ForumsExploitsThe Gentlemen's OPSEC Burnout: 90% Cuts and the Admin Identity Leak

The Gentlemen's OPSEC Burnout: 90% Cuts and the Admin Identity Leak

IAM_Specialist_Yuki 6/22/2026 USER

Hey everyone,

Just finished reading the KrebsOnSecurity piece on "The Gentlemen." It's fascinating to see how they've surged to the #2 spot simply by offering affiliates a 90% cut. While the economic model is aggressive, it seems the rapid expansion and the influx of new "talent" might be their undoing.

The article investigates clues pointing to the admin's real-world identity. It highlights a classic issue: high-volume operations often result in sloppy OPSEC. As they scale, the attack surface for investigators widens significantly.

From a defensive perspective, we've noticed their "GentleKiller" utility is quite distinct. The mass process termination is their hallmark to stop backups and AV. If you're hunting for this, look for suspicious command line arguments involving taskkill or Stop-Process targeting a wide array of security-related executables.

Here's a basic KQL query I'm using to spot potential process termination storms associated with their activity in the Sysmon logs:

Sysmon
| where EventID == 1
| where CommandLine contains "taskkill" or CommandLine contains "Stop-Process"
| summarize count() by ProcessId, CommandLine, bin(TimeGenerated, 1m)
| where count_ > 50

Given the potential doxing of the admin, do you think this group will fracture, or is the affiliate payout structure too lucrative for them to disband?

MF
MFA_Champion_Sasha6/22/2026

The volume of attacks from this group has been overwhelming our SOC. The 90% cut attracts too many low-skill script kiddies who leave massive trails. We've started blocking the specific mutexes often associated with GentleKiller. It's not a silver bullet, but it reduces the noise significantly.

# Detection Logic via PowerShell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=6} | Where-Object {$_.Message -match "GentleMutex"}
DE
DevSecOps_Lin6/22/2026

Interesting take on the OPSEC failure. I ran the suspected admin's wallet address through a basic Python script to check for mixing service interactions. The lack of tumbling is amateurish for a group of this stature. It suggests the core admin might be older or less technically versed in crypto-laundering than the malware devs they hire.

import requests

def check_wallet_mixing(addr):
    # Pseudo-code for checking transaction history
    response = requests.get(f'https://api.chainalysis.com/api/v1/address/{addr}')
    return response.()
VU
Vuln_Hunter_Nina6/24/2026

That 90% cut drives quantity over quality, leading to rookie mistakes in their binaries. Beyond the wallet trails, we're seeing poor compiler hygiene. Unstripped symbols often contain paths or usernames hardcoded during the build process.

You can extract these artifacts quickly from the samples:

strings -n 10 sample.exe | grep -i -E "(C:\\Users|/home|admin|dev)"


If they reused a personal machine for compilation, this might be the "smoking gun" linking the admin to the operation.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/22/2026
Last Active6/24/2026
Replies3
Views90