The Gentleman Ransomware Group Begins Leaking 2GO Group Data; Personal Collection Named as Next Victim
A ransomware group calling itself The Gentleman has started leaking internal files and customer data allegedly belonging to 2GO Group, one of the Philippines’ largest logistics and shipping companies. The incident marks the group’s latest data exposure activity, with a countdown timer already set for another victim: Personal Collection Direct Selling Inc., whose data is expected to be released less than 20 hours from this writing.
The Gentleman’s leak site is accessible through the dark web. Under the section labeled “2GO Group,” the site contains several folders titled part1, part2, part3, and data1, along with an Excel file named “Updated Master Customer.xlsx” (1.2 MB). The file name suggests that customer-related data may be part of the exposed content.
Inside the data1 directory are more than 20 folders labeled with operational terms such as Finance, Retail, Forwarding, EXPRESS, Sales_Interim_CRM, Enterprise, and Infor. Other subfolders — Fedex PUD, QS Monitoring, Seasol_travel_archive, and SCVASI — indicate that the leak could involve logistics coordination, financial monitoring, and internal systems related to shipping operations.
A deeper section labeled EXP_FWD shows additional files, including “COST MONITORING PICs and Process with Links.xlsx” (740 KB) and “cost_accrual_cut_off_dates_August_202X.xlsx” (22.6 KB), alongside subfolders named Finance Cutoff Dimension, Repository of Standardized Template, and PIC Dimension. These materials appear to contain cost-tracking and internal financial process data — suggesting the breach reached deeply into the company’s accounting and management layers. A text file titled “DATA WILL BE UPDATED.txt” was also found in the directory, hinting at ongoing uploads or staged data releases.
Less than a day after the 2GO Group leak appeared, the group added Personal Collection, a well-known direct selling and distribution company in the Philippines, to its list of upcoming victims. The site currently displays a countdown timer indicating that the release of Personal Collection’s data will occur in under 20 hours. Details about the nature or scope of that dataset remain unknown as of this report.
No official statements have been issued by 2GO Group or Personal Collection regarding the alleged breaches. The extent of the compromised systems, ransom demands, and possible negotiations remain unclear.
The incident marks another significant cyberattack on large-scale Filipino enterprises in 2025, continuing a surge in ransomware activity targeting both public and private sectors in the country. Analysts note that the structured and well-organized leak presentation seen on The Gentleman’s portal reflects a professional-grade operation, consistent with known tactics used by major ransomware syndicates that exfiltrate data before encryption or extortion.
The Gentleman’s dark web page remains active at this time, with the 2GO Group leak ongoing and Personal Collection’s data release expected within the next few hours.