Skip to content

TechChannels Network:      Whitepaper Library      Webinars         Virtual Events      Research & Reports

×
Generative AI

The Gentleman’s 478 Victims Reveal Cybercrime’s Shift from Exploits to Access

Ransomware is heading away from isolated gangs and toward a criminal-services economy. The Prodaft threat intelligence team (2026) found that the Gentleman group has claimed at least 478 victims since 2021 and may have generated nearly $38 million. The Gentleman, also tracked as Phantom Mantis, Larva 368, Zeta88, and reportedly operating on Telegram as Hastalmuerte, appears to move across several layers of the ransomware ecosystem rather than existing as a single malware crew.

Cybercrime groups are starting to behave less like hackers chasing technical breakthroughs and more like investors hunting for asymmetric upside.

One well-placed insider can do what weeks of reconnaissance, privilege escalation, lateral movement, and evasion are meant to achieve: put the attackers close to the systems that matter.

The attack is a sequence of services, and the strongest groups are those that can coordinate them efficiently. The Gentleman’s reported Ransomware-as-a-Service model fits that shift. Affiliates can deploy ransomware tools in return for a share of the profits, while the core operators expand their reach without conducting every attack themselves. Its reported links to LockBit, Qilin, Medusa, and RansomHub suggest a group plugged into a wider supply chain of malware families, affiliates, tooling, and infrastructure.

AI strengthens that machinery in practical ways. It can accelerate reconnaissance, rank exposed systems, improve phishing copy, personalize impersonation, triage vulnerabilities, and help sort stolen files for extortion value. The advantage is speed and scale: more targets assessed, more convincing lures written, and more campaigns run with fewer people.

Cybersecurity has largely viewed access as a technical problem that answers a stream of repetitive dilemmas. Can an attacker get inside a network? Can they elevate privileges? Can they move laterally? Can they avoid detection?

Groups like the Gentleman increasingly approach these questions from an economic perspective. Access already exists, so the challenge is identifying who possesses it, who controls it, and under what circumstances it might become available. The Gentleman has offered insiders up to 90% of the ransom proceeds in exchange for access to corporate systems. At first glance, the figure seems extraordinary. In reality, it reflects a cold calculation.

A trusted employee already knows where critical systems sit, which security controls are actively enforced, how backups are managed, and which executives make decisions during a crisis. They understand the organization's habits, routines, and blind spots. From an attacker's perspective, that knowledge can be worth more than a sophisticated exploit.

Right now, the organizations facing the greatest risk are not necessarily those with the weakest technology. They are often those who underestimate the strategic value of trust, permissions, relationships, and institutional knowledge. Security teams can inventory devices, applications, and vulnerabilities. Mapping access is considerably harder because access is embedded in people, processes, suppliers, contractors, and everyday business operations.

Groups like The Gentleman recognize something many organizations still struggle to quantify: a network can be segmented, a server can be patched, and a vulnerability can be fixed. Understanding who holds meaningful access, why they hold it, and how that access creates concentration points of risk is a far more complex exercise.



Share on

More News