
German Authorities Unmask Alleged Mastermind Behind GandCrab and REvil Ransomware Gangs

Last updated: 2026-05-07 21:49:22 · Cybersecurity

In a significant breakthrough against cybercrime, German authorities have publicly identified a key figure behind two of the most notorious ransomware operations in recent history: GandCrab and REvil. The individual, previously known only by the online alias "UNKN" or "UNKNOWN," is now named as 31-year-old Russian national Daniil Maksimovich Shchukin. According to the German Federal Criminal Police (Bundeskriminalamt, or BKA), Shchukin is accused of leading both ransomware groups and being directly involved in at least 130 acts of computer sabotage and extortion targeting victims across Germany between 2019 and 2021.

The BKA advisory also named a second Russian, 43-year-old Anatoly Sergeevitsch Kravchuk, as a co-conspirator. Together, the pair allegedly extorted nearly €2 million across more than two dozen attacks, with total economic damage put at over €35 million. The identification of Shchukin is a rare unmasking of a high-level ransomware operator who had long worked behind an alias.

The Identification of UNKN

For years, cybersecurity researchers tracked the activities of an individual using the handle UNKN (or UNKNOWN), who emerged as a prominent figure in the Russian-speaking cybercrime underground. UNKN was believed to be the administrator of the GandCrab ransomware affiliate program and later the founder of REvil. The BKA's announcement on [date] finally put a real name to the alias: Daniil Maksimovich Shchukin.

Source: krebsonsecurity.com

Daniil Maksimovich Shchukin

Shchukin, a 31-year-old Russian, is accused of orchestrating ransomware campaigns that affected numerous organizations worldwide. His name first appeared in a February 2023 filing by the U.S. Justice Department, which sought the seizure of cryptocurrency accounts linked to REvil proceeds. That filing revealed that a digital wallet tied to Shchukin contained over $317,000 in illicit cryptocurrency gains.

The Double Extortion Tactic

GandCrab and REvil are credited with pioneering the double extortion model, a strategy that became a hallmark of modern ransomware. Under this scheme, attackers encrypt a victim's data and demand a ransom for the decryption key. Before encrypting, however, they also exfiltrate sensitive information and threaten to publish it online unless an additional payment is made. This removes the victim's main defence: restoring from backups recovers the systems but does nothing about the stolen data, so the threat of a leak, with its reputational damage and regulatory penalties, keeps the pressure on even a well-prepared organization to pay.

The GandCrab Era

The GandCrab ransomware affiliate program first surfaced in January 2018. It operated as a ransomware-as-a-service (RaaS) model: the core group developed and maintained the malware and the payment infrastructure, while hackers known as affiliates used it against targets in exchange for a share of the profits. Affiliates would breach corporate networks, steal data, and deploy GandCrab. The malware's developers released five major versions, each adding stealth features and evasion techniques intended to bypass security software.

By May 2019, GandCrab claimed to have extorted over $2 billion from victims worldwide. In a farewell message, the group audaciously stated: "We are a living proof that you can do evil and get off scot-free… We have proved that one can make a lifetime of money in one year." Despite this bravado, many experts suspected the group was not disbanding but rather rebranding.


The Rise of REvil

Coinciding with GandCrab's announced shutdown, a new ransomware operation called REvil (also known as Sodinokibi) appeared. The individual behind the REvil affiliate program, using the handle UNKNOWN, posted on a Russian cybercrime forum that he had deposited $1 million in escrow to demonstrate credibility. This move signaled that the new group was well-funded and serious. Cybersecurity researchers quickly noted significant overlaps between GandCrab and REvil, including code similarities and operational tactics, leading to the conclusion that REvil was essentially a rebranded version of its predecessor.

UNKNOWN also gave a rare interview to Dmitry Smilyanets, a former hacker turned security researcher, further cementing his profile. Under Shchukin's alleged leadership, REvil executed high-profile attacks, including the 2021 assault on meat processing giant JBS and the compromise of Kaseya, a software provider used by thousands of businesses worldwide. These attacks demanded ransoms in the tens of millions of dollars.

The BKA's identification of Shchukin and Kravchuk is part of a broader international effort to dismantle ransomware networks. In addition to the German charges, Shchukin faces scrutiny from U.S. authorities, as evidenced by the 2023 seizure filing. The cryptocurrency wallet linked to him contained over $317,000, a small fraction of the proceeds attributed to the two operations.

German prosecutors allege that between 2019 and 2021, Shchukin and Kravchuk carried out at least 130 acts of computer sabotage and extortion. The €35 million figure covers only the direct economic damage; the broader impact on affected businesses, including downtime, recovery effort and reputational harm, likely far exceeds it.

Conclusion

The unmasking of Daniil Maksimovich Shchukin as the alleged head of GandCrab and REvil represents a significant step in holding ransomware kingpins accountable. While the identities of many cybercriminals remain hidden, international law enforcement collaboration has shown that even the most elusive operators can be brought into the light. As legal proceedings continue, the case serves as a warning that the anonymity of the dark web is not absolute.