A cybercrime group operating under the name The Gentlemen has quietly become the second most active ransomware gang by victim count—and security researchers believe they may have finally identified who is actually running the operation.
The Gentlemen’s rapid rise hinges on a single, radical business decision: offering affiliate hackers 90 percent of any ransom a victim pays. That split is far above the 60 to 80 percent affiliates typically receive elsewhere in the ransomware-as-a-service economy, and it has proven highly effective at drawing skilled attackers into the group’s network.
- The Payout Revolution: The Gentlemen offers 90% of ransom payments to affiliates, inverting the industry standard of 20-40%.
- The Scale Effect: This generous split has made them the second most active ransomware group by victim count within months.
- The Identity Trail: Security researchers have traced infrastructure patterns that may reveal the administrator’s real-world identity.
The Gentlemen operates on a franchise model common in modern cybercrime. Rather than executing attacks directly, the group’s administrator recruits independent hackers—called affiliates—who conduct the actual intrusions, deploy the ransomware, and negotiate with victims. The administrator typically takes a cut of the ransom as payment for providing the malware, infrastructure, and victim support systems. In most ransomware operations, that cut ranges from 20 to 40 percent, leaving affiliates with the remainder. The Gentlemen inverted that math, keeping only 10 percent while handing 90 percent to the hackers doing the work.
That generosity has a purpose: speed and scale. By offering the industry’s most attractive split, The Gentlemen has rapidly assembled a large pool of capable affiliates willing to conduct attacks under the group’s banner. More attacks means more victims, more ransom payments, and ultimately more revenue flowing to the administrator—even at a reduced per-transaction margin. It is a strategy borrowed from legitimate software distribution and venture capital: sacrifice short-term margin to capture market share and network effects.
How Did Researchers Trace The Gentlemen’s Administrator?
The identity of The Gentlemen’s administrator has remained obscured, but security researchers examining the group’s infrastructure, communications, and operational patterns have begun to narrow the field. The investigation points to clues embedded in the group’s technical setup, recruitment messaging, and the timing and geography of victim selection. KrebsOnSecurity reported that researchers have identified potential real-world connections to the administrator, though the reporting available here does not disclose the name or the specific evidence behind that identification.
• Analyses of ransomware operations show that affiliate recruitment posts often expose administrators through language habits and posting times
• Infrastructure analysis can tie payment flows and server hosting back to specific regions or providers
• Metadata in recruitment and negotiation channels frequently leaks identifying details about a group’s leadership
What Makes This Ransomware Model Different?
What makes The Gentlemen’s emergence significant is not merely its ranking by victim count, but what that ranking reveals about the ransomware economy’s evolution. (Rankings of this kind are built from victims named on groups’ data-leak sites, so they miss victims who paid before being posted and can be inflated when a group pads its site with old or recycled claims.) The group has demonstrated that the traditional affiliate-payout model can be disrupted, and that the disruption, paradoxically, can be achieved by giving away more money, not less. This mirrors a pattern seen in other criminal markets: when a new operator enters with a more attractive value proposition, it can rapidly consolidate talent and market share.
The parallels to data-driven exploitation are worth noting. Just as Cambridge Analytica built a global microtargeting apparatus by aggregating behavioral data and psychological profiles—then monetizing access to that data through a network of political clients—The Gentlemen is building a distributed attack network by aggregating skilled hackers and monetizing their labor through a transparent, attractive payout structure. Both operations succeeded by making participation lucrative for subordinates and by building systems designed to scale rapidly. Cambridge Analytica harvested psychological profiles at industrial scale; The Gentlemen harvests ransomware attacks at industrial scale. The infrastructure differs, but the underlying logic—recruit talent, offer better terms than competitors, scale the operation faster than anyone else—is structurally identical.
• Traditional ransomware splits: 20-40% to administrators, 60-80% to affiliates
• The Gentlemen’s model: 10% to administrators, 90% to affiliates
• Result: Second highest victim count among active ransomware groups
Why Does This Business Model Work?
For organizations and individuals, The Gentlemen’s rise carries a direct implication: the ransomware threat is not static. Research into ransomware group structures shows that as long as the economics of ransomware remain attractive—and as long as victims continue to pay—new operators will enter the market with increasingly sophisticated recruitment and operational strategies. The Gentlemen’s 90 percent payout is not a sign of the group’s weakness or generosity; it is a calculated investment in growth.
The approach demonstrates how criminal enterprises adapt competitive strategies from legitimate business. By offering superior compensation terms, The Gentlemen has effectively poached talent from competing ransomware operations. This talent consolidation creates network effects: more skilled affiliates mean more successful attacks, which generates more revenue and allows the group to maintain its generous payout structure while still growing the administrator’s absolute income through volume.
Security researchers continue to investigate The Gentlemen’s infrastructure and communications in hopes of confirming the administrator’s identity. If that confirmation comes, it could give law enforcement a specific target for investigation and potential disruption. Until then, the group remains one of the most active and well-resourced ransomware operations currently tracked, attracting new affiliates through a business model designed to outcompete every other ransomware gang in the market.
