The Gentlemen and the Architecture of Modern Ransomware | A Case Study in Cybercrime, Attribution, and Geopolitical Impunity
Introduction
In today’s cybersecurity landscape, ransomware has emerged as one of the most significant and rapidly growing cyber threats. What began as attacks carried out by individual hackers has evolved into a highly organised criminal enterprise, with groups operating through structured business models and global networks. The emergence of The Gentlemen ransomware group reflects this transformation, demonstrating how modern threat actors can quickly expand their operations and target organisations across multiple sectors. Their rise highlights the increasing sophistication of ransomware campaigns and the growing challenges faced by organisations in defending against them. The attribution of the group's administrator to an identified individual in Izhevsk, Russia, provides a valuable lens through which to examine three interconnected developments: the maturation of ransomware-as-a-service (RaaS) business models, the inherent operational security (OPSEC) weaknesses that emerge over the course of cybercriminal careers, and the geopolitical environments that enable such actors to operate with relative impunity. Together, these dynamics illustrate the industrialisation of modern cybercrime.
The Industrialisation of Ransomware-as-a-Service
The remarkable rapid rise of The Gentlemen is impossible without discussing the maturation of ransomware-as-a-service (RaaS). RaaS systems utilize network intrusion experts as affiliates who conduct networks intrusions and secure access in exchange for a cut of the total ransoms paid, while a core group builds and maintains the ransomware framework itself. Although Reveton, one of the earliest Raas providers, can be credited with bringing early iterations of RaaS to fruition in 2012, the potential scale was truly evident in the mid-2020s. By 2025 it was estimated that there were over 100 active ransomware gangs operating; this proliferation is the direct result of the franchise-like system, which has lowered the barriers to entry for cybercrime.
The marketplace surrounding RaaS is intensely competitive, and this is clearly exemplified in the business structure of The Gentlemen: while many of the top ransomware groups provide an 80/20 profit share (with the majority of the profit going to the affiliates), The Gentlemen has an exceptionally profitable 90/10 split (affiliates keep 90% of the profit share) for affiliates, likely to draw experienced operators away from their rivals given recent decreases in victim willingness to pay and corresponding increases in the incentives RaaS platforms are required to offer.
The operational efficiency of the group is representative of a successful enterprise. They attack vulnerable internet-facing VPNs and firewalls and generally complete the network encryption within a matter of hours, leaving defenders with very little time to respond, as confirmed by Check Point Software, a renowned cybersecurity vendor.
Additionally, PRODAFT reports that the administrator of The Gentlemen, known by the alias Zeta88 (previously known as Hastalamuerte), directly provides affiliates with SSL VPN credentials, often obtained through brutal force attacks or their own private leaked databases, indicating an unusually high level of vertical integration for RaaS groups.
AI as a Force Multiplier in Ransomware Development
A particularly significant aspect of the Hastalamuerte case is PRODAFT's finding that the administrator employs artificial intelligence to develop and maintain ransomware, support associated tooling, and assist post-exploitation operations. This reflects a broader trend observed across the 2025–2026 threat landscape, where AI has increasingly lowered the capability threshold for participation in organised cybercrime. Researchers have documented its role in automating stages of intrusion, accelerating malware development cycles, and simplifying the maintenance of malicious infrastructure. These capabilities have been leveraged by both nation-state actors and criminal enterprises.
The trajectory of Hastalamuerte is especially illustrative. Cybersecurity Forum posts during 2019-2020 depict a hacker who is fairly novice at fundamental penetration testing procedures. A subsequent emergence as the operator of a top-tier ransomware-as-a-service operation indicates that AI-assisted development may be responsible for dramatically reducing the skill level and time necessary to create a successful criminal enterprise in cyberspace. The evolution of these tools should make the route from novice forum user to accomplished ransomware operator more attainable for a wider array of perpetrators in the future.
The OPSEC Paradox: How Cybercriminals Leave a Trail
The attribution of Hastalamuerte's identity by researchers from Intel 471, Flashpoint, and Constella Intelligence demonstrates the effectiveness of modern open-source and commercial intelligence methodologies. A forum registration traceable to an IP address from Izhevsk, Russia linked a Protonmail address, which linked to an Apple account, a GitHub profile, a Telegram handle, a Russian phone number, and finally to a 36 year old marketing professional named Alexander Andreevich Yapaev who was also living in Izhevsk. Investigators did not use an advanced capability in their attribution, but rather a simple OPSEC mistake of consistently reusing credentials. Every username and email address and every phone number creates a linkage between disparate data points, eventually building into a real-world persona.
It has also come out in the forum discussion that while training for a penetration testing course in 2020, Hastalamuerte displayed the kind of inexperience that a novice would display in traceable, recorded fashion to intelligence databases. It's an example of a broader rule about attribution; attacker mistakes provide the most value. With Russians the lack of apparent consequences may contribute to a lack of need to maintain tight OPSEC from the start.
The Russian Safe Haven: Conditional Impunity and Its Limits
Yapaev's base in Izhevsk is emblematic of the geostrategic situation that has allowed Russian cybercriminality to prosper. Security researchers routinely label Russia's policy as one of "controlled impunity," where the cybercriminality directed at foreign entities is ignored or implicitly condoned, while that directed at Russian interests will prompt a law enforcement response. This constitutes what has been called a "managed market" rather than an "unconditional sanctuary," where many of the named defendants could and likely will continue their illegal enterprise with little fear of reprisal, provided that they do not threaten the interests of the Russian state and do not attempt to move their operations outside of Russian control.
Yet this protection is neither absolute nor permanent. In May 2024, the transnational Operation Endgame campaign highlighted the growing global appetite for damaging the cybercrime ecosystem rooted in Russia. Russian authorities did indeed pursue and seize some assets and operators, but arrests seem largely confined to the lower-rung facilitators of these attacks (hosting providers and payment services), and it seems higher-end ransomware operators continue to evade scrutiny. Selective enforcement thus further bolsters the perception that protection is accorded according to strategic value, not legal standards. For operators such as Hastalamuerte, who possess no publicly documented intelligence connections, growing attribution capabilities, and sustained international pressure may gradually erode the security traditionally associated with operating from within Russia.
Attribution as a Deterrence Instrument
The public identification of Alexander Andreevich Yapaev as Hastalamuerte/Zeta88 shows the continued struggle with the utility of attribution in situations where immediate prosecution is not feasible. Its utility is far more extensive than simply an ability to make an arrest. Functionally, public naming forces a perpetrator into an open evidentiary space and can lead to alterations in their operational habits and effectiveness. Strategically, attribution provides future leverage for sanctions, indictments, financial restrictions, or extradition if the target can leave their safe haven country. The logic behind US rewards programs (paying up to $10 million for the capture and conviction of ransomware operators) relies on this principle. The analytical insight provided by the case cannot be understated either. Hastalamuerte's trajectory from a relative amateur forum participant on Nulled and Raidforums in 2019 to leading a significant ransomware operation by 2026 offers an invaluable look into the career progression of a cyber criminal. It confirms one of the lessons learned through deterrence and attribution: pseudonymity is not everlasting, and many years of OPSEC failures can be pieced together to establish a real-world identity.
Conclusion
The Gentlemen incident is emblematic of the three broad themes that currently characterise cyber warfare: ransomware-as-a-service through innovative competition, common OPSEC failures that enable attribution, and a new, conditional regime of protection for Russian cybercriminals. The obvious defense lesson: increasing attack surfaces require stronger identity, behavioural monitoring, and intelligence capacities. The policy lesson: effective attribution is still an essential tool for comprehension, deterrence, and disruption in an increasingly industrialised environment of criminals supporting each other's operations in ransomware-as-a-service.
References
- https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
- https://www.recordedfuture.com/
- https://www.vectra.ai/topics/ransomware-as-a-service
- https://www.trmlabs.com/es/resources/blog/new-disruption-opportunities-in-the-evolving-ransomware-ecosystem
Related Blogs
Pretext
On 20th October 2022, the Competition Commission of India (CCI) imposed a penalty of Rs. 1,337.76 crores on Google for abusing its dominant position in multiple markets in the Android Mobile device ecosystem, apart from issuing cease and desist orders. The CCI also directed Google to modify its conduct within a defined timeline. Smart mobile devices need an operating system (OS) to run applications (apps) and programs. Android is one such mobile operating system that Google acquired in 2005. In the instant matter, the CCI examined various practices of Google w.r.t. licensing of this Android mobile operating system and various proprietary mobile applications of Google (e.g., Play Store, Google Search, Google Chrome, YouTube, etc.).
The Issue
Google was found to be misusing its dominant position in the tech market, and the same was the reason behind the penalty. Google argued about the competitive constraints being faced from Apple. In relation to understanding the extent of competition between Google’s Android ecosystem and Apple’s iOS ecosystem, the CCI noted the differences in the two business models, which affect the underlying incentives of business decisions. Apple’s business is primarily based on a vertically integrated smart device ecosystem that focuses on the sale of high-end smart devices with state-of-the-art software components. In contrast, Google’s business was found to be driven by the ultimate intent of increasing users on its platforms so that they interact with its revenue-earning service, i.e., online searches, which directly affects the sale of online advertising services by Google. It was seen that google had created a dominant position among the android phone manufacturers as they were made to have a set of google apps preinstalled in the device to increase the user’s dependency on google services. The CCI felt that Google had created a dominant position to which they replied that the same operations are done by Apple as well, to which the commission responded that apple is a phone and app manufacturer and they have Apple-owned apps in Apple devices only, but Google here in had made a pseudo mandate for android manufactures to have the google apps pre-installed which is, in turn, a possible way of disrupting the market equilibrium and violative of market practices. The CCI imposed a penalty of Rs. 1,337.76 for abusing its dominant position in multiple markets in India, CCI delineated the following five relevant markets in the present matter –
- The market for licensable OS for smart mobile devices in India
- The market for app store for Android smart mobile OS in India
- The market for general web search services in India
- The market for non-OS specific mobile web browsers in India
- The market for online video hosting platforms (OVHP) in India.
Supreme Courts Opinion
In October 2022, the Competition Commission of India (CCI) ruled that Google, owned by Alphabet Inc, exploited its dominant position in Android and told it to remove restrictions on device makers, including those related to the pre-installation of apps and ensuring exclusivity of its search. Google lost a challenge in the Supreme Court to block the directives, as the learned court refused to put a stay on the imposed penalty, further giving seven days to comply. The Supreme Court has said a lower tribunal—where Google first challenged the Android directives—can continue to hear the company’s appeal and must rule by March 31.
Counterpoint Research estimates that about 97% of 600 million smartphones in India run on Android. Apple has just a 3% share. Hoping to block the implementation of the CCI directives, Google challenged the CCI order in the Supreme Court by warning it could stall the growth of the Android ecosystem. It also said it would be forced to alter arrangements with more than 1,100 device manufacturers and thousands of app developers if the directives kick in. Google has been concerned about India’s decision as the steps are seen as more sweeping than those imposed in the European Commission’s 2018 ruling. There it was fined for putting in place what the Commission called unlawful restrictions on Android mobile device makers. Google is still challenging the record $4.3 billion fine in that case. In Europe, Google made changes later, including letting Android device users pick their default search engine, and said device makers would be able to license the Google mobile application suite separately from the Google Search App or the Chrome browser.
Conclusion
As the world goes deeper into cyberspace, the big tech companies have more control over the industry and the markets, but the same should not turn into anarchy in the global markets. The Tech giants need to be made aware that compliance is the utmost duty for all companies, and enforcement of the law of the land will be maintained no matter what. Earlier India lacked policies and legislation to govern cyberspace, but in the recent proactive stance by the govt, a lot of new bills have been tabled, one of them being the Intermediary Rules 2021, which has laid down the obligations nand duties of the companies by setting up an intermediary in the country. Such bills coupled with such crucial judgments on tech giants will act as a test and barrier for other tech companies who try to flaunt the rules and avoid compliance.
Starting in mid-December, 2024, a series of attacks have targeted Chrome browser extensions. A data protection company called Cyberhaven, California, fell victim to one of these attacks. Though identified in the U.S., the geographical extent and potential of the attack are yet to be determined. Assessment of these cases can help us to be better prepared for such instances if they occur in the near future.
The Attack
Browser extensions are small software applications that add and enable functionality or a capacity (feature) to a web browser. These are written in CSS, HTML, or JavaScript and like other software, can be coded to deliver malware. Also known as plug-ins, they have access to their own set of Application Programming Interface (APIs). They can also be used to remove unwanted elements as per customisation, such as pop-up advertisements and auto-play videos, when one lands on a website. Some examples of browser extensions include Ad-blockers (for blocking ads and content filtering) and StayFocusd (which limits the time of the users on a particular website).
In the aforementioned attack, the publisher of the browser at Cyberhaven received a phishing mail from an attacker posing to be from the Google Chrome Web Store Developer Support. It mentioned that their browser policies were not compatible and encouraged the user to click on the “Go to Policy”action item, which led the user to a page that enabled permissions for a malicious OAuth called Privacy Policy Extension (Open Authorisation is an adopted standard that is used to authorise secure access for temporary tokens). Once the permission was granted, the attacker was able to inject malicious code into the target’s Chrome browser extension and steal user access tokens and session cookies. Further investigation revealed that logins of certain AI and social media platforms were targeted.
CyberPeace Recommendations
As attacks of such range continue to occur, it is encouraged that companies and developers take active measures that would make their browser extensions less susceptible to such attacks. Google also has a few guidelines on how developers can safeguard their extensions from their end. These include:
- Minimal Permissions For Extensions- It is encouraged that minimal permissions for extensions barring the required APIs and websites that it depends on are acquired as limiting extension privileges limits the surface area an attacker can exploit.
- Prioritising Protection Of Developer Accounts- A security breach on this end could lead to compromising all users' data as this would allow attackers to mess with extensions via their malicious codes. A 2FA (2-factor authentication) by setting a security key is endorsed.
- HTTPS over HTTP- HTTPS should be preferred over HTTP as it requires a Secure Sockets Layer (SSL)/ transport layer security(TLS) certificate from an independent certificate authority (CA). This creates an encrypted connection between the server and the web browser.
Lastly, as was done in the case of the attack at Cyberhaven, it is encouraged to promote the practice of transparency when such incidents take place to better deal with them.
References
- https://indianexpress.com/article/technology/tech-news-technology/hackers-hijack-companies-chrome-extensions-cyberhaven-9748454/
- https://indianexpress.com/article/technology/tech-news-technology/google-chrome-extensions-hack-safety-tips-9751656/
- https://www.techtarget.com/whatis/definition/browser-extension
- https://www.forbes.com/sites/daveywinder/2024/12/31/google-chrome-2fa-bypass-attack-confirmed-what-you-need-to-know/
- https://www.cloudflare.com/learning/ssl/why-use-https/
Executive Summary
A video showing thick smoke rising from a building and people running in panic is being shared on social media. The video is being circulated with the claim that it shows Iran launching a missile attack on the United States.CyberPeace’s research found the claim to be misleading. Our probe revealed that the video is not related to any recent incident. The viral clip is actually from the September 11, 2001 terrorist attacks on the World Trade Center in the United States and is being falsely shared as footage of an alleged Iranian missile strike on the US.
Claim:
An Instagram user shared the video claiming, “Iran has attacked a US airbase in Qatar. Iran has fired six ballistic missiles at the Al Udeid Airbase in Qatar. Al Udeid Airbase is the largest US military base in West Asia.”
Links to the post and its archived version are provided below.
Fact Check:
To verify the claim, we extracted key frames from the viral video and ran a reverse image search using Google Lens. During the search, we found visuals matching the viral clip in a report published by Wion on September 11, 2021. The report, titled “In pics | A look back at the scenes from the 9/11 attacks,” included an image that closely resembled the visuals seen in the viral video. The caption of the image stated that it was a file photo from September 11, 2001, showing pedestrians running as one of the World Trade Center towers collapsed in New York City.
Further research led us to the same footage on the YouTube channel CBS 8 San Diego. At the 01:11 timestamp of the video, visuals matching the viral clip can be clearly seen.
We also found an Al Jazeera report dated June 23, 2025, which confirmed that Iran had attacked US forces stationed at the Al Udeid airbase in Qatar in retaliation for US strikes on Iran’s uclear facilities. However, the visuals used in the viral video do not correspond to this incident.
Conclusion
The viral video does not show a recent Iranian attack on a US airbase in Qatar. The clip actually dates back to the September 11, 2001 terrorist attacks on the World Trade Center in the United States. Old 9/11 footage has been falsely shared with a misleading claim linking it to Iran’s alleged missile strike on the US.
