
The ransomware group known as “The Gentlemen” has become the second most prolific ransomware operation in the world this year, claiming more than 330 published victims and over 1,570 compromised organizations in total, according to Check Point Research. Now Brian Krebs has traced the group’s administrator to a real-world identity: Alexander Andreevich Yapaev, a 36-year-old man from Izhevsk, the capital of Russia’s Udmurt Republic.
The identification, published this week on Krebs on Security, is the result of a painstaking chain of open-source intelligence work that connected forum handles, encrypted email addresses, a Telegram ID, and breached Russian government databases to a single individual.
How the Trail Unfolded
Krebs started with two nicknames that Check Point had linked to The Gentlemen’s operational leadership. On Russian-language cybercrime forums, the administrator used the name “Zeta88.” On English-language forums and in the group’s own marketing, the same person had previously used “Hastalamuerte” (Spanish for “until death”). Both handles had been tied to running the ransomware-as-a-service (RaaS) operation.
The threat intelligence firm Intel 471 showed that Hastalamuerte had registered on nearly a dozen cybercrime forums since 2019, including Exploit, Breachforums, Ramp_V2, and Raidforums. Registration for Breachforums in January 2025 came from an IP address in Izhevsk. The related account Zeta88 had registered on the forum Breached in August 2022 from a different Izhevsk address.
A 2020 registration on Raidforums used the email address hastalamuerte1488@protonmail.com. The open-source intelligence service Epieos connected that address to an Apple account and a Russian phone number ending in 04. The same ProtonMail address was also linked to a GitHub account under the name “SantaMuerte,” which followed and developed malware tools.
From Telegram ID to a Name
On the crime forum Nulled in April 2020, Hastalamuerte listed a Telegram contact: @hastalamuerte18. Flashpoint, a threat intelligence company, identified the unique numeric ID behind that username. The breach tracking service Constella Intelligence connected that Telegram ID to another username, “bu4vs,” and the full Russian phone number +7 912 765 0004.
Constella then pivoted that phone number against breached Russian government databases. The records showed the number was assigned to Alexander Andreevich Yapaev, born in 1990 or 1991, living in Izhevsk. Further searches showed that Yapaev had used the number to register on the Russian social platform Pikabu under the handle “4apai18” (where the digit 4 replaces the “ch” sound in “Chapaev”), and had signed up on other sites using the surnames “Ivanov” and “Chapaev.” On the Russian hacking forum Codeby, the same individual registered with the handle “Alexandr 4apaev.”
The Business Behind the Ransomware
The Gentlemen operates as a RaaS platform that has attracted a large affiliate network through aggressive terms. While the industry standard split is 80 percent for the affiliate who carries out the attack and 20 percent for the RaaS operator, The Gentlemen offers 90 percent to affiliates and keeps only 10 percent.
The economics are effective. Check Point Research counted 332 published victims on the group’s data leak site as of mid-2026. But when Check Point obtained The Gentlemen’s internal backend data following a breach of the group’s own infrastructure in May 2026, the real number was far larger: over 1,570 compromised victims. The implication is that more than 78 percent of victims paid ransoms quietly and were never publicly listed.
The internal data, published by a forum user who leaked the group’s backend in May, also revealed sophisticated operational tactics. The Apolo Cybersecurity analysis of the Check Point report found that the group cross-references victim data with ZoomInfo to estimate revenue and determine the exact maximum of a company’s cyber insurance policy. In one documented case, the group knew a victim had a $10 million insurance ceiling and set their ransom demand at precisely that figure.
A Modern Ransomware Machine
The Gentlemen operates differently from the ransomware groups of a few years ago. Microsoft Threat Intelligence, which tracks the operators under the label Storm-2697, describes the encryptor as a Go-based binary obfuscated with Garble that uses per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher. The malware is self-propagating, using multiple simultaneous lateral movement methods to spread across a network within hours of initial access.
The group’s primary initial access vector is stolen credentials purchased on the underground market and sourced from infostealer logs. Its secondary entry points are Internet-facing devices: unpatched VPN appliances, firewalls, and gateways. Once inside, the group moves quickly to encrypt and exfiltrate data before victims can react.
Microsoft has observed The Gentlemen impacting organizations across education, transportation, healthcare, and financial services in North America, South America, Europe, Africa, and Asia.
What the Identification Means
The identification of Yapaev as the alleged operator does not mean arrests are imminent. Izhevsk is in Russia, and Russian authorities have rarely cooperated with Western law enforcement in ransomware cases, particularly when the targets are outside Russia. What the OSINT chain does demonstrate is that ransomware operators are not as anonymous as they believe.
The group’s own infrastructure breach in May 2026 was the first domino. Krebs traced the second. The question now is whether law enforcement agencies can take the next step, or whether The Gentlemen’s administrator will simply change handles and rebuild.

