On May 2, 2026, the hosting provider 4VPS publicly disclosed that it had suffered a security incident affecting its public-facing website and customer billing systems. Two days later, on May 4, the backend database of The Gentlemen, a ransomware group ranked second-most-active globally in 2026 with more than 300 publicly named victims, was offered for sale on a cybercrime forum. By May 8, the full dataset was available for free. Security researchers, including Check Point Research, attribute the leak to the 4VPS incident, on the working inference that the criminal operation had been hosting its infrastructure at 4VPS. The Gentlemen subsequently acknowledged on underground forums that part of their infrastructure was indeed hosted at 4VPS.

The sequence reverses the standard attack pattern of the past several years. Ransomware groups have built much of their operational reach by compromising hosting providers, managed service providers, and software vendors to reach downstream victims. The 4VPS incident turned that logic around: a ransomware operation was reached through an attack on its own hosting provider, and its internal data was exposed to the security research community its victims rely on.

What the Leaked Database Contained

The dataset that became publicly available by May 8 was substantial. According to Check Point Research, which obtained and analyzed a portion of the material, the leak included:

  • Approximately 8,200 lines of internal chat communications across four channels: INFO, general, TOOLS, and PODBOR
  • Images of infected victim systems
  • Bitcoin wallet addresses used for internal fund transfers and equipment purchases
  • Ransom negotiation transcripts and operational documentation

The operational picture that emerges from the data is detailed. The Gentlemen operates as a ransomware-as-a-service group, with approximately 9 named operators and a network of affiliates conducting deployments. The group’s administrator, identified in the communications under the handles zeta88 and hastalamuerte, participates directly in attacks rather than operating purely as a platform manager. The affiliate revenue split offered by the group is 90 percent for affiliates and 10 percent for the operator, with data-only extortion deals carrying a 97 percent affiliate share. The industry standard affiliate share for comparable arrangements is 80 percent. The communications also reference the use of AI coding tools, including DeepSeek and Qwen, to accelerate development of attack tooling.

Who the Leak Directly Affects

For organizations that have been targeted by The Gentlemen, the leak has practical consequences in both directions:

  • Companies that paid a ransom expecting the transaction to remain confidential no longer have that assurance. The negotiation transcripts and payment records are now in circulation among security researchers.
  • Companies that declined to pay or are still in negotiation may find their presence in the data surfacing through security research channels before they have made any public disclosure.
  • Organizations that suffered encryption and could not or did not pay should make contact with the security research community. The leaked database may contain decryption-relevant material, including keys or tooling information.

The more significant business risk surfaced in the communications involves downstream targeting. Check Point Research identified a specific sequence in the leaked data in which a UK consulting firm’s breach was used to reach that firm’s Turkish client. The attackers explicitly described the UK firm as their access broker for the Turkish engagement. This is not an edge case: ransomware groups routinely mine compromised organizations’ data for client lists, supplier contacts, and partner access credentials, then use that material to select and reach the next target. For any company operating in a sector where a known supplier, legal adviser, accountant, or technology partner has been hit by The Gentlemen, the leaked data raises the probability that the attacker holds intelligence relevant to reaching them.

When the Host Is the Threat Vector

4VPS is a Russian hosting provider operating since 2017. Its customer base, as documented by security researchers tracking criminal infrastructure prior to the May 2 incident, included cybercrime forums, ransomware operations, and related services alongside conventional customers. The Dark Web Informer, a threat intelligence account tracking criminal infrastructure, described the company on May 2 as “allegedly exit-scamming”, suggesting the company’s collapse may not have been a straightforward security incident but a deliberate shutdown under pressure.

For legitimate businesses that hosted workloads at 4VPS, the immediate consequences are:

  • Loss of infrastructure with no indication of an orderly migration path
  • Potential exposure of billing data, a category the company acknowledged was affected, with no public confirmation of whether it has been accessed or sold
  • No clear communication from the company on next steps for affected customers

The broader question the 4VPS incident raises applies beyond this provider. Any hosting company that knowingly or unknowingly carries a significant proportion of criminal infrastructure in its customer base operates in a higher-threat environment than one with a conventional mix. The same infrastructure, network, and support systems serve all customers. A provider that is a target for rival criminal groups, law enforcement operations, or researchers exposing criminal activity presents a different risk profile to its legitimate customers than one that is not. The 4VPS incident is a concrete illustration of what that elevated risk looks like when it materializes.