BreachForums is openly promoting an official partnership with The Gentlemen ransomware as a service operation.
The owner of BreachForums known as "diencracked" posted the official announcement declaring The Gentlemen as an approved partner, complete with the groups logo of a man in a top hat and clear promotional highlights.
The partnership grants the ransomware group advertising space and infrastructure support while actively recruiting skilled affiliates, penetration testers, and initial access brokers. Key incentives include a generous 90% revenue share for affiliates, full control over ransom negotiations by the affiliate, and cross platform support targeting Windows, Linux, and ESXi environments.
Additional features mentioned are a dedicated locker and unlocker plus a specialized ESXi locker, all designed to make the operation more appealing and efficient for participants.
The news show a notable update to the underground world of cybercrime
The Gentlemen ransomware group first appeared in mid 2025 and quickly built a reputation for rapid growth, claiming hundreds of victims worldwide by early 2026.
It offers affiliates strong technical tools and a business friendly model that emphasizes high payouts and operational autonomy.
Just weeks before the partnership reveal, the group endured an embarrassing internal data breach around May 4 when its Rocket backend database was leaked and offered for sale on forums. Despite that setback, The Gentlemen recovered quickly and used the new alliance to signal stability and expand its reach.
Researchers from ZeroFox, Check Point, and others have since documented the move, noting that the group even began displaying a BreachForums banner on its own dark web leak site as public proof of the tie up.
BreachForums itself has a long and turbulent history of seizures, relaunches, and internal power struggles.
Law enforcement has taken it down multiple times in past years, and the forum suffered major user data leaks in January and March 2026 that exposed hundreds of thousands of accounts.
It's worth noting that operators like ShinyHunters have publicly claimed that many current versions are unauthorized clones, adding to the confusion. But a functional iteration remains active on domains such as breached.st, including the subdomain thegentlemen.breached.st where the partnership page, still live.
BreachForums appears to be publicly promoting an official partnership with “The Gentlemen” ransomware operation, signaling yet another example of how cybercrime ecosystems continue evolving into highly organized business structures.
According to the announcement, the… pic.twitter.com/uKES6kY06Q— Dark Web Intelligence (@DailyDarkWeb) May 21, 2026
But what makes this development significant is how it illustrates the professionalization of cybercrime.
Underground forums are evolving beyond simple data marketplaces into full scale recruitment hubs and partnership platforms that resemble legitimate SaaS ecosystems.
The partnership signals that ransomware operators now compete aggressively for top talent by advertising polished programs, modular services, and clear revenue splits. Initial access brokers, affiliates, and technical specialists operate in a modular chain where each handles a specialized piece of the attack from credential theft to extortion negotiations.
This shift allows faster scaling and higher success rates against enterprises, especially those relying on virtualized infrastructure like ESXi servers where a single compromise can disrupt entire operations.
Public threat intelligence reports provide the clearest windows into these announcements since the actual forum sits on the dark web and is not accessible through standard browsers.
While the ecosystem remains unstable and subject to further takedowns or infighting, this alliance underscores a broader trend toward organized, business like criminal networks that treat ransomware as a scalable service rather than isolated hacks.
In the end, the story serves as a reminder that cyber threats continue to mature at a rapid pace.
What once looked like chaotic hacker collectives now operates with recruitment drives, revenue models, and public partnerships.
It's worth noting that a day before his, diencracked was inteviewed and in it, his cover BreachForums operations, his partnership with TeamPCP, ransomware alliances, the Shai Hulud supply-chain malware campaign, operational security, and future plans for the forum (including escrow services and welcoming more ransomware groups).