TheGentlemen RaaS lists Czech University of Finance and Administration (VSFS) and Swiss DEVO-Tech AG on leak site

campaign · item:thegentlemen-raas-czech-university-finance-administration-de

Coverage timeline

first 2026-05-20 → last 2026-05-20

Briefs

1 distinct

Sources cited

1 hosts

Sections touched

updates

Co-occurring entities

see Related entities below

Story timeline

2026-05-20CTI Daily Brief — 2026-05-20
updatesUPDATE on 2026-05-14 backend leak coverage: new EU higher-education + Swiss SMB engineering victims listed (not confirmed); TTPs unchanged

Where this entity is cited

updates1

Source distribution

dexpose.io2 (100%)

Related entities

The Gentlemen — RaaS surged Q1 2026 (192 attacks, 588% QoQ); 32% of victims European; FortiGate CVE-2024-55591 initial-access funnel
actoractor:TheGentlemen×1
UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC (cldflt.sys CfAbortHydration, claimed CVE-2020-17103 regression on fully patched Win11)
campaignitem:windows-zero-day-proliferation-yellowkey-greenplasma-minipla×1
UPDATE: Grafana Labs CoinbaseCartel — victim confirms source-code-only theft via Pwn-Request, no customer data, ransom rejected on FBI guidance
incidentitem:grafana-labs-coinbasecartel-pwn-request-github-actions-breac×1
UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm
campaignitem:teampcp-shai-hulud-copycat-wave-ox-security-checkmarx-pcpja×1

All cited sources (2)

Items in briefs about TheGentlemen RaaS lists Czech University of Finance and Administration (VSFS) and Swiss DEVO-Tech AG on leak site (1)

UPDATE: TheGentlemen RaaS lists Czech university and Swiss engineering firm on leak site

From CTI Daily Brief — 2026-05-20 · published 2026-05-20 · view item permalink →

UPDATE (originally covered 2026-05-14 backend database leak analysis): The TheGentlemen RaaS group's leak site listed two new European victims this week: University of Finance and Administration (VSFS, vsfs.cz) in the Czech Republic on 2026-05-19 and Swiss engineering firm DEVO-Tech AG (devo-tech.ch, Ziefen / BL) on 2026-05-18. The DeXpose write-ups are aggregator coverage of the leak-site listings themselves; neither victim has publicly confirmed the breach as of this brief. TTPs, infrastructure, and the Go-based locker remain unchanged from the Check Point Research deep coverage of 2026-05-14 — the new data point is geographic spread continuing into EU higher education and Swiss SMB engineering.

Higher-education and public-sector defenders in the DACH region should confirm offline-backup integrity and revisit SD-WAN / VPN gateway patch posture (the primary initial-access vectors documented for TheGentlemen in prior reporting). Listings are not victim confirmation; both organisations were listed by TheGentlemen and not confirmed by the victims themselves.