Unmasking the Mastermind: How German Authorities Identified the Leader of REvil and GandCrab Ransomware Gangs

For years, the cybercriminal known only as “UNKN” or “UNKNOWN” operated in the shadows, orchestrating some of the most notorious ransomware campaigns on record. That anonymity ended when the German Federal Criminal Police (BKA) publicly identified the man behind the handle: Daniil Maksimovich Shchukin, a 31-year-old Russian national. Shchukin is accused of leading both the GandCrab and REvil ransomware operations, which helped popularize double extortion and caused hundreds of millions in damages worldwide. Below, we answer key questions about this significant breakthrough in cybercrime investigations.

Who is Daniil Maksimovich Shchukin and what alias did he use?

Daniil Maksimovich Shchukin, a 31-year-old Russian, operated online under the handle UNKN (also written as UNKNOWN). The BKA named him as the leader of two prolific ransomware groups: GandCrab and REvil. Shchukin’s true identity was revealed following a joint investigation that linked him to at least 130 acts of computer sabotage and extortion in Germany between 2019 and 2021. The unmasking is a rare win for law enforcement: high-level ransomware administrators are seldom identified by name, and this one had evaded attribution for years.

(Image source: krebsonsecurity.com)

What exactly is “double extortion” and how did these groups use it?

Double extortion is a coercion tactic that GandCrab and REvil helped popularize. As the name implies, victims are squeezed twice: first, they are told to pay for a decryption key to recover their encrypted systems; second, they face a further demand to prevent the public release of data stolen before encryption. Because the second threat survives even a successful restore from backup, it removes the victim’s main defense against a pure encryption attack. Shchukin’s groups combined encryption with data theft to maximize pressure on corporate victims. The BKA noted that Shchukin and his associate Anatoly Kravchuk extorted nearly €2 million from two dozen attacks in Germany alone, causing over €35 million in total economic damage.

How did German authorities link Shchukin to UNKN and the ransomware attacks?

German authorities pieced together digital traces from cryptocurrency transactions, forum posts, and technical analysis of the malware itself. A key piece of evidence came from a February 2023 U.S. Justice Department filing seeking forfeiture of cryptocurrency accounts tied to REvil proceeds. That filing identified a wallet attributed to Shchukin holding more than $317,000 in illicit funds. The BKA’s investigation also connected Shchukin to the GandCrab affiliate program, which first appeared in January 2018 and grew rapidly through aggressive recruitment of intruders who shared in the profits.

What was the GandCrab ransomware affiliate program and why did it shut down?

Launched in January 2018, GandCrab operated as an affiliate program (Ransomware-as-a-Service): the core team, allegedly led by Shchukin, supplied the malware, payment portal and infrastructure, while “affiliates” carried out the actual intrusions and deployment. Affiliates kept the larger share of each ransom payment, with the remainder going to the operators. The malware went through five major versions, each revised to evade security products and reverse the fixes of free decryptors. On May 31, 2019, the GandCrab team announced their retirement, claiming to have extorted more than $2 billion from victims. Their farewell message defiantly stated: “We are a living proof that you can do evil and get off scot-free… We have proved that one can make a lifetime of money in one year.”


How did REvil emerge from GandCrab’s ashes?

Immediately after GandCrab disbanded, a new group called REvil (also known as Sodinokibi) appeared on Russian-language cybercrime forums, fronted by the same UNKNOWN handle. The user deposited $1 million into a forum escrow account to demonstrate credibility to prospective affiliates. Many security researchers saw REvil as a straightforward rebranding and reorganization of GandCrab, with the same core team behind it. UNKNOWN gave rare interviews, including one to former hacker turned threat-intelligence analyst Dmitry Smilyanets, further cementing the link. REvil continued the double extortion model and hit high-profile targets, including meat processor JBS and IT management vendor Kaseya, demanding ransoms in the millions of dollars.

What are the broader implications of identifying Shchukin for the fight against ransomware?

The identification of Shchukin represents a significant step toward holding ransomware leaders accountable. By connecting the “UNKN” alias to a real person, law enforcement can freeze assets, issue international arrest warrants, and restrict the suspect’s ability to travel or do business outside Russia. However, because Shchukin is a Russian national and Russia does not extradite its citizens, an arrest is unlikely unless he leaves the country. The case also highlights the value of international cooperation: German, U.S., and other agencies shared intelligence to build it. The unmasking may pressure other ransomware figures to tighten their operational security, though it remains to be seen whether it will disrupt the broader ransomware ecosystem.
