TheGentlemen ransomware operation posted 20 new victims to its dark web leak site on June 15, 2026 — its most geographically diverse single-day batch to date. The victims span 14 countries and include Croatia’s national Ministry of Health, Denmark’s Nationalmuseet, healthcare providers in the United States and Canada, a major Polish business university, and commercial organizations across South America, Asia, Europe, and Australia. TheGentlemen operates under a double-extortion model: files are encrypted on victim systems while data is simultaneously exfiltrated and threatened for publication.
Croatia’s Health Ministry and Denmark’s Nationalmuseet Among TheGentlemen’s Highest-Profile Victims
The most operationally significant victims in the latest batch are national government and cultural institutions. Ministarstvo zdravstva Republike Hrvatske — Croatia’s national Ministry of Health — is the government body responsible for Croatia’s health system, hospital infrastructure, pharmaceutical procurement, and health data for Croatia’s population. A breach of Ministry systems creates exposure across patient records, administrative databases, staff information, health policy communications, and procurement records.
Denmark’s Nationalmuseet, the country’s national museum, holds digitized historical collections, archaeological data, donor records, and the internal administrative records of a major state cultural institution. These materials are difficult or impossible to replace and carry public significance beyond their institutional value.
Other notable victims include Kozminski University in Poland, South Texas Spinal Clinic and Maine Oxy in the United States, Centre Medical Crowley in Canada, Mackay Sugar in Australia, Fecovita in Argentina, and additional commercial targets across Chile, Thailand, Belgium, Germany, Italy, Singapore, and France. The complete batch listed on TheGentlemen’s dark web site on June 15 also includes Enciso Ltda, Executive Coach, Cole Manufacturing, Mahajak Development, Calipage Humblet, Linnecken Partner, Traublinger, Buratti, Times Software, and Constructions Piraino.
What Double Extortion Means for Croatia’s Ministry of Health: Encryption Plus a Publication Clock
TheGentlemen’s double-extortion model creates two simultaneous and separate crises for a victim like Croatia’s Ministry of Health. The encryption component disrupts operations immediately — locking staff out of systems and forcing manual workflows across the Ministry’s administrative functions. Restoring from backup addresses the encryption. It does not address the exfiltration.
The data publication threat is a distinct, longer-duration problem that persists even after systems are restored. If Croatia’s Ministry of Health declines to pay and TheGentlemen publishes the exfiltrated data, health records, administrative files, and staff information could appear publicly accessible on the group’s dark web leak site. For a national government institution, that event triggers breach notification obligations, public accountability, and direct harm to citizens whose data was stored in Ministry systems. Recovery from backup stops the operational disruption; it does not stop the countdown to publication.
The same dynamic applies to Denmark’s Nationalmuseet: ransomware encryption is a recoverable technical problem. The permanent loss of control over digitized historical records, collection inventories, and donor data through publication is not.
TheGentlemen’s 14-Country Victim Spread as a Deliberate Law Enforcement Fragmentation Strategy
A law enforcement response to any individual ransomware victim requires national authorities to open an investigation, request assistance from international partners, navigate mutual legal assistance treaty requirements, and coordinate across multiple jurisdictions before any joint investigation can formally begin. That process takes weeks at a minimum. TheGentlemen’s pressure timeline on victims runs in days.
By posting 20 victims across 14 countries simultaneously, TheGentlemen ensures that no single national law enforcement agency can mount a coordinated response before initial ransom deadlines expire. Croatia’s law enforcement responds to the Ministry of Health incident; Denmark’s to the Nationalmuseet; the United States to its domestic victims. Each national response proceeds in parallel without the coordination that might make a collective defensive or investigative posture possible within the relevant window.
Volume-Based Targeting Across Sectors Defines TheGentlemen’s Operational Model
Prior posting waves from TheGentlemen covered different victims across different countries in preceding weeks. The June 15 batch is a distinct wave with 20 new victims, none of whom appeared in earlier postings. The pattern across all batches is consistent: rapid, multi-country, multi-sector targeting with no apparent preference for high-value single targets over volume.
A healthcare ministry, a national museum, a university, an agricultural cooperative, a medical clinic, and an industrial gases company hit in the same batch reflects an extortion business model premised on volume: with 20 simultaneous victims across 14 jurisdictions, even a partial payment rate across the batch produces significant revenue. No sector and no country appears to fall outside TheGentlemen’s target scope, and the group’s acceleration in batch size from twelve victims in its prior posting to twenty in the current one suggests an expanding operational capacity.
