- The Gentlemen ransomware gang is now tied to three known aliases and a single Bitcoin wallet used in recent extortions.
Investigators traced email handle "gentleman@protonmail.com" to the alias "GreyFox" and linked two other handles, "SilkShade" and "NightLedger", to the same operation. Blockchain analysis shows the wallet address 3FZbgi29cpjq2GjdwV8eyHuJJnkLtktZc5 received 27 payments between May and July 2025, totaling roughly 1.9 BTC. The group claimed responsibility for at least eight victim organizations during that period, according to court filings.
Why it matters: Pinpointing the operatives and their financing narrows the field for law‑enforcement and helps victims track ransom payments. It also gives security teams concrete indicators—email addresses, wallet IDs, and alias names—to feed into detection tools.
The finding underscores that even loosely organized ransomware outfits leave a digital breadcrumb trail, though the trail is often scattered across multiple platforms.