On May 14, 2026, an actor using the handle hyflock123 opened a recruitment thread on the Duty-Free forum to launch a ransomware-as-a-service (RaaS) program called Hyflock, claiming prior work for both LockBit and Qilin. The following day, hastalamuerte, the founder and administrator of The Gentlemen RaaS, ran a recruitment campaign on BreachForums offering a 90% affiliate share; the forum officially announced the partnership on May 16, 2026. Both surfaced during a quarter that recorded 2,122 leak-site victims, the second-highest first-quarter figure on record.
- Operators claiming former LockBit and Qilin experience are launching independent RaaS programs (Hyflock, The Gentlemen). The lineage claim is self-reported, with hyflock123 writing “we have previously worked for LockBit and Qilin for some time,” and we cannot corroborate it. If accurate, we assess with moderate confidence that those operators carry their tradecraft into the new brands, shortening the runway from launch to operational capability.
- The Gentlemen RaaS scaled fast, rising from 40 victims in Q4 2025 to 166 in Q1 2026 (third place globally per a Duty-Free analytical report), and secured an official BreachForums partnership to recruit affiliates at a 90% revenue share. We hold this with high confidence: both the forum figures and Check Point’s external tracking agree that The Gentlemen expanded influence in the quarter.
- The ecosystem is reconsolidating around fewer, more capable operators after a fragmented stretch, with the top 10 groups accounting for 71% of all Q1 2026 victims. We assess this with moderate confidence.
- New entrants are competing on affiliate experience: integrated negotiation panels, AI-based data analysis, faster encryption, GPO-based spreading, and red-team support. The combined effect lowers the skill barrier for an effective attack. Moderate confidence.
- LockBit 5.0 logged 163 victims in Q1 2026, so the brand is still moving, but its own alumni programs may end up poaching the affiliate base it depends on. We hold the cannibalization read with low confidence.
LockBit’s Disruption Seeded New Competitors
Operation Cronos seized LockBit’s infrastructure in February 2024. Two years on, the people who ran that machine are setting up shop under new names. An actor describing itself as a former LockBit and Qilin operator, posting under the handle hyflock123, opened a recruitment thread on the Duty-Free forum on May 14, 2026, launching a RaaS program called Hyflock. The day after, on May 15, 2026, hastalamuerte, founder and administrator of The Gentlemen RaaS, ran a recruitment campaign for the program on BreachForums, and the forum officially announced the partnership on May 16, 2026. Both arrived during a quarter when over 70 active data leak sites listed 2,122 new victims, a figure 117% above Q1 2024’s 977 (Check Point via Industrial Cyber).
The Gentlemen’s primary lineage runs through Qilin, not LockBit. Per Check Point, the group was founded by hastalamuerte, an experienced Qilin affiliate who left Qilin following a $48,000 payment dispute and who previously operated as the ArmCorp affiliate crew. hastalamuerte also carries prior experience with LockBit, Embargo, and Medusa, but the documented split is from Qilin. A lineage claim only matters if the lineage was significant, and LockBit’s was. The U.S. Department of Justice charged the group with targeting over 2,500 victims and collecting more than $500 million in ransom payments. Law enforcement unmasked and sanctioned alleged leader Dmitry Khoroshev in May 2024 (National Crime Agency), and an unknown actor breached LockBit’s affiliate panel in May 2025 (Trellix). The affiliates were always independent contractors, and contractors move on rather than vanish.
“We have previously worked for LockBit and Qilin for some time,” hyflock123 wrote in the launch thread, adding deferentially that “they are both excellent organizations and worthy predecessors for all RaaS to learn from” (View on Flare). The claim is self-reported, and we cannot corroborate it. What it does flag is the destination for institutional knowledge after a server seizure: how to run encryption infrastructure, how to negotiate a payment, how to manage a roster of affiliates. That knowledge is now being repackaged into competing products. Forum post dates throughout this report are drawn from Flare’s dark-web monitoring and cannot be independently verified against clear-web sources, though they are consistent with the known timeline of events.
The Gentlemen RaaS Scaled to 166 Victims in One Quarter with a 90% Affiliate Share
The Gentlemen RaaS grew from 40 victims in Q4 2025 to 166 in Q1 2026, a 315% increase, to become the third-largest ransomware operation globally, and it did so with an official BreachForums partnership that wires it straight into the forum’s affiliate and access-broker community. The recruitment thread, posted by hastalamuerte on May 15, 2026, leads with economics, welcoming “teams, individual pentesters, and access brokers to join our affiliate program.”
LockBit gave affiliates 80% and kept 20% for the operator (DOJ indictment via Flashpoint). The Gentlemen undercuts that by ten points and throws in full negotiation control: each build “automatically generates a ransom note on the victim’s machine with your contact details,” and if the victim contacts the operator’s main Tox account it is “automatically forwarded to you.” On a ransom demand averaging over $1.5 million (Xact Cybersecurity), those ten points are real money to a skilled pentester deciding which program to sign with. The thread describes a Go-based cross-platform locker for Windows, Linux, NAS, and BSD using XChaCha20 and Curve25519 with a unique ephemeral key per file, three speed modes (--fast at 9%, --superfast at 3%, --ultrafast at 1%), and execution that “can run as a regular user (no admin rights required).” A separate 32 KB ESXi locker is written in C. Affiliate onboarding carries a hard filter: builder access requires either data from a prepared target or a $1,500 deposit “to filter out researchers and law enforcement,” and “work in Russia and CIS countries is strictly prohibited.”
“We are proud to announce that The Gentlemen are becoming official partners of BreachForums,” forum representative diencracked wrote on May 16, 2026, describing the program as “one of the most advanced Ransomware-as-a-Service operations in history” and “actively looking for skilled affiliates, teams, individual pentesters, and access brokers” (View on Flare). The timing is not incidental. The FBI seized the RAMP forum on January 28, 2026, the same forum where LockBit had announced version 5.0. That left BreachForums as the place where access brokers selling RDP and VPN footholds now sit a click away from the RaaS that will weaponize them.
An analytical report posted to Duty-Free on May 18, 2026 by the handle lisa99 (translated from Russian) calls The Gentlemen “the breakout story of Q1 2026,” putting it in third place globally and tracking its growth from 40 victims in Q4 2025 to 166 in Q1 2026 (View on Flare). Check Point’s external tracking lists The Gentlemen alongside Qilin and LockBit among the groups expanding influence in the quarter, which gives the forum figures outside support.
Hyflock Claims 2x LockBit Speed and an Integrated Access-Broker Marketplace
Hyflock’s pitch centers on experience. The cheaper cut is secondary. The launch thread by hyflock123 advertises an all-in-one panel (themed, the actor notes, after Cyberpunk 2077) that folds together initial-access purchases, automated negotiation rooms, automated revenue sharing, and AI-driven victim analysis, plus a dedicated red team to back affiliates during intrusions (“if all you have is access … our team can assist you in solving them”). Hyflock’s existence and its claimed features rest entirely on this forum post and cannot be independently verified beyond it. The encryption pitch benchmarks against the operator’s claimed former employer.
The “fastest encryptor in the world” line is marketing copy with no independent benchmark behind it, and it deserves no more weight than that, though the actor claims its AES-NI routine is “hand-optimized in assembly” and offers to let affiliates “test the exact speed yourself.” On economics, Hyflock advertises a sliding operator cut: 20% on the first job, 15% on the second, then “stable at this rate,” with room to “discuss the ratio again” for special targets. The AI-based data analysis is the part worth attention. If operators are parsing exfiltrated revenue and tax records to set ransom demands (hyflock123 explicitly pitches analysis of “financial tax evasion, marketing budgets … stock trends”), incident responders should assume full data exfiltration even when encryption is contained, and should read the demand figure as a sign the attacker has already gone through the victim’s books.
Hyflock backed the pitch with operational detail, posting panel screenshots of the affiliate management interface and access-broker “square” where affiliates can “purchase initial access” (View on Flare) and a QTox contact for recruitment (handle 37BC1EC8D8EEE7ECEA44A953855DAC628DF0920CE41EE4164006BDC95ADEBA5738C870A23686) with the instruction “tell me which forum you find me” (View on Flare). The marketplace is the structural change here. An affiliate used to shop separately for network access. The panel offers purchase, negotiation, and deployment in one interface, with an auto-generated negotiation room spun up for each encryptor build. Median time from intrusion to ransomware execution has dropped sharply in recent years, and bundling the supply chain into a single panel will keep pushing that number down. One caveat on Hyflock itself: the account is a recent arrival with only a handful of posts confined to Duty-Free, so the LockBit and Qilin lineage rests entirely on its own word.
Q1 2026 Victim Data Confirms Consolidation Around Fewer, Larger Operators
The top 10 ransomware groups accounted for 71% of the 2,122 Q1 2026 victims, “sharply contrasting with the fragmentation observed in Q3 2025,” per the analytical report. A market that splits this way rewards scale. The report from lisa99 lays out the rankings.
This is a single source from a Tier 4 forum (originally Russian-language), so it would carry little weight on its own. Its core figures hold up against external tracking, though. Check Point recorded LockBit 5.0 rebounding 106% from 79 victims to 163 in Q1 2026, fourth among the most active operators (Industrial Cyber), matching lisa99’s count of 163 and fourth place exactly. Qilin, with 338 victims, led the quarter for the third consecutive period. The report also notes that the 7.1% apparent year-over-year decline from Q1 2025 is misleading: Q1 2025 was inflated by Cl0p’s mass Cleo exploitation (~390 victims in one burst), and excluding Cl0p from both periods turns the comparison into a 5.3% increase. None of this means the market is full. GuidePoint tracked more than 7,500 unique victim organizations on leak sites in 2025, up 58% from 2024 (GuidePoint via Axis Intelligence). A well-resourced spinoff like The Gentlemen can grab share fast without having to knock the incumbents off the board.
Defender Outlook: Faster Encryption and Lower Barriers Demand Earlier Detection
Expect more brands through 2026 as alumni operators chase the same finite pool of skilled affiliates. We assess with moderate confidence that within two to three quarters, one or two of these entrants will consolidate a dominant position the way Qilin did. The 90% share The Gentlemen offers sets a floor that newer programs will be pressured to match. Hyflock already starts at an 80% affiliate share that rises to 85% by the second job, and each step down on the operator’s cut makes ransomware a more attractive move for a capable pentester. Worth keeping in front of the recruitment story: Verizon’s 2025 DBIR found 54% of ransomware victims had domain credentials surface in stealer log marketplaces before the attack.
The Gentlemen’s locker runs without administrator rights and ships an --ultrafast mode that touches only 1% of each file, so the priority is alerting on rapid partial-write patterns across many files from non-elevated processes, since privileged contexts are no longer the only source. Its “silent mode” (which “does not change file names or modification dates” and drops notes only into domain and local admin folders with no wallpaper change) is built to defeat naive file-rename detection, so behavioral monitoring should not lean on extension or filename changes alone. Both lockers reach Linux, NAS, BSD, and ESXi hosts (the latter via a 32 KB C binary with cluster-aware race-condition handling) that frequently run without EDR coverage. Get behavioral monitoring onto those systems first, because that is where these payloads will land with the least resistance. Note too that verified Gentlemen partners are offered EDR killers and a custom multichain pivot, so assume defensive tooling may be targeted directly.
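One way to express the partial-write alert described above, as an added example that is not Flare's code or any vendor's: it scans file-write telemetry and flags a process that overwrites a small fraction of many distinct files inside a short window, without filtering on elevation, file names or extensions. The event fields, thresholds, host and process names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed thresholds, not from the report; tune against your own telemetry.
WINDOW_SECONDS = 10      # sliding window length
MIN_DISTINCT_FILES = 20  # distinct files partially overwritten inside one window
MAX_WRITE_RATIO = 0.10   # bytes written / file size; covers the 9%, 3% and 1% modes


def find_partial_write_bursts(events):
    """Return {(host, pid, image): peak distinct files per window} for suspects.
    Event fields are hypothetical: ts, host, pid, image, elevated, path,
    bytes_written, file_size. Elevation and file names are not used as filters:
    the locker runs unprivileged and silent mode leaves names and dates alone.
    """
    per_proc = defaultdict(list)
    for ev in events:
        size, written = ev["file_size"], ev["bytes_written"]
        if size > 0 and 0 < written / size <= MAX_WRITE_RATIO:
            per_proc[(ev["host"], ev["pid"], ev["image"])].append((ev["ts"], ev["path"]))
    alerts = {}
    for proc, writes in per_proc.items():
        writes.sort()
        start, peak, in_window = 0, 0, defaultdict(int)
        for ts, path in writes:
            in_window[path] += 1
            while ts - writes[start][0] > WINDOW_SECONDS:  # slide the left edge forward
                old = writes[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= MIN_DISTINCT_FILES:
            alerts[proc] = peak
    return alerts


def constructed_events():
    """Constructed sample telemetry for one host, not real logs."""
    def ev(ts, pid, image, elevated, path, written, size):
        return dict(ts=ts, host="fs01", pid=pid, image=image, elevated=elevated,
                    path=path, bytes_written=written, file_size=size)
    evs = []
    for i in range(40):
        # Per i: unprivileged 1% rewrite (40 files in 4 s, names unchanged),
        # whole-file backup write (one per minute), small page write into one DB file.
        evs.append(ev(100 + i * 0.1, 4312, "svc_update", False, f"/srv/docs/r{i}.xlsx", 10_000, 1_000_000))
        evs.append(ev(100 + i * 60, 900, "backup_agent", True, f"/backup/v{i}.bak", 1_000_000, 1_000_000))
        evs.append(ev(100 + i * 0.1, 77, "dbengine", False, "/data/main.db", 8_192, 50_000_000))
    return evs
```

Only the unprivileged burst is returned: the backup job writes whole files and the database touches a single path, so neither reaches the distinct-file threshold.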
Hyflock advertises GPO deployment and active cloud-backup file encryption, which makes Group Policy modification logs and the isolation of cloud backup credentials from domain admin paths a near-term audit job. The Gentlemen separately advertises domain-wide GPO spreading with proper triggers, so this is not a single-vendor quirk. The BreachForums partnership turns credential exposure on that forum into an early-warning signal, so monitoring for company-specific access listings (RDP, VPN, Citrix) there is a concrete collection requirement tied directly to this threat. And given the AI-driven analysis of exfiltrated financial data Hyflock is selling, treat any contained-encryption incident as a full data theft anyway, and rotate every credential a compromised account could reach before you start recovery.
Flare monitors ransomware affiliate recruitment, leak-site victim activity, and access-broker deals across dark web forums and Telegram channels in real time. To see how your organization appears in this data, visit flare.io.





