The ransomware affiliate model has a predictable output. Operate inside an established brand long enough to learn the playbook, then exit when an internal dispute or a better revenue split makes independence viable. The Gentlemen is what that pipeline looks like when it works.
Swiss threat-intel firm PRODAFT spent roughly a year tracking the operator behind this program, internally tagged "Phantom Mantis" and given the cluster identifier LARVA-368. The PRODAFT report, summarized in The Hacker News on June 11, 2026, traces the actor from March 2025 through to the present, and a public report on Catalyst details the affiliate history, the alias roster, and the technical fingerprint of the operation.
The pivot happened in July 2025. Before that, PRODAFT's telemetry shows the same operator working as an affiliate under three separate RaaS brands: LockBit (tracked as "Tenacious Mantis"), Qilin ("Pestilent Mantis"), and Medusa ("Venomous Mantis"). Each stint taught a layer of the trade, from affiliate panel logistics to negotiation tactics to leak-site management. Then the relationship with Qilin reportedly broke down over an alleged $48,000 exit-scam dispute. The operator spent a brief period working with Embargo (tracked by PRODAFT as "Primeval Mantis") before relaunching in July 2025 as The Gentlemen, an independent partnership program with a more generous 90/10 revenue split aimed at luring affiliates away from competitors. PRODAFT explicitly states it could not independently verify the Qilin exit-scam allegation, and the dispute should be treated as unconfirmed.
The scale followed fast. According to Ransomware.Live, the data-leak tracking site, The Gentlemen claimed 478 victims as of the June 11 publication date cited by The Hacker News; the live count on the same site had risen to 483 by the following day, with the last victim dated June 11, 2026 and 74 countries represented. Check Point Research, in its 2026 "Thus Spoke The Gentlemen" analysis, ranks the operation as the second most active RaaS family by victim count this year, with roughly 332 published victims in the first five months of 2026 and more than 1,570 linked victims across the broader dataset.
The headline-grabbing capability is the network propagation. The Gentlemen is built in Go and runs on Windows, Linux, BSD, and network-attached storage devices. Rather than self-replicating in the classic worm sense, it spreads aggressively through lateral movement and edge-device exploitation, with initial access typically through compromised Fortinet and Cisco VPN gateways and firewall appliances. It also uses a Bring Your Own Vulnerable Driver technique to disable endpoint security software before deployment, and abuses Group Policy Objects to push the payload domain-wide once inside an Active Directory environment.
Trend Micro's August 2025 analysis, published as "Unmasking The Gentlemen Ransomware," was an early look at the operation. The timing gap between Trend Micro's first investigation in August 2025 and PRODAFT's affiliate-origin date of March 2025 reflects the difference between when the operation became independently visible and when its predecessor activity actually began. Check Point, meanwhile, identified eight distinct affiliate TOX IDs, indicating that the admin still runs some intrusions personally while the rest of the network operates on its own.
A second capability deserves precise framing. PRODAFT's assessment is that LARVA-368 used AI assistance for ransomware development, code maintenance, and post-exploitation tasks, not as a fully autonomous engine. That distinction matters: AI tooling is shortening the time from "learned affiliate" to "independent operator with a competitive product," and The Gentlemen's timeline is consistent with that compression. PRODAFT has not released the prompts, the model used, or the specific tasks, so the claim is best read as a vendor assessment rather than a measured capability.
The human face arrived in June 2026. Brian Krebs, in a June 2026 investigation, identified the operator behind The Gentlemen as 36-year-old Alexander Andreevich Yapaev of Izhevsk, Russia. Krebs' attribution relied on forum-registration data from cyber-intelligence firm Intel 471 and OSINT from researcher Epieos. PRODAFT told The Hacker News its independent technical findings match the Yapaev persona "with high confidence," though PRODAFT has not publicly named him itself. A leaked backend database referred to internally as "Rocket" surfaced on May 4, 2026 and contained nine accounts, including zeta88 and hastalamuerte, two of LARVA-368's known aliases. The convergence of OSINT and technical attribution is unusual and is the strongest such case in the public RaaS attribution record this year.
What The Gentlemen illustrates is the structural pressure on the affiliate economy. Established RaaS brands keep fracturing, and exit scams, brand churn, and revenue-split disputes are turning out former affiliates as independent operators faster than law enforcement is dismantling them. The Gentlemen's 90/10 split is itself a recruitment signal aimed at affiliates inside the very brands the operator used to work for. If the trajectory from LockBit affiliate to 478 victims in roughly fifteen months is reproducible, the next named operator on a leak site is likely already in the pipeline.