The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

Ravie LakshmananJun 11, 2026Cybercrime / Ransomware

A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).

According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.Live.

“In July 2025, Phantom Mantis transitioned into The Gentlemen, an independent partnership program no longer dependent on other RaaS groups,” the Swiss cybersecurity company said. “Additionally, LARVA-368 relies heavily on artificial intelligence for the development and maintenance of ransomware and tools, as well as for assistance with post-exploitation procedures.”

As for LARVA-368, the threat actor is assessed to have been a member of the Embargo (aka Primeval Mantis) ransomware group before launching their own operation under the name ArmCorp. It was subsequently rebranded to The Gentlemen four months later.

The individual’s identity has since been outed by cybersecurity journalist Brian Krebs as a 36-year-old Alexander Andreevich Yapaev (Япаев Алексанр Андреевич) from the Russian city of Izhevsk. PRODAFT told The Hacker News that its findings match the same persona with “high confidence.”

As detailed by Dark Atlas in August 2025, the shift coincided with a payment dispute between LARVA-368 and Qilin, with the threat actor accusing the RaaS operation of carrying out an exit scam and defrauding them of $48,000.

“Although Phantom Mantis was a…

Source