Unmasking the Administrator of The Gentlemen Ransomware Group: The Real Identity of Hastalamuerte

The ransomware group known as The Gentlemen has rapidly ascended to become the second most active cybercrime organization by victim count, driven by an aggressive recruitment strategy that offers affiliates a 90 percent share of ransom payments. Security researchers have traced the group’s backend infrastructure to an administrator operating under the monikers “Zeta88” and “Hastalamuerte,” with evidence pointing to a 36-year-old Russian national named Alexander Andreevich Yapaev. The group, which emerged in mid-2025, has claimed responsibility for at least 332 victim organizations, according to data from Check Point Software.

This surge in activity is attributed to a “ransomware-as-a-service” (RaaS) model that disrupts industry standards. While most competing programs offer an 80/20 revenue split, The Gentlemen provide a 90/10 split, a move that researchers state has successfully attracted experienced operators from other criminal syndicates. The group typically gains initial access to networks by targeting Internet-facing devices, such as VPNs and firewalls, before moving to encrypt internal systems within hours.

Tracing the Identity of Zeta88

Cyber intelligence firms have pieced together the digital footprint of the group’s primary operator. According to Intel 471, the user Hastalamuerte registered on numerous cybercrime forums, including Exploit and Breachforums, between 2019 and the present. Records indicate that Hastalamuerte registered on Breachforums in January 2025 from an Internet address located in Izhevsk, the capital of Russia’s Udmurt Republic. This location aligns with registration data for the moniker Zeta88, which appeared on the English-language forum Breached in August 2022, also originating from Izhevsk.

The digital trail extends to email and social media identifiers. Analysis by the open-source intelligence service Epieos linked the email address [email protected]—previously used by the actor on the forum Raidforums—to an Apple account and a phone number ending in 04. Further investigation by Constella Intelligence connected this phone number to a Russian mobile line, 79127650004. Cross-referencing this number with leaked Russian government databases identified the user as Alexander Andreevich Yapaev, a 36-year-old resident of Izhevsk.

A graphic created and shared by The Gentlemen ransomware group administrator Hastalamuerte on Breachforums in May 2026. Credit: ke-la.com.

Professional Background and Operational Security

Publicly available information suggests a dual life for the individual identified as Yapaev. Records from Epieos and professional networking sites indicate that the email address [email protected], which is associated with the identified phone number, is linked to a LinkedIn profile for an Alexander Yapaev. This profile lists his professional role as the head of B2B marketing at Uralenergo Udmurtia, a major supplier of electrotechnical and lighting products in Russia.

The transition from a novice hacker to a prominent ransomware administrator appears to have been a gradual process. Early forum activity from 2019 and 2020 shows the user struggling with basic penetration testing tools. In June 2020, the Telegram account associated with the persona joined a training program, where posts revealed a period of technical skill-building. Experts note that many cybercriminals in the region operate with relative impunity, provided they avoid targeting Russian entities and do not travel to countries with active extradition treaties for cyber-related offenses.

Current Operations and AI Integration

The technical sophistication of The Gentlemen has evolved significantly since their inception. In a report published on June 11, 2026, the threat research group PRODAFT confirmed with “high confidence” that the administrator—operating as Zeta88 or Hastalamuerte—directly supplies affiliates with initial access credentials. These are primarily obtained via brute-force attacks against Fortinet SSL-VPN devices or sourced from the group’s internal database of leaked credentials.
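
For defenders, the brute-force pattern described above can be looked for in SSL-VPN authentication logs. The following is an added example, not code from the article or from the researchers it cites: it flags a source address that accumulates many failed SSL-VPN logins in a short window, and separately flags a successful login from that same address. The log lines are constructed, and the field names (`action="ssl-login-fail"`, `action="tunnel-up"`, `remip`, `user`) are assumptions modelled on FortiGate key=value event logs that should be checked against the device's own log reference.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry); field names are assumptions.
SAMPLE_LOG = '''
date=2026-06-01 time=03:10:01 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin"
date=2026-06-01 time=03:10:09 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="vpnuser"
date=2026-06-01 time=03:10:15 subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jsmith"
date=2026-06-01 time=03:10:22 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="backup"
date=2026-06-01 time=03:10:40 subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="jsmith"
date=2026-06-01 time=03:10:51 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin"
date=2026-06-01 time=03:11:30 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc_fw"
date=2026-06-01 time=03:12:05 subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="svc_fw"
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for failure bursts and for logins that follow a burst."""
    fails = defaultdict(list)  # remip -> [(timestamp, user)] inside the window
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse(line)
        ip = ev["remip"]
        # Keep only this address's failures that are still inside the window.
        recent = [(t, u) for t, u in fails[ip] if ev["ts"] - t <= window]
        if ev["action"] == "ssl-login-fail":
            recent.append((ev["ts"], ev["user"]))
            fails[ip] = recent
            if len(recent) == threshold:  # alert once, when the burst is reached
                users = {u for _, u in recent}
                alerts.append(("brute-force", ip, len(users)))
        elif ev["action"] == "tunnel-up" and len(recent) >= threshold:
            # A login right after a burst of failures needs immediate review.
            alerts.append(("success-after-failures", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 198.51.100.20 followed by a normal login raises nothing; only the address with five failures across four usernames is reported, first for the burst and then for the login that follows it.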

Furthermore, researchers have observed the administrator utilizing artificial intelligence to maintain the ransomware locker and its associated RaaS management panel. AI tools are reportedly employed to assist with post-exploitation activities and code development, allowing the group to maintain a high tempo of attacks. As of June 2026, the group had claimed more than 240 victims in the current year alone, according to findings from Check Point Software.

Alexander Yapaev did not respond to multiple requests for comment regarding these findings. The investigation remains ongoing as security firms continue to monitor the group’s infrastructure for new indicators of compromise. Readers are encouraged to monitor updates from official cybersecurity advisories, such as those issued by CISA, for guidance on protecting Internet-facing devices from similar ransomware threats.