Inside the Operations of the Gentlemen Ransomware Group: A Recent Analysis
Recent investigations into the Gentlemen ransomware operation have produced a detailed picture of its origins and evolution. Initially functioning as an affiliate group conducting double extortion attacks, the organization drew on resources from several ransomware-as-a-service (RaaS) schemes, including LockBit, Qilin, and Medusa. This trajectory indicates a strategic maneuver aimed at financial gain through increasingly sophisticated cybercriminal activity.
According to a comprehensive report published by the cybersecurity company PRODAFT, the organization, tracked under the name "Phantom Mantis", is led by an individual known as LARVA-368. This actor, who operates under multiple aliases including hastalamuerte and ArmCorp, has been identified as a significant player in the ransomware landscape. The group has been active since March 2025, and in that time it has claimed a total of 478 victims, according to data from Ransomware.Live.
In July 2025, Phantom Mantis rebranded itself as The Gentlemen, establishing an independent partnership program that no longer relied on affiliations with other RaaS groups. PRODAFT emphasized the group’s significant reliance on artificial intelligence for both the development and maintenance of its ransomware tools. This technological edge has enabled the group to optimize its post-exploitation procedures, highlighting its innovative approach within a rapidly evolving cyber threat landscape.
LARVA-368’s previous affiliations with the Embargo ransomware group mark a foundational phase in his criminal career, culminating in the establishment of The Gentlemen after a mere four-month interval. His identity, unmasked by prominent cybersecurity journalist Brian Krebs, reveals that he is Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia. This confirmation sheds light on the personal aspects of cybercriminal enterprises and underscores the interconnections between various actors within the ransomware ecosystem.
The metamorphosis from Phantom Mantis to The Gentlemen corresponds with a pivotal moment of contention: a payment dispute between LARVA-368 and the Qilin group. Allegations surfaced that Qilin operated exit scams and swindled LARVA-368 out of $48,000, inciting a fracture in their collaboration and catalyzing the shift toward independent operations. This incident reflects the volatility and competitive nature of cybercrime marketplaces, where trust can quickly erode.
Even as it moved toward independent operation, The Gentlemen initially positioned itself as a formidable affiliate group with a rapid onboarding process: more than 20 targets were registered on its affiliate panel in less than 30 days. Internal strife was nonetheless evident. LARVA-368 and associates claimed that support operations from Pestilent Mantis were riddled with deceit, including insinuations of backdoors within their affiliate system. This dispute may itself have been a calculated tactic to lure Pestilent Mantis affiliates into the Phantom Mantis fold.
Phantom Mantis has exhibited strategic maneuvers beyond mere extortion. The group has utilized premium accounts in underground forums to enhance its visibility and mitigate competitive pressures. Despite the secretive nature of its operations, the intricate roles within the organization are highlighted by its operations manager, known as Gentlemen Data, who facilitates communication and provides technical support to affiliate members.
Considerable operational intelligence has emerged from various analyses of the ransomware group. Notably, Cybereason's LevelBlue team characterized The Gentlemen as a "highly adaptive, fast-moving ransomware operation." Its hybrid approach combines double extortion, cross-platform lockers, and comprehensive affiliate support, cementing its position as a leading threat actor. Data from NCC Group indicates that The Gentlemen is responsible for approximately 10% of ransomware activity as of April 2026, employing tactics that include stealing credentials and exploiting known vulnerabilities in internet-facing services.
Interestingly, the group’s target demographics suggest a wider international reach, with only 13% of victims based in the U.S. The majority of impacted organizations span countries including Thailand, the United Kingdom, Brazil, Germany, and India, reflecting a global nature to the cyberattacks perpetrated by The Gentlemen.
The threat actor employs a varied technical toolkit, including the Bring Your Own Vulnerable Driver (BYOVD) technique, in which a legitimately signed but vulnerable driver is loaded in order to defeat endpoint security controls. Communication channels have been established on secure messaging platforms such as Tox and Ricochet Refresh, over which the group exchanges information related to encryption and intrusions.
The Gentlemen’s affiliate model is predicated on a generous profit-sharing strategy, offering 90% to affiliates and retaining only 10%. This enticing structure coupled with accessibility to tools—including ransomware suited for various operating systems—illustrates the group’s recruitment prowess in attracting new affiliates.
The extensive toolkit of The Gentlemen supports multi-faceted operations, from initial access through exploited edge devices to sophisticated post-infection activity. The average duration from initial breach to full encryption is reported to be between two and six weeks.
Further investigation into internal communications has revealed the group’s active monitoring of contemporary vulnerabilities, illustrating its dynamic response to the cybersecurity landscape. A notable leak of an internal Rocket.Chat database offers invaluable insights into The Gentlemen’s inner workings, emphasizing its organized structure and efficiency.
The emergence and evolution of The Gentlemen ransomware operation serve as a stark reminder of the complex and adaptive nature of cybercriminal enterprises. As technology continues to evolve, so too does the sophistication of these threats, demanding constant vigilance and adaptation from both cybersecurity professionals and organizations worldwide. The analysis of The Gentlemen illuminates not just the mechanics of ransomware but a broader narrative relevant to the ongoing cybersecurity crisis faced in today's digital world.
