Phantom Mantis Ransomware Group Evolves Into Self-Sufficient Operation With 478 Victims

The threat actor behind The Gentlemen ransomware, who moved from RaaS affiliate to independent operator using AI-developed tools, has been identified as a 36-year-old Russian from Izhevsk.

CSBadmin

From Affiliate to Independent Operator

A new analysis of The Gentlemen ransomware operation has revealed that the financially motivated threat group, tracked as Phantom Mantis by PRODAFT, initially operated as an affiliate for multiple ransomware-as-a-service schemes, including LockBit, Qilin, and Medusa. According to the Swiss cybersecurity firm, the group was led by a Russian-speaking cybercriminal using the alias LARVA-368, who has been publicly identified as 36-year-old Alexander Andreevich Yapaev from Izhevsk, Russia. In July 2025, Phantom Mantis transitioned into The Gentlemen, becoming an independent partnership program that no longer relied on other RaaS groups.

Worm-Like Capabilities and Scale of Attacks

The Gentlemen ransomware has claimed 478 victims to date, according to data from Ransomware.Live, and is capable of spreading like a worm across networks. LARVA-368 relies heavily on artificial intelligence for developing and maintaining the ransomware tools, as well as for post-exploitation procedures. The group's evolution followed a payment dispute with the Qilin RaaS operation, which the threat actor accused of carrying out an exit scam and defrauding them of $48,000. PRODAFT confirmed that its findings match the identified persona with high confidence, noting that the individual was previously a member of the Embargo ransomware group before launching their own operation under the name ArmCorp, which was later rebranded as The Gentlemen.

Source: The Hacker News
