Unmasking The Gentlemen: The Mysterious Identity of Ransomware Group’s Administrator

by Anika Shah - Technology

The Gentlemen Ransomware Group Rises as Second Most Active, Linked to Russian Hacker Alexander Yapaev

The Gentlemen ransomware group has emerged as the second most active ransomware operation by victim count, according to Check Point Software, with over 332 victims reported since its inception in mid-2025. The group’s aggressive 90/10 affiliate revenue split—offering affiliates 90% of ransoms—has accelerated its growth, attracting experienced hackers from rival programs, the firm reported in April 2023.

How The Gentlemen Operates

The Gentlemen targets internet-facing devices such as VPNs and firewalls, infiltrating networks and encrypting entire systems within hours, as noted by Check Point. The group’s administrator, identified as Zeta88 on Russian-language cybercrime forums, also operated under the alias Hastalamuerte, according to the security firm. A breach of the group’s backend infrastructure revealed Zeta88’s role in managing the ransomware-as-a-service (RaaS) platform and handling payments.

Tracing the Administrator: From Forums to Real-World Identity

Cyber intelligence firm Intel 471 tracked Hastalamuerte’s activity across multiple forums, including BreachForums and RaidForums, from 2019 to 2023. A 2025 registration on BreachForums from Izhevsk, Russia, and a 2022 sign-up on Breached under the Zeta88 moniker suggest a consistent digital footprint. The user’s email address, hastalamuerte1488@protonmail.com, is linked to a GitHub account under the username SantaMuerte, which shows development of malware tools, according to Epieos.

Telegram records from 2020 connect Hastalamuerte to the username @hastalamuerte18, while Constella Intelligence links the platform’s unique ID 30907522 to the Russian phone number 79127650004. This number is tied to Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, via hacked Russian government databases. Yapaev’s social media activity, including a LinkedIn profile as a B2B marketing head at Uralenergo Udmurtia, further connects him to the digital trail, though he has not commented on the allegations.

Why Russian Cybercriminals Often Avoid Anonymity

Russian hackers often operate with minimal operational security, a trend attributed to the country’s lenient approach to cybercrime. As long as attacks do not target Russian entities, perpetrators face little risk of prosecution, according to cybersecurity analysts. This environment allows figures like Yapaev to maintain online personas without immediate consequences.

Ransomware Reality Check: Inside “The Gentlemen” Gang

Early forum posts from 2019–2020 reveal Hastalamuerte’s learning curve, including participation in a Telegram-based penetration testing course. Google-translated records show struggles with technical tools, suggesting a gradual evolution from novice to operator.

What This Means for Cybersecurity

The Gentlemen’s rapid expansion highlights the growing threat of RaaS models, which lower the barrier to entry for cybercrime. With 90% of ransoms going to affiliates, the group’s structure incentivizes widespread malware distribution. Experts warn that the link between online aliases and real-world identities, as seen in Yapaev’s case, could aid law enforcement in targeting such operations.

As ransomware attacks escalate, the intersection of digital forensics and real-world data—like the connection between Yapaev’s phone number and his professional profile—may become a critical tool in combating cybercrime. However, the lack of transparency from figures like Yapaev underscores the challenges of holding cybercriminals accountable in a borderless digital landscape.
