The admin of The Gentlemen ransomware group uses Telegram ID 30907522, registered a Protonmail address with white-supremacist numerology, and lists himself on LinkedIn as head of B2B marketing at a Russian electrotechnical supplier. That’s the kind of operational security that makes a 90/10 affiliate split look like a desperate talent grab.
Check Point’s April research clocked The Gentlemen as the second most active ransomware gang by victim count so far this year, with 332 published victims since mid-2025—240 of those in 2026 alone. The group targets Internet-facing devices (VPNs, firewalls) and encrypts entire networks within hours. The revenue split—90% to affiliates versus the industry-standard 80%—is accelerating recruitment from competing programs.
The Trail from Hastalamuerte to Alexander Yapaev
Intel 471 shows Hastalamuerte registered on Breachforums in January 2025 from an IP in Izhevsk, the capital of Russia’s Udmurt Republic. The same user, under the alias Zeta88, signed up on Breached in August 2022 from another Izhevsk address. The Protonmail address [email protected] links to a GitHub account (SantaMuerte) watching malware tools, and to Telegram username @hastalamuerte18 with unique ID 30907522.
Constella Intelligence tied that Telegram ID to the Russian phone number 79127650004, which appears in hacked government databases assigned to Alexander Andreevich Yapaev, 36, of Izhevsk. The same phone number was used to register on Russian social platform Pikabu under the alias “4apai18” (4 being a Cyrillic shorthand for “ch”). LinkedIn shows Alexander Yapaev as head of B2B marketing at Uralenergo Udmurtia, a major electrotechnical and lighting supplier.
Why Russian Cybercriminals Stay Sloppy
Krebs notes that most Russian cybercriminals don’t set out to be arch criminals—they drift into the scene as their skills grow. The Russian government typically ignores ransomware operators as long as they avoid domestic targets and pay off the right people. Yapaev didn’t respond to requests for comment, but his employer’s domain and his LinkedIn profile are now public artifacts of an investigation that started with a backend infrastructure breach at The Gentlemen.
Expect more researchers to pivot on that phone number and Telegram ID. The 90/10 model might buy affiliates, but it bought the admin a permanent doxxing.
Source: Who Runs the Ransomware Group 'The Gentlemen?'
Domain: krebsonsecurity.com