German Authorities Unmask Mastermind Behind REvil and GandCrab Ransomware Gangs
Introduction
In a significant breakthrough against international cybercrime, German law enforcement has revealed the identity of one of the most elusive figures in the ransomware underworld. The individual known by the aliases “UNKN” or “UNKNOWN,” who ran the GandCrab and REvil ransomware operations, has been named as Daniil Maksimovich Shchukin, a 31-year-old Russian national. The announcement came from Germany’s Federal Criminal Police Office (Bundeskriminalamt, or BKA) and puts a name to an operator who had long hidden behind a pseudonym.

The Revelation: UNKN Identified as Daniil Shchukin
The BKA’s advisory linked Shchukin to at least 130 counts of computer sabotage and extortion affecting victims across Germany between 2019 and 2021. Authorities also named Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, as a co-conspirator. Together, the two are said to have extorted nearly €2 million across two dozen attacks, with total economic damage exceeding €35 million. As the leader of both GandCrab and REvil, Shchukin headed operations that were among the earliest to practice double extortion: demanding one payment for the decryption key and a second payment to keep stolen data from being published.
The Damage and Double Extortion Tactics
Financial Toll Across Europe
The cybercriminal enterprise run by Shchukin and Kravchuk inflicted severe financial harm. Victims ranged from small businesses to large corporations and faced a stark choice: pay the ransom or risk exposure of sensitive information. The double extortion model, which GandCrab and REvil adopted early and refined, pushed many victims to pay and secured a steady stream of illicit revenue. The BKA noted that the group’s operations were not limited to Germany; they had a global reach, but German authorities were particularly active in pursuing the perpetrators.
A Tale of Two Ransomware Operations
GandCrab: The Billion-Dollar Menace
The GandCrab ransomware affiliate program first appeared in January 2018, offering partner hackers a share of the profits for infiltrating corporate networks. Once inside, affiliates would expand their access and exfiltrate sensitive documents before deploying the encryptor. The malware went through five major revisions, each adding stealth and evasion features to bypass security software. At its peak, GandCrab was among the most disruptive ransomware families in circulation. On May 31, 2019, the group announced its shutdown, claiming to have extorted more than $2 billion. In a farewell message, the operators boasted: “We are a living proof that you can do evil and get off scot-free… We have proved that one can make a lifetime of money in one year.”

REvil: The Successor
Almost immediately after GandCrab’s shutdown, a new operation emerged under the banner of REvil. Fronted by the alias UNKNOWN, the group built its standing on a Russian-language cybercrime forum by placing $1 million in escrow as a show of good faith toward prospective affiliates. Security researchers quickly recognized REvil as a direct successor to GandCrab: it used similar tactics and shared portions of its code. Shchukin, as UNKNOWN, gave a rare interview to Dmitry Smilyanets, a former hacker turned security researcher, which further cemented his notoriety. REvil continued the double extortion model and hit high-profile targets worldwide, including the Kaseya supply chain attack.
Ongoing Legal and Financial Pursuits
The BKA’s identification of Shchukin builds on earlier actions by the U.S. Department of Justice. In February 2023, a court filing sought the seizure of cryptocurrency accounts tied to REvil proceeds and revealed that a wallet linked to Shchukin held more than $317,000. These efforts underscore the cross-border cooperation needed to dismantle sophisticated cybercrime networks. Shchukin remains at large, but the public exposure of his identity undercuts the assumption that ransomware operators can stay anonymous indefinitely. German authorities continue to work with international partners to bring him and his associates to justice.