German authorities have publicly identified Daniil Maksimovich Shchukin, a 31-year-old Russian national known online as UNKN, as the alleged leader of the notorious ransomware groups GandCrab and REvil. Alongside him, Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, has been named as a key collaborator, reportedly acting as a developer for REvil.[1][2][5] According to the German Federal Criminal Police Office (BKA), the pair coordinated at least 130 ransomware attacks against German organizations between 2019 and 2021, extorting nearly €2 million in payments while causing over €35 million in total economic damage from disruptions and recovery efforts.[1][2][5]
Shchukin, who also used aliases such as Oneiilk2 and GandCrab, is accused of heading operations that pioneered the double extortion tactic: encrypting victims' systems and demanding payment for the decryption keys, while also threatening to leak stolen data unless an additional ransom was paid.[1][2][5] This model, first popularized by GandCrab in early 2018 as a Ransomware-as-a-Service (RaaS) platform, allowed affiliates to deploy the malware in exchange for a share of the profits and dramatically boosted attackers' success rates.[1] REvil emerged around the time of GandCrab's shutdown, with UNKN announcing its launch on Russian cybercrime forums, leading experts to view it as a rebranded continuation.[2][5] As reported by security journalist Brian Krebs, Shchukin's name had previously surfaced in a 2023 U.S. Justice Department filing linked to over $317,000 in cryptocurrency seized from REvil activities.[2]
The BKA's advisory marks a rare public unmasking of ransomware leaders, providing unprecedented insight into the groups' structure after years of anonymity.[1][2] These attacks targeted commercial enterprises, public facilities, and institutions across Germany, highlighting the vulnerability of critical infrastructure to Russian-based cybercrime.[5][6] While the identification disrupts the gangs' mystique—REvil was already crippled by a 2021 international operation involving the FBI that infiltrated its servers and distributed free decryption keys—it underscores ongoing challenges in global enforcement.[1][2]
Shchukin is believed to be living in Krasnodar, Russia, placing him outside easy extradition reach amid strained international relations.[1][6] An international search is now underway for both men on charges of gang-related extortion, with the BKA emphasizing their roles in one of the largest ransomware operations worldwide.[1][5][6] Victims and cybersecurity experts note that while GandCrab and REvil are defunct, their tactics persist in newer groups, affecting businesses and governments globally by driving up cyber insurance costs and recovery expenses.[1][7]
This development signals escalating efforts by Western law enforcement to dox and pursue ransomware operators, even if arrests remain elusive.[2][5] For affected German entities, it offers validation and potential leads for recovery, though the broader ransomware threat continues to evolve with "big-game hunting" strategies targeting high-value organizations.[7] Authorities urge vigilance, as similar RaaS models fuel ongoing attacks worldwide.