use a real Russian this time, Brian, or is it a synthetic Russian?
    Can’t arrest data. Even from the Moscow field office of the FBI.

  12. Martin Yan

    The same guys who run every ransomware group
    The same guys who run Krebs.
    Did you use a real Russian this time, Brian, or is it a synthetic Russian?
    Can’t arrest data. Even from the Moscow field office of the FBI.

    1. mealy

      If Yan can’t think then NOBODY IS ALLOWED TO. Off to the reeducation camps like a good lad.

    1. Mount Soovius

      What is Martin’s metier, anyway?
      Krebs isn’t run by any one group of anything any more than you are.

      Lots of AI slop puppeting every meatpuppet now (no offense, Brian).
