German Authorities Unmask ‘UNKN,’ Alleged Mastermind Behind GandCrab and REvil Ransomware Operations

German authorities have officially unmasked the elusive hacker known by the moniker "UNKN" (also "UNKNOWN"), identifying him as 31-year-old Russian national Daniil Maksimovich Shchukin. Shchukin is alleged to have been the architect behind some of the most prolific and damaging ransomware operations in recent history: GandCrab and REvil. The German Federal Criminal Police (Bundeskriminalamt, or BKA) has implicated Shchukin in at least 130 acts of computer sabotage and extortion targeting victims across Germany between 2019 and 2021.

The BKA’s advisory, published on their official website, details Shchukin’s alleged leadership role in these cybercrime syndicates. Alongside a 43-year-old compatriot, Anatoly Sergeevitsch Kravchuk, Shchukin is accused of extorting nearly €2 million from victims through approximately two dozen cyberattacks. These attacks are estimated to have inflicted a staggering €35 million in total economic damage. The image released by the BKA, showing Shchukin and Kravchuk, provides a visual identity to the previously faceless threats that have plagued global cybersecurity.

The Rise of Double Extortion

Shchukin’s alleged leadership of GandCrab and REvil places him at the forefront of a significant evolution in cybercrime tactics. The BKA notes that these groups were pioneers in the practice of "double extortion." This insidious strategy involves not only encrypting a victim’s data and demanding a ransom for the decryption key but also threatening to leak sensitive, stolen information if the ransom is not paid. This dual threat significantly amplifies the pressure on victims, often forcing their hand due to the potential reputational damage and regulatory penalties associated with data breaches.

The financial implications of these operations are immense. Shchukin’s involvement is further substantiated by a U.S. Department of Justice filing from February 2023. This filing, which sought the seizure of cryptocurrency accounts linked to REvil’s activities, identified a digital wallet associated with Shchukin containing over $317,000 in illicitly obtained cryptocurrency. This provides tangible evidence of the financial gains derived from his alleged criminal enterprise.

GandCrab: A Precursor to Devastation

The GandCrab ransomware affiliate program first emerged in January 2018. It operated on a highly profitable model, rewarding hackers for infiltrating user accounts within major corporations. The GandCrab developers would then leverage this initial access to expand their reach, often siphoning vast quantities of sensitive and proprietary data. Over its operational lifespan, the GandCrab team released five major revisions of its malware, each incorporating new features and bug fixes designed to evade detection by cybersecurity firms and maintain its disruptive capabilities.

On May 31, 2019, the GandCrab group announced its disbandment, claiming to have extorted over $2 billion from victims worldwide. In a widely quoted farewell statement, the group brazenly declared, "We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit." This statement underscored the group’s perceived impunity and the immense profitability of their criminal endeavors.

REvil: The Successor and Escalation

The REvil ransomware affiliate program emerged shortly after GandCrab’s demise, fronted by the same UNKNOWN persona. The group’s leader famously announced his intentions by depositing $1 million into the escrow of a Russian cybercrime forum, a move designed to signal seriousness and attract affiliates. Many cybersecurity experts at the time concluded that REvil was, in essence, a rebranding or reorganization of the GandCrab operation, indicating a continuity of leadership and operational strategy.

UNKNOWN, later identified as Shchukin, even granted an interview to Dmitry Smilyanets, a former malicious hacker then working for the cybersecurity firm Recorded Future. In this interview, UNKNOWN painted a stark picture of his personal journey, describing a "rags-to-riches" narrative that was devoid of ethical considerations. He recounted a childhood of extreme poverty, stating, "As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire." This personal account highlights the stark contrast between his impoverished upbringing and the immense wealth he allegedly accumulated through cybercrime.

A Business Model for Cybercrime

The success of GandCrab and REvil can be attributed, in part, to their sophisticated business model, which mirrored legitimate corporate structures. As detailed in the book "The Ransomware Hunting Team" by Renee Dudley and Daniel Golden, these ransomware operations increasingly outsourced tasks to specialized third-party providers. This allowed the core developers to focus on enhancing the quality and effectiveness of their ransomware.

This approach involved a complex ecosystem of criminal service providers:

  • Ransomware Development: Core developers focused on creating robust and evasive malware.
  • Cryptors: Specialists who ensured ransomware could bypass standard anti-malware scanners.
  • Initial Access Brokerages: Entities that specialized in stealing credentials and identifying network vulnerabilities, then selling this access to ransomware operators.
  • Bitcoin Tumblers: Services that helped launder ransom payments by obscuring the origin and destination of cryptocurrency transactions.

This outsourcing strategy allowed gangs like GandCrab and REvil to operate with greater efficiency and sophistication, reinvesting their substantial profits into improving their infrastructure and expanding their reach. The quality of their ransomware improved, leading to higher payouts from victims. This created a lucrative "booming ransomware economy" that attracted a growing number of criminals and ancillary service providers.

REvil, in particular, evolved into a formidable "big-game-hunting" operation. The group strategically targeted larger organizations with annual revenues exceeding $100 million, often those with substantial cyber insurance policies that were more likely to pay out ransoms.

The Kaseya Attack and Downfall

REvil’s criminal trajectory reached a critical juncture over the July 4, 2021 weekend in the United States. The group launched a devastating attack against Kaseya, a company providing IT management software to over 1,500 businesses, nonprofits, and government agencies. This attack, which exploited a previously unknown vulnerability in Kaseya’s own software, had a cascading effect, impacting numerous downstream clients.

Following the Kaseya attack, the FBI revealed that they had infiltrated REvil’s servers prior to the incident but were unable to disclose their findings publicly at the time. This covert compromise, coupled with the subsequent public release of a free decryption key for REvil victims by the FBI, proved to be a significant blow from which the ransomware group never fully recovered. The loss of their infrastructure and the availability of free decryption tools severely hampered their future operations.

Identifying UNKN: From Botnets to Ransomware

While Shchukin’s name is now linked to UNKN, the connection to his earlier online activities has been pieced together through extensive cyber intelligence. Investigations suggest that Shchukin operated under the alias "Ger0n" between 2010 and 2011. During this period, Ger0n was known for operating large botnets and selling "installs" – essentially providing other cybercriminals with the ability to rapidly deploy malware to thousands of compromised PCs. Although Ger0n’s activity predates UNKNOWN’s emergence as the REvil frontman, it indicates a long-standing involvement in the cybercrime underground.

The BKA has indicated that Shchukin is from Krasnodar, Russia, and is believed to reside there. The advisory states, "Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia. Travel behavior cannot be ruled out." This suggests that while his current location is believed to be Russia, his movements are not entirely predictable.

Further corroboration of Shchukin’s identity emerged from a review of mugshots released by the BKA. An image comparison website, Pimeyes, identified a match on a public birthday celebration from 2023. The individual in the photograph, identified as Daniel, was wearing the same distinctive luxury watch that is visible in the BKA’s official photos of Shchukin, adding another layer of visual evidence.

A Conference Revelation

An update on April 6, 2024, brought to light an English-dubbed audio recording from the 2023 Chaos Communication Congress (37C3) held in Germany. The recording, shared by a reader, had already identified Shchukin as the REvil leader, at around the 24:25 mark. Presentations at this hacker and academic conference are often a venue for deep technical dives into cybercrime, so the recording serves as an additional, albeit indirect, confirmation of Shchukin’s alleged role.

Broader Implications and Future Pursuits

The unmasking of Daniil Maksimovich Shchukin marks a significant victory for international law enforcement agencies in their ongoing battle against sophisticated cybercrime. It demonstrates the persistent efforts to identify and hold accountable the individuals behind some of the most damaging ransomware operations. The GandCrab and REvil groups inflicted widespread economic damage, disrupted critical infrastructure, and instilled fear in businesses and individuals alike.

The identification of Shchukin as the alleged mastermind provides valuable intelligence for ongoing investigations and potential future prosecutions. However, his presumed location in Russia presents significant challenges for extradition and legal recourse, mirroring the complexities faced in bringing many cybercriminals to justice. The BKA’s advisory and the U.S. Department of Justice’s filings represent crucial steps in building an international case against him and his associates. The continued collaboration between global law enforcement, cybersecurity firms, and researchers will be paramount in dismantling these sophisticated criminal networks and mitigating the pervasive threat of ransomware. The unmasking of UNKN signifies not an end, but a critical development in the long and often arduous fight against cyber adversaries.