ZeroFox Intelligence Profile - The Gentlemen
by Alpha Team

Product Serial: P-2026-05-07a
TLP:CLEAR
This Threat Actor Profile is a baseline analysis for the ransomware-as-a-service collective The Gentlemen, which has been active since at least September 2025.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- The Gentlemen is a ransomware-as-a-service (RaaS) collective active since at least September 2025 that publishes victim data on its dark web-hosted blog. As of April 2026, The Gentlemen has conducted at least 346 attacks, averaging 43 per month.
- The Gentlemen is almost certainly financially motivated; neither its dark web leak site nor its public statements on dark web forums, social media, or covert communication channels indicate any political stance, ideological messaging, or affiliation with a specific cause.
- The Gentlemen employs a double extortion model with a silent encryption mode, as indicated by the file encryptions and ransom notes in confirmed attacks. The group actively solicits initial access brokers (IABs) for Virtual Private Networks (VPNs) and botnets and purchases targets’ data from infostealer logs.
- The collective’s target pool has included a national human rights institute, a university, and the healthcare sector, suggesting the group or its affiliates do not exclude public sector organizations despite their typically lower ransom-paying capacity.
- ZeroFox assesses that The Gentlemen is likely a technically mature threat actor group based on its observable Operations Security (OPSEC) posture, which presents a mixture of defensive security measures and credibility-driven self-exposure.
Tags: tlp:clear, dark web, threat actor