Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 11:02:39
Introduction
In a significant breakthrough against international cybercrime, German law enforcement has publicly identified the individual behind the notorious online alias "UNKN" or "UNKNOWN." For years, this figure operated in the shadows, directing two of the most destructive ransomware operations in history: GandCrab and REvil. Now, authorities have provided both a name and a face to this elusive hacker, marking a major step in holding cybercriminals accountable.

The Unmasking of UNKN
The German Federal Criminal Police, known as the Bundeskriminalamt (BKA), released an advisory naming Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the mastermind behind the UNKN persona. According to the BKA, Shchukin led both GandCrab and REvil, orchestrating at least 130 acts of computer sabotage and extortion across Germany between 2019 and 2021. The advisory also named Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, as a co-conspirator. Together, they extorted nearly €2 million from victims in 24 separate cyberattacks, causing total economic damages exceeding €35 million.
The Dual Threat: GandCrab and REvil
GandCrab: The Pioneer
The GandCrab ransomware affiliate program first emerged in January 2018. It quickly gained notoriety for its innovative affiliate model, which rewarded hackers with a large share of profits simply for breaching corporate networks. Once inside, the GandCrab team would escalate access, often stealing vast quantities of sensitive documents and internal data. The malware underwent five major revisions, each adding stealthy features and bug fixes designed to evade detection by cybersecurity firms. By the time the group announced its shutdown on May 31, 2019, it had extorted over $2 billion from victims worldwide. In its farewell message, the group famously boasted: "We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year."
REvil: The Successor
Almost immediately after GandCrab's demise, a new ransomware operation called REvil appeared on the scene. Fronted by the user UNKNOWN, the group announced its arrival on a Russian cybercrime forum by depositing $1 million in the forum's escrow account to demonstrate credibility. Many cybersecurity experts quickly recognized REvil as a rebranded version of GandCrab, given the overlapping tactics and personnel. The group continued the legacy of devastating attacks, targeting major corporations and demanding hefty ransoms.
Double Extortion and Financial Impact
Both GandCrab and REvil pioneered the now-common double extortion technique. Victims were charged once for a decryption key to unlock their encrypted systems, and a second time in exchange for a promise not to publish the data stolen before encryption. This strategy amplified the pressure on organizations, as the threat of a data leak added reputational and regulatory risk to operational disruption, and a restored backup no longer removed the attacker's leverage. The BKA's investigation revealed that Shchukin and Kravchuk's operations caused immense financial harm, with the €35 million in damages reflecting only a portion of the global impact.

The Investigation and Legal Consequences
The identification of Shchukin was not an isolated effort. In February 2023, the U.S. Department of Justice filed a seizure petition targeting cryptocurrency accounts linked to REvil proceeds. Court documents revealed that a digital wallet tied to Shchukin contained over $317,000 in illicit cryptocurrency. This international cooperation between German and U.S. authorities underscores the growing commitment to dismantling ransomware networks. The BKA's detailed advisory not only names the suspects but also outlines their methods, providing critical intelligence for future investigations.
Furthermore, UNKNOWN (Shchukin) once gave an interview to Dmitry Smilyanets, a former cybercriminal turned security researcher, offering rare insights into the mindset of a ransomware leader. Such interactions have helped investigators piece together the hierarchy and motivations of these gangs.
The Legacy of a Cybercrime Empire
The exposure of Shchukin represents a symbolic victory in the fight against ransomware. However, the full extent of the damage caused by GandCrab and REvil is staggering. Beyond the billions extorted, these groups set a blueprint for modern cyber extortion, inspiring countless copycat operations. The BKA's actions send a clear message that even the most careful criminals can eventually be identified and held accountable. As law enforcement agencies worldwide continue to share intelligence and resources, the hope is that such unmaskings will deter future cybercriminals and protect potential victims.
Conclusion
The identification of Daniil Maksimovich Shchukin as UNKN marks a milestone in ransomware investigations. It highlights the power of cross-border cooperation and persistent forensic analysis. While the financial and reputational scars left by these gangs remain, the naming of the perpetrator brings some measure of justice. For the cybersecurity community, it is a reminder that no hacker can hide forever behind a screen name.