Bitvise

German Police Unmask Leader of Notorious Ransomware Gangs REvil and GandCrab

Published 2026-05-02 07:26:55 · Cybersecurity

In a significant breakthrough against cybercrime, German authorities have identified and publicly named the individual allegedly behind two of the most infamous ransomware operations in history. The Federal Criminal Police Office of Germany (Bundeskriminalamt, BKA) revealed that the elusive hacker known by the alias “UNKN” (also written as “UNKNOWN”) is 31-year-old Russian national Daniil Maksimovich Shchukin. According to the BKA, Shchukin served as the mastermind of both the GandCrab and REvil ransomware groups, which together pioneered the double extortion model and caused widespread economic damage across Europe and beyond.

A Brief History of the Ransomware Gangs

GandCrab first emerged in January 2018 as a ransomware-as-a-service (RaaS) affiliate program. It quickly gained notoriety by offering generous profit splits to affiliates who infiltrated corporate networks. The group released five major versions of its malware, each incorporating clever evasion techniques to bypass security software. By the time GandCrab announced its shutdown on May 31, 2019, it claimed to have extorted more than $2 billion from victims worldwide. In a farewell message that became infamous, the operators stated, “We are a living proof that you can do evil and get off scot-free,” and boasted of making “a lifetime of money in one year.”

Image source: krebsonsecurity.com

Shortly after GandCrab’s closure, its successor, REvil (also known as Sodinokibi), appeared on Russian cybercrime forums. The new group was fronted by the same UNKNOWN handle, who deposited $1 million in an escrow account to demonstrate credibility. Many cybersecurity experts immediately recognized REvil as a rebranding of GandCrab, with similar tactics and likely the same leadership. REvil went on to become one of the most feared ransomware strains, targeting major corporations and critical infrastructure.

The Unmasking of UNKN

On [date of advisory], the BKA published an advisory identifying Shchukin as the person behind the UNKN alias. The agency stated that Shchukin, together with another Russian national, 43-year-old Anatoly Sergeevitsch Kravchuk, orchestrated at least two dozen cyberattacks in Germany between 2019 and 2021. These attacks resulted in extortion payments totaling nearly €2 million and caused over €35 million in overall economic damage. The BKA linked Shchukin to at least 130 separate incidents of computer sabotage and extortion within the country.

Shchukin’s name had previously appeared in a February 2023 filing by the U.S. Department of Justice, which sought seizure of cryptocurrency accounts tied to REvil proceeds. The filing indicated that a digital wallet belonging to Shchukin contained more than $317,000 in illicit funds. This international coordination highlights the collaborative efforts of law enforcement agencies to dismantle high-profile cybercrime networks.

Details of the Investigation

The BKA’s advisory described Shchukin as the head of both GandCrab and REvil, emphasizing that the groups were among the largest ransomware operations globally. They are credited with pioneering the “double extortion” technique: exfiltrating sensitive data from a victim’s network before encrypting its systems, demanding payment for a decryption key, and then threatening to publish the stolen data unless an additional ransom was paid. Because the data is already in the attackers’ hands, restoring from backups no longer ends the incident; the leak threat remains, which significantly increased the pressure on victims and drove up ransom amounts.


According to the BKA, Shchukin and Kravchuk personally directed attacks against German companies and institutions. The investigation involved analysis of digital evidence, cryptocurrency tracing, and cooperation with international partners. The naming of Shchukin marks a major step in attributing the anonymous handles that have long frustrated cybersecurity researchers.

The Evolution from GandCrab to REvil

The transition from GandCrab to REvil was seamless, suggesting the same core team. In an interview with former cybercriminal Dmitry Smilyanets, UNKNOWN provided insights into the group’s operations, further cementing the connection. The interview, along with technical analysis of the malware code, confirmed that REvil inherited many of GandCrab’s techniques and infrastructure.

REvil continued the double extortion model and expanded its operations globally. High-profile attacks included the breach of JBS Foods, the world’s largest meat processing company, and the attack on Kaseya, a software firm that affected up to 1,500 downstream businesses. The group demanded ransoms in the millions of dollars, and its activities prompted urgent calls for stronger cybersecurity measures and international law enforcement action.

Conclusion and Implications

The identification of Daniil Maksimovich Shchukin as UNKN represents a victory for global efforts to combat ransomware. While Shchukin and Kravchuk are Russian nationals and likely outside easy reach of Western prosecutors, the exposure strips away the anonymity that cybercriminals rely on, and a public name can limit travel and financial access even where arrest is unlikely. It may also deter others considering similar paths. The case underscores the importance of continued international cooperation, as ransomware remains a persistent threat to businesses, governments, and individuals worldwide.