Operation Gentlemen® A.I CyberSecurity Scoring
Operation Gentlemen®
Company Information
Website:http://operationgentlemen.com
Employees number:2
Number of followers:57
NAICS:8132
Industry Type:Philanthropic Fundraising Services
Homepage:operationgentlemen.com
Operation Gentlemen® Risk Score (AI oriented)
Between 650 and 699
Operation Gentlemen®Philanthropic Fundraising Services
Updated:
11/06/2026
11/06/2026
661/1000
Weak
B
Operation Gentlemen® Global Score (TPRM)
xxxx
Operation Gentlemen®Philanthropic Fundraising Services
Score locked

Operation Gentlemen®Weak
Current Score
661B (WEAK)
01000
1 incidents
-105 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
662
JUNE 2026
661
MAY 2026
660
APRIL 2026
761
Ransomware
01 Apr 2026 • Operation Gentlemen®
The Gentlemen, Medusa and Cisco: The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
The Gentlemen Ransomware Operation: A Rising Threat with AI and RaaS Roots
656
CRITICAL-105
MEDCISOPE1781209579
The Gentlemen Ransomware Operation: A Rising Threat with AI and RaaS Roots
A new analysis by PRODAFT has uncovered the evolution of The Gentlemen, a financially motivated ransomware group that began as an affiliate for established ransomware-as-a-service (RaaS) operations like LockBit, Qilin, and Medusa before launching its own independent program in July 2025. Tracked as Phantom Mantis, the group is led by a Russian-speaking cybercriminal known as LARVA-368 a 36-year-old identified as Alexander Andreevich Yapaev from Izhevsk, Russia, with aliases including hastalamuerte, ArmCorp, and santamuerte.
Since its inception, The Gentlemen has claimed 478 victims, with a surge in activity making it one of the most prolific ransomware actors, responsible for 10% of global ransomware incidents in April 2026. The group’s transition to independence followed a payment dispute with Qilin, where LARVA-368 accused the RaaS operator of an exit scam, allegedly defrauding affiliates of $48,000. PRODAFT noted that Phantom Mantis may have spread disinformation to recruit Qilin affiliates by discrediting the group.
The Gentlemen operates with a sophisticated infrastructure, leveraging AI for ransomware development, tool maintenance, and post-exploitation procedures. Its affiliate program offers a 90/10 profit split, attracting partners with aggressive incentives. Affiliates must provide at least 1GB of stolen victim data to access the panel, a tactic designed to block researchers and law enforcement. The group supports multiple ransomware variants, including Windows, Linux, ESXi, and LVM-targeting strains, and uses open-source messaging platforms like Tox and SimpleX Chat for communication.
Initial access is typically gained through vulnerable edge devices particularly Cisco and Fortinet FortiGate systems followed by Active Directory exploitation using tools like NetExec, RelayKing, and PrivHound. The ransomware employs a hybrid encryption scheme (X25519 key exchange with XChaCha20) and can self-propagate as a worm when executed with the `--spread` argument. Microsoft, tracking the group as Storm-2697, noted that the Go-based malware is obfuscated with Garble and can wipe recoverable artifacts when run with the `--wipe` flag.
The Gentlemen’s attacks exhibit a high degree of adaptability, with dwell times ranging from two to six weeks. The group targets VMware infrastructure and employs multi-channel extortion, combining ransomware with email and phone-based pressure tactics. A recent leak of the group’s internal Rocket.Chat database spanning November 2025 to April 2026 revealed a structured criminal enterprise with clear role divisions, exploiting vulnerabilities like CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. In March 2026, an exposed toolkit on a Russian bulletproof host further exposed the group’s full intrusion lifecycle, from reconnaissance to encryption.
Victim distribution is global, with only 13% in the U.S., while the majority are concentrated in Thailand, the U.K., Brazil, Germany, and India. The group’s rapid development cycle was demonstrated in April 2026 when it released a same-day patch after a decryptor was made public. With roots dating back to at least 2020 including prior affiliations with the Embargo ransomware group LARVA-368’s expertise has positioned The Gentlemen as a formidable and evolving threat in the cybercrime landscape.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
761
FEBRUARY 2026
761
JANUARY 2026
761
DECEMBER 2025
761
NOVEMBER 2025
761
OCTOBER 2025
761
SEPTEMBER 2025
761
AUGUST 2025
761
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Operation Gentlemen® ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in June 2026 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in May 2026 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in April 2026 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in March 2026 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in February 2026 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in January 2026 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in December 2025 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in November 2025 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in October 2025 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in September 2025 ??
What was Operation Gentlemen®'s A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Operation Gentlemen®'s A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Operation Gentlemen® ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Operation Gentlemen®'s profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?