Unmasking Hastalamuerte: Identifying the Administrator of The Gentlemen Ransomware Group
The Gentlemen, a prominent ransomware-as-a-service (RaaS) group, has ascended to become the second most active threat actor by victim count, largely due to an aggressive 90/10 revenue split that lures experienced affiliates. Security researchers at Check Point Software and PRODAFT have linked the group’s administrative operations to a Russia-based individual operating under the aliases “Hastalamuerte” and “Zeta88,” who has been identified through digital breadcrumbs as Alexander Andreevich Yapaev, a 36-year-old marketing professional from Izhevsk.
How The Gentlemen disrupted the ransomware market
The Gentlemen differentiate themselves through an aggressive financial incentive structure. While the industry standard for RaaS programs typically involves an 80/20 revenue split, The Gentlemen offer affiliates 90 percent of all ransom payments, according to Check Point Software. This shift has accelerated the group’s growth, allowing them to claim at least 332 published victims since mid-2025. PRODAFT researchers noted that the group’s administrator provides affiliates with initial access points, such as compromised Fortinet SSL-VPN credentials, to facilitate rapid network encryption.

The Gentlemen are increasingly leveraging artificial intelligence to automate the development of their ransomware strains and to assist in post-exploitation activities, according to a June 2026 report by PRODAFT.
What connects the administrator to a real-world identity?
Digital forensics link the administrator’s online persona to Alexander Andreevich Yapaev. Investigations by Constella Intelligence and Intel 471 identified that the Telegram ID associated with the “Hastalamuerte” handle is linked to the Russian phone number 79127650004. Publicly available records from hacked Russian government databases confirm this number belongs to Yapaev, a resident of Izhevsk. Further analysis by Epieos connects the administrator’s email addresses to a LinkedIn profile for Yapaev, who currently lists his employment as the head of B2B marketing at the Russian firm Uralenergo Udmurtia.
Why do cybercriminals leave such obvious digital trails?
Many high-level cybercriminals begin their illicit activities as amateur hackers, often failing to maintain operational security (OPSEC) in their early years. According to historical forum posts reviewed by security researchers, the individual behind “Hastalamuerte” participated in entry-level penetration testing training as late as 2020. Furthermore, the geopolitical environment in Russia often provides a layer of insulation for hackers who refrain from targeting domestic entities. This perceived immunity can lead even sophisticated operators to become careless with their real-life identities, as they believe they are shielded from foreign law enforcement.
Future trends in ransomware operations
The professionalization of RaaS groups like The Gentlemen suggests a shift toward corporate-style management within cybercrime syndicates. As these groups continue to adopt AI-driven tools, the time between initial network entry and full-scale encryption is expected to shrink further. Security analysts anticipate that the “affiliate-first” model will force other established ransomware gangs to either increase their payout percentages or face a talent drain to more lucrative programs. Organizations should prioritize patching internet-facing devices, as these remain the primary entry vectors for these operators.

Pro Tip: Strengthening your defense
Because The Gentlemen rely heavily on brute-forcing VPNs and firewalls, organizations must enforce multi-factor authentication (MFA) on all internet-facing hardware. Regularly auditing exposed services is no longer optional; it is a critical requirement for preventing the rapid network compromise this group specializes in.
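
As an added illustration of the auditing point above (not code from the article or from any of the cited researchers), this sketch scans VPN authentication events for two signals: a burst of failed logins from one source, and a successful login that follows such a burst. The key=value log layout, the field names and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout and the field names
# (time, action, srcip, user) are assumptions, not a vendor's log schema.
SAMPLE_LOG = """\
time=2025-01-10T02:14:01 action=login-fail srcip=203.0.113.7 user=admin
time=2025-01-10T02:14:09 action=login-fail srcip=203.0.113.7 user=admin
time=2025-01-10T02:14:15 action=login-fail srcip=203.0.113.7 user=backup
time=2025-01-10T02:14:22 action=login-fail srcip=203.0.113.7 user=svc_vpn
time=2025-01-10T02:14:30 action=login-fail srcip=203.0.113.7 user=svc_vpn
time=2025-01-10T02:14:41 action=login-ok srcip=203.0.113.7 user=svc_vpn
time=2025-01-10T08:59:50 action=login-fail srcip=198.51.100.20 user=alice
time=2025-01-10T09:00:05 action=login-ok srcip=198.51.100.20 user=alice
"""

def parse(line):
    """Turn one key=value line into a dict with a parsed timestamp."""
    ev = dict(re.findall(r"(\w+)=(\S+)", line))
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def detect(log_text, window=timedelta(minutes=5), threshold=5):
    """Return (kind, srcip, count_or_user) alerts in log order."""
    fails = defaultdict(list)   # srcip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        src, now = ev["srcip"], ev["time"]
        # Keep only failures inside the sliding window for this source.
        fails[src] = [t for t in fails[src] if now - t <= window]
        if ev["action"] == "login-fail":
            fails[src].append(now)
            if len(fails[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute-force", src, len(fails[src])))
        elif ev["action"] == "login-ok" and len(fails[src]) >= threshold:
            # A success right after a burst of failures suggests a guessed
            # credential: treat the account as compromised.
            alerts.append(("success-after-failures", src, ev["user"]))
            fails[src].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one to escalate first: it marks an account that should have its password reset and its sessions revoked, while a single mistyped password followed by a success (the `alice` lines) stays quiet.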

Frequently Asked Questions
- Who is the primary administrator of The Gentlemen?
Security researchers identify the administrator as an individual using the aliases “Hastalamuerte” and “Zeta88,” whom intelligence firms have linked to Alexander Andreevich Yapaev.
- Why is The Gentlemen group growing so quickly?
The group offers a 90 percent share of ransom payments to its affiliates, significantly higher than the industry average of 80 percent, which attracts experienced hackers from competing groups.
- What are the main entry points for this group?
According to Check Point Software, the group primarily targets internet-facing devices such as VPNs and firewalls, often using brute-force attacks to gain initial access.
- Do these hackers hide their identities?
Many do not, often because they start their careers as low-skilled hobbyists and only later evolve into sophisticated criminals, leaving a trail of linked accounts, emails, and phone numbers that can be traced back to their real-world identities.