Unmasking The Gentlemen: A Deep Dive into a Rising Ransomware Syndicate and its Alleged Administrator
A new force has emerged in the ransomware landscape: **The Gentlemen**, a group rapidly climbing the ranks by luring top-tier talent with an unprecedented 90/10 revenue split. This investigation sheds light on the group's aggressive tactics and delves into the digital breadcrumbs potentially leading to the real-world identity of its alleged administrator.
The cybersecurity firm **Check Point Software** has been closely tracking **The Gentlemen**, a sophisticated "ransomware-as-a-service" (RaaS) operation. The group's enticing 90/10 affiliate revenue split (significantly higher than the industry standard 80/20) has effectively accelerated its growth by attracting experienced operators from rival programs.
According to **Check Point**, **The Gentlemen** have become the second most active ransomware group by victim count this year, claiming at least 332 published victims since their inception in mid-2025, with over 240 in 2026 alone. Their modus operandi involves targeting internet-facing devices like VPNs and firewalls as initial entry points, swiftly moving to encrypt entire networks within hours once inside.
**Check Point** identifies the administrator and primary operator of the group by the nickname **Zeta88** on Russian-language cybercrime forums, previously known as **Hastalamuerte**. A breach of the group's backend infrastructure reportedly confirmed that **Hastalamuerte**/**Zeta88** is responsible for assembling the locker and RaaS panel, managing payments, and overseeing the entire operation, receiving 10 percent of all ransoms.
## Who is Hastalamuerte?
Cyber intelligence firm **Intel 471** reveals that **Hastalamuerte** is a Russian and English-speaking individual who registered on nearly a dozen cybercrime forums between 2019 and the present, including **Exploit**, **Breachforums**, **Ramp_V2**, **BHF**, **Raidforums**, and **Nulled**.
**Intel 471** uncovered that **Hastalamuerte** registered on **Breachforums** in January 2025 from an internet address in **Izhevsk**, the capital of Russia's Udmurt Republic. Similarly, the user **Zeta88** signed up on the English-language cybercrime forum Breached in August 2022 from a different **Izhevsk** IP address.
Further investigation by **Intel 471** shows **Hastalamuerte** registered on **Raidforums** in 2020 using the email address **[email protected]**. The number '1488' is a known symbol associated with white supremacy. An **Epieos** lookup on this address links it to an Apple account and a phone number ending in **04**.
**Epieos** also connects this Protonmail address to a GitHub account under the username **SantaMuerte**. Although the account is private, its activity history indicates involvement in watching and developing various malware tools and exploits.
In April 2020, **Hastalamuerte** posted on the **Nulled** crime forum, providing the Telegram instant messenger name **@hastalamuerte18**. Threat intelligence company **Flashpoint** confirmed this username is assigned the unique Telegram ID number **30907522**.
Breach tracking service **Constella Intelligence** reports that **Hastalamuerte**'s Telegram ID is linked to another username, "**bu4vs**," and to the Russian phone number **79127650004**. Pivoting on this number in **Constella** yielded multiple records from compromised Russian government databases, assigning it to **Alexander Andreevich Yapaev**, a 36-year-old from **Izhevsk**.
**Constella** also found this phone number was used to create an account on the Russian social media platform Pikabu under the name "**4apai18**," and that Mr. **Yapaev** has registered on various websites using the surname "Chapaev" (with '4' often substituting 'ch' in Russian).
An **Intel 471** search for cybercrime forum members with the nickname **SantaMuerte** revealed an account created in 2020 on the Russian hacking forum Codeby. **Intel 471** shows this user originally registered on Codeby with the less subtle nickname **Alexandr 4apaev**.
**Constella** indicates Mr. **Yapaev** regularly used the email address **[email protected]**. Meanwhile, **Epieos** links this address to a LinkedIn account for **Alexander Yapaev**, who lists himself as the head of B2B marketing at **Uralenergo Udmurtia**, a major Russian supplier of electrotechnical and lighting products.
Mr. **Yapaev** did not respond to multiple requests for comment.
## Why the Apparent Lapses in OpSec?
It's a common observation that many cybercriminals, particularly those operating from Russia, appear to leave discernible digital trails. This often stems from a gradual immersion into cybercrime rather than an initial intent to be a hardened criminal. Their skills evolve over time, and early career mistakes in operational security (OpSec) are frequent due to a lower perceived risk.
Another significant factor is the Russian government's stance, which often either co-opts or overlooks cybercriminal activities within its borders, provided they do not target Russian businesses or citizens. This provides a degree of insulation from foreign law enforcement, encouraging a less stringent approach to OpSec, especially for those who initially intend to adhere to these unwritten rules.
For instance, early posts by **Hastalamuerte** from 2019-2020 reveal a relatively unsophisticated hacker learning the ropes. In June 2020, **Hastalamuerte**'s Telegram account joined a multi-month training program (@pntst) for penetration testing tools, with candid posts showing initial struggles in mastering these tools.