Ransomware Group 'The Gentlemen' Exposed

June 12, 2026 04:21 · 12 min read
Introduction to The Gentlemen Ransomware Group

A cybercrime group known as The Gentlemen has emerged as a significant threat in the ransomware landscape, attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims.

Experts at the security firm Check Point Software have been closely monitoring the group's activities, revealing that The Gentlemen are the second most active ransomware group by victim count so far this year, with at least 332 published victims since the group's inception in mid-2025 and more than 240 in 2026 alone.

Modus Operandi of The Gentlemen

Check Point found that the group targets Internet-facing devices, such as VPNs and firewalls, as its entry point and, once inside, moves quickly to encrypt entire networks within hours.

The administrator and primary operator of the ransomware group, known by the nickname Zeta88 on Russian-language cybercrime forums, was previously known under the moniker Hastalamuerte.

Uncovering the Identity of Hastalamuerte

A breach of the group's backend infrastructure revealed that Hastalamuerte/Zeta88 is the person who assembles the locker and RaaS panel, manages payments, and is essentially the administrator of the entire program, receiving 10 percent of all ransoms.

Data from cyber intelligence firm Intel 471 shows that the user Hastalamuerte is a Russian- and English-speaking person who registered on almost a dozen cybercrime forums between 2019 and the present day.

Intel 471 reveals that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital city of Russia's Udmurt Republic.

Alexander Andreevich Yapaev: The Man Behind Hastalamuerte

A lookup on the email address hastalamuerte1488@protonmail.com, used by Hastalamuerte, shows it is connected to an account at Apple and to a phone number ending in 04.

The phone number is linked to a GitHub account under the username SantaMuerte, which is marked private, but a history of this user's activity shows they are watching and developing a number of malware tools and exploits.

The breach tracking service Constella Intelligence reports that Hastalamuerte's Telegram ID is connected to another username — bu4vs — and to the Russian phone number 79127650004, which is assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Yapaev's Online Activities and Connections

Constella reveals that the phone number was used to create an account at the Russian social media platform Pikabu under the name 4apai18, and shows Mr. Yapaev has signed up at a number of websites using the common surname Ivanov, or else Chapaev.

A search in Intel 471 for cybercrime forum members with the nickname SantaMuerte unearths an account by the same name created in 2020 on the Russian hacking forum Codeby, which was originally registered with the nickname Alexandr 4apaev.

Meanwhile, Epieos shows that the email address bu4vs@mail.ru is connected to a LinkedIn account for Alexander Yapaev, who lists himself as the head of B2B marketing at the company Uralenergo Udmurtia, one of Russia's largest suppliers of electrotechnical and lighting products.

Conclusion and Implications

The exposure of Alexander Andreevich Yapaev as the administrator of The Gentlemen ransomware group highlights the complexities of cybercrime and the need for continued efforts to track and disrupt these groups.

The fact that Yapaev was able to operate with relative impunity, despite making basic operational security mistakes, underscores the challenges faced by law enforcement agencies in pursuing cybercriminals.

The use of AI by The Gentlemen to develop and maintain their ransomware and associated tooling, as well as to assist with post-exploitation activity, is a concerning trend that highlights the evolving nature of cyber threats.


Source: Krebs on Security
