Who Runs Ransomware Group ‘The Gentlemen?’ – Krebs on Security

A cybercrime group known as The Gentlemen has emerged as the second most active ransomware group in terms of victims, quickly attracting a large number of skilled hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines the clues that point to the real-life identity of the administrator of The Gentlemen ransomware group.

Image created and shared by The Gentlemen ransomware group administrator Hastalamuerte on Breachforums in May 2026. Credit: ke-la.com.

Experts at the security firm Check Point Software have been closely covering the activities of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that effectively helps distribute the group’s malware.

“A joint fee split of 90/10 – compared to the industry standard of 80/20 – accelerates the group’s growth by attracting experienced operators to competitive systems,” the researchers wrote in April.

Check Point found that Gentlemen is the second most active ransomware group in terms of number of victims so far this year, claiming at least 332 published victims since the group was founded in mid-2025 and more than 240 in 2026 alone.

According to Check Point, this group targets Internet-facing devices (VPNs, firewalls) as their entry point, and once inside they move quickly to encrypt entire networks within hours.

Check Point says the administrator and main user of the ransomware group uses the alias Zetha88 on Russian-language cybercrime sites, and that this person was previously known under the moniker Hastalamuerte. Check Point noted that the breach of the group’s infrastructure made it clear that Hastalamuerte/Zeta88 is the person who integrates the locker and the RaaS panel, manages the payments, and is in effect the administrator of the entire program, receiving 10 percent of all ransoms.

WHO IS HASTALAMUERTE?

Internet intelligence company Intel 471 shows that the user Hastalamuerte is a Russian and English speaker who has registered on about a dozen cybercrime forums between 2019 and today, including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled.

Intel 471 reveals that Hastalamuerte registered on Breachforums in January 2025 from an Internet address in Izhevsk, the capital of the Udmurt Republic of Russia. Likewise, the user Zetha88 registered on the English-language cybercrime forum Violated in August 2022 from a different Internet address in Izhevsk.

Intel 471 finds Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com (1488 is a common combination of two numerical symbols associated with white supremacy). A lookup on this address at the open-source intelligence service Epieos indicates that it is linked to an Apple account and a phone number ending in 04.

Epieos says the Protonmail address is also linked to the GitHub account under the username SantaMuerte. That account is marked as private, but this user’s work history shows that they have watched and developed a number of malware and exploit tools.

In April 2020, Hastalamuerte said on the crime forum Nulled that they could be reached at the Telegram instant messenger username @hastalamuerte18, and the threat intelligence firm Flashpoint finds this username was assigned the unique phone ID number 30907522 [full disclosure: Flashpoint is an advertiser on this blog].

Breach tracking service Constella Intelligence reports that Hastalamuerte’s phone ID is linked to another username, “it’s 4 vs”, and to a Russian phone number, 79127650004. A lookup of this phone number at Constella pulls up multiple records from a hacked Russian government database that show it has been assigned to one Alexander Andreevich Yapaev, a 36-year-old from Izhevsk.

Constella revealed that the phone number was used to create an account on the Russian social network Pikabu under the name “4apai18,” and shows that Mr. Yapaev is registered to a number of websites using the common surname Ivanov, or “Chapaev” (the number 4 is often used as an abbreviation for the “ch” sound in Russian).

A search at Intel 471 for cybercrime forum members with the nickname SantaMeurte found an account with the same name created in 2020 on the Russian hacking forum Codeby. Intel 471 shows this user initially registered on Codeby with a non-hidden alias, Alexandr 4apaev.

Constella finds that Mr. Yapaev often used the email address bu4vs@mail.ru. Meanwhile, Epieos shows that this address is linked to the LinkedIn account of Alexander Yapaev, who lists himself as the head of B2B sales at the company Uralenergo Udmurtia, one of Russia’s largest suppliers of electrotechnical and lighting products.

Mr. Yapaev did not respond to multiple requests for comment.

Almost every time we publish one of these Breadcrumbs stories, readers are curious as to why it seems that many hackers from Russia apparently do nothing to hide their real-life identities. The truth is that – Russian or not – most did not set out to be great criminals, but instead were drawn into the scene gradually over several years as their skills developed and sharpened.

Another important variable is that the Russian government often cooperates with or ignores cybercriminals within its borders as long as the hackers do not make money from or attack Russian businesses and citizens. As a result, successful cybercriminals in Russia are often shielded from prosecution and arrest by foreign law enforcement agencies as long as they pay the right people periodically and do not travel abroad. And cybercriminals intent on strictly adhering to those unwritten rules may (at least initially) be less concerned about covering their tracks online.

But the simple explanation is that cybercriminals of all nationalities tend to make many operational security mistakes early in their careers, when they have little experience and little to lose from their carelessness. A review of Hastalamuerte’s original posts on the crime forums (circa 2019-2020) shows a low-level, low-skill hacker still trying to learn the ropes and gain a good reputation in these communities.

For example, in June 2020 the Telegram account of Hastalamuerte joined a multi-month training program (@pntst) to learn how to use popular penetration testing tools, and their clear posts in this hacker training camp show that Hastalamuerte is trying to use these tools successfully. A Google-translated transcript of Hastalamuerte’s @pntst posts is here.
