A new analysis of The Gentlemen ransomware operation says the group has claimed 478 victims since March 2025 and that in July 2025 it stopped relying on other ransomware services and began running its own independent partnership program.
KEY FACTS
- Victims: The group claims 478 victims to date.
- Timeline: Activity has been tracked since March 2025, with an internal shift in July 2025.
- Infrastructure: The operation has used tools and resources associated with LockBit, Qilin and Medusa.
- Targets: Victims are concentrated in Thailand, the U.K., Brazil, Germany and India.
A technical analysis from PRODAFT says the group, which it tracks as Phantom Mantis, is led by a Russian-speaking operator it identifies as LARVA-368. The report says the actor used aliases including hastalamuerte, ArmCorp, zeta88, nobody0 and santamuerte.
The report says the operation began as an affiliate effort for double extortion attacks and later evolved into The Gentlemen, an independent ransomware partnership. It also says the operator relied heavily on artificial intelligence for ransomware development, maintenance and post-exploitation support.
The article also says the operator was previously associated with the Embargo ransomware group before starting the ArmCorp brand, which later became The Gentlemen. Brian Krebs identified the person behind the operation as Alexander Andreevich Yapaev, 36, of Izhevsk, and PRODAFT said its findings matched that persona with high confidence.
The article says the group has used a profit split of 90% for affiliates and 10% for the operator, with access to the affiliate panel tied to at least 1 GB of exfiltrated data. It also says the malware comes in versions for Windows, Linux, ESXi, Windows XP and LVM, and that some versions can spread to other reachable systems on a network.
The disclosure says The Gentlemen uses a mix of edge-device intrusions, red team tools, security evasion utilities and encrypted messaging platforms for support. It also says the group tries to clear Windows event logs, disable Microsoft Defender and add antivirus exclusions during attacks.
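The three defense-evasion steps named above (clearing event logs, disabling Defender, adding exclusions) each leave a well-known trace. The script below is an added example, not code from the article or from PRODAFT: it tags constructed Windows events (Security 4688 process creations, Security 1102 and System 104 log-cleared events, and Defender Operational 5001/5007) and flags a host when two or more of the three categories occur on it. The host names, command lines and the two-category threshold are assumptions for the example.

```python
"""Toy triage for the defense-evasion steps the article attributes to
The Gentlemen. Added example; the events below are constructed, not
captured from a real intrusion."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    channel: str      # Windows event log channel
    event_id: int
    message: str = "" # command line for process-creation events, or the event text


# Event IDs documented by Microsoft for these channels.
CLEARED_LOG_IDS = {("Security", 1102), ("System", 104)}
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_RT_DISABLED_ID = 5001     # real-time protection disabled
DEFENDER_CONFIG_CHANGED_ID = 5007  # configuration changed (new exclusions land here)

# Command-line patterns for Security 4688 / Sysmon 1 messages (case-insensitive).
CMDLINE_PATTERNS = {
    "log_clear": re.compile(
        r"(?:\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b)", re.I),
    "defender_disable": re.compile(
        r"(?:Set-MpPreference\b.*?-Disable(?:RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)"
        r"\s+(?:\$true|1)\b|DisableAntiSpyware\b.*?\b1\b)", re.I),
    "av_exclusion": re.compile(
        r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I),
}


def classify(ev: Event) -> set[str]:
    """Return the evasion categories a single event belongs to (possibly none)."""
    tags: set[str] = set()
    if (ev.channel, ev.event_id) in CLEARED_LOG_IDS:
        tags.add("log_clear")
    if ev.channel == DEFENDER_CHANNEL:
        if ev.event_id == DEFENDER_RT_DISABLED_ID:
            tags.add("defender_disable")
        elif ev.event_id == DEFENDER_CONFIG_CHANGED_ID and "Exclusions" in ev.message:
            tags.add("av_exclusion")
    for tag, pattern in CMDLINE_PATTERNS.items():
        if pattern.search(ev.message):
            tags.add(tag)
    return tags


def triage(events: list[Event], threshold: int = 2) -> dict[str, dict]:
    """Group tags per host; a host is suspicious when it shows >= threshold
    distinct categories (threshold is an assumption for this example)."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(classify(ev))
    return {
        host: {"tags": sorted(tags), "suspicious": len(tags) >= threshold}
        for host, tags in per_host.items()
    }


# Constructed sample events: one host shows all three steps, one is benign.
SAMPLE_EVENTS = [
    Event("WS-07", "Security", 4688,
          r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Event("WS-07", "Security", 4688,
          r'powershell.exe Add-MpPreference -ExclusionPath "C:\ProgramData\upd"'),
    Event("WS-07", DEFENDER_CHANNEL, 5001,
          "Microsoft Defender Antivirus Real-time Protection scanning for malware "
          "and other potentially unwanted software was disabled."),
    Event("WS-07", "Security", 4688, r"wevtutil.exe cl Security"),
    Event("WS-07", "Security", 1102, "The audit log was cleared."),
    Event("FS-01", "Security", 4688, r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Event("FS-01", "System", 7036, "The Print Spooler service entered the running state."),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Matching on event IDs as well as command lines matters here: an attacker who clears the Security log removes the 4688 record of the `wevtutil` command, but the 1102 event that records the clearing is written to the freshly emptied log, so it survives and is often the only trace left.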
WHY IT MATTERS
The findings show how ransomware groups can shift between affiliate models and standalone operations while keeping access to the same tools and targets, which makes attribution and disruption harder for defenders. The report's timeline, in which attacks move from initial access to encryption over several weeks, cuts both ways: it gives the operator time to clear logs and disable Defender, but it is also the window in which those tampering steps can be detected before encryption starts.

