Unmasking the Architects of Chaos: German Authorities Identify Leaders of REvil and GandCrab Ransomware Empires

In a significant breakthrough for international cybercrime investigations, the German Federal Criminal Police (Bundeskriminalamt or BKA) has officially identified the elusive figures behind two of the most prolific ransomware operations in history. Daniil Maksimovich Shchukin, a 31-year-old Russian national, has been named as the high-ranking administrator who operated under the notorious pseudonym “UNKN” (short for “UNKNOWN”). According to German authorities, Shchukin was a central figure in both the GandCrab and REvil ransomware-as-a-service (RaaS) organizations, overseeing a criminal enterprise that systematically extorted millions of dollars from victims worldwide.

The BKA’s public advisory also identified 43-year-old Anatoly Sergeevitsch Kravchuk as a key accomplice. Together, the duo is accused of spearheading a campaign of digital sabotage and extortion that targeted at least 130 entities across Germany between 2019 and 2021. While the direct extortion payments linked to these specific German cases amounted to nearly €2 million, the broader economic impact—including system restoration, lost productivity, and forensic investigations—is estimated to exceed €35 million.

The Rise of the Ransomware Kingpin

The identification of Daniil Shchukin marks the end of a years-long game of digital cat-and-mouse. For years, "UNKN" was a shadowy figure on Russian-language underground forums, known for his professional demeanor, vast technical resources, and an apparent lack of moral restraint. Shchukin, a resident of Krasnodar, Russia, is believed to have been the primary architect of the business models that turned ransomware from a niche nuisance into a multi-billion-dollar global industry.

Investigations into Shchukin’s digital footprint suggest his involvement in cybercrime dates back over a decade. Intelligence gathered by the cybersecurity firm Intel 471 suggests that Shchukin may have previously operated under the handle “Ger0in” between 2010 and 2011. During that period, Ger0in was known for managing large-scale botnets and selling “installs,” a service that allowed other criminals to pay for the privilege of deploying malware onto thousands of compromised computers simultaneously. This early experience in infrastructure management likely provided the foundation for the sophisticated affiliate programs he would later manage.

In a rare 2021 interview with a threat intelligence researcher, the individual behind the UNKN persona described a childhood defined by extreme poverty in post-Soviet Russia. He claimed to have scrounged through trash heaps and gone days without food, experiences he cited as the primary motivation for his transition into high-stakes cybercrime. "Now I am a millionaire," he told the interviewer, framing his criminal career as a "rags-to-riches" triumph over circumstance.

From GandCrab to REvil: A Legacy of Extortion

The lineage of Shchukin’s criminal empire began with GandCrab, which emerged in January 2018. GandCrab revolutionized the ransomware industry by perfecting the affiliate model. Under this system, the core developers (led by Shchukin) provided the ransomware code and the payment infrastructure, while "affiliates" did the heavy lifting of breaching corporate networks. The profits were typically split, with the developers taking a 20% to 30% cut.

GandCrab was relentless, undergoing five major code revisions to bypass security software. In May 2019, the group made the unprecedented move of "retiring." In a gloating farewell post on a dark web forum, the operators claimed to have extorted more than $2 billion globally. They famously quipped, “We are a living proof that you can do evil and get off scot-free.”

However, the retirement was a ruse. Shortly after GandCrab’s dissolution, REvil (also known as Sodinokibi) appeared. Cybersecurity analysts quickly identified similarities in the code and operational style. UNKN surfaced as the public face of REvil, depositing $1 million in a forum’s escrow account to demonstrate the group’s massive capital reserves. REvil took the GandCrab model and refined it into "Big Game Hunting," specifically targeting large corporations with annual revenues exceeding $100 million.

Innovation in Criminal Enterprise: Double Extortion

Under Shchukin’s leadership, REvil pioneered the "double extortion" tactic. Previously, ransomware simply encrypted files, and victims who had backups could often avoid paying. To counter this, REvil began stealing sensitive data before encrypting the systems. Victims were then presented with two demands: one for the decryption key and another to prevent the public release of their proprietary data on REvil’s "Happy Blog."

This professionalization of cybercrime mirrored legitimate corporate structures. As noted in the investigative work The Ransomware Hunting Team, groups like REvil functioned like modern tech firms. They outsourced specialized tasks to "Initial Access Brokers" who sold credentials to compromised networks, hired "cryptor" providers to mask their malware from antivirus software, and utilized sophisticated money-laundering networks to tumble their cryptocurrency gains.

The Turning Point: Kaseya and the FBI Infiltration

The peak of REvil’s notoriety came during the July 4, 2021, holiday weekend in the United States. The group executed a massive supply-chain attack by exploiting a vulnerability in Kaseya VSA software, which is used by Managed Service Providers (MSPs) to monitor and manage IT infrastructure. By compromising Kaseya, REvil was able to deploy ransomware simultaneously to over 1,500 downstream businesses, including schools, grocery chains, and local governments.

This attack proved to be the group’s undoing. The scale of the disruption forced a massive response from the U.S. federal government. The FBI later revealed that it had successfully infiltrated REvil’s servers months prior to the Kaseya hack. While the bureau initially withheld action to gather more intelligence, the Kaseya incident prompted the release of a universal decryption key, effectively neutralizing the group’s leverage and leading to its eventual fragmentation.

Evidence and Digital Forensics

The identification of Shchukin was not based on a single mistake, but a culmination of digital breadcrumbs. A February 2023 filing by the U.S. Department of Justice seeking the seizure of cryptocurrency accounts directly linked Shchukin to a digital wallet containing over $317,000 in illicit funds.

Furthermore, German investigators utilized advanced facial recognition technology to bridge the gap between the digital persona and the physical man. Using the image comparison tool Pimeyes, investigators matched mugshots and surveillance photos of Shchukin with social media posts from a 2023 birthday celebration in Krasnodar. In the birthday photos, a man identified as "Daniel" is seen wearing the same luxury watch and displaying the same physical features as the individual identified by the BKA.

Official Responses and Global Implications

The German BKA has issued a formal wanted notice for Shchukin and Kravchuk, though it acknowledges the significant hurdles to an arrest. "Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia," the BKA stated in its advisory. Given the current geopolitical climate and Russia’s historical refusal to extradite its citizens for cybercrimes committed abroad, the chances of Shchukin facing a German courtroom in the near future remain slim.

However, the unmasking serves a strategic purpose. By naming and shaming these individuals, law enforcement effectively "burns" their identities, making it impossible for them to travel to any country with an extradition treaty with Germany or the United States. It also disrupts their ability to interact with the global financial system and puts pressure on their internal criminal networks.

The reaction from the cybersecurity community has been one of cautious optimism. Analysts suggest that the dismantling of the "anonymity myth" is a powerful deterrent. When the leaders of the world’s most feared ransomware gangs can be found via birthday party photos and crypto-tracing, the perceived invincibility of these actors begins to crumble.

Analysis: The Future of the Ransomware Threat

While Shchukin’s REvil may be defunct, the RaaS model he helped perfect continues to evolve. The vacuum left by REvil was quickly filled by other groups like LockBit and BlackCat (ALPHV), which have adopted even more aggressive tactics. The identification of Shchukin highlights a shift in law enforcement strategy: moving away from merely reacting to individual attacks and toward dismantling the leadership and financial infrastructure of the groups themselves.

The case also underscores the critical importance of international cooperation. The investigation involved a complex web of data sharing between the BKA, the FBI, and private intelligence firms. As ransomware continues to pose a systemic threat to global infrastructure, such collaborations will be the primary weapon against the next generation of "UNKNOWN" actors.

For now, Daniil Maksimovich Shchukin remains a fugitive, a millionaire living in the shadow of international warrants. His transition from a child scrounging through trash to the head of a global criminal enterprise is a stark reminder of the high stakes in the modern digital age, where a single individual behind a keyboard can inflict tens of millions of dollars in damage across the globe.
