An elusive hacker who operated under the alias "UNKN" and led some of the most notorious Russian ransomware gangs, GandCrab and REvil, now has a name and a face, thanks to an extensive investigation by German authorities. Thirty-one-year-old Russian national Daniil Maksimovich Shchukin is alleged to have been the mastermind behind both of these prolific cybercrime organizations, orchestrating at least 130 acts of computer sabotage and extortion against victims across Germany between 2019 and 2021. The German Federal Criminal Police (Bundeskriminalamt, or BKA) officially named Shchukin as UNKN (also known as UNKNOWN) in a public advisory, marking a significant breakthrough in the global fight against ransomware.

The BKA’s investigation, which also identified 43-year-old Russian Anatoly Sergeevitsch Kravchuk as a key accomplice, revealed that Shchukin and his associates extorted nearly €2 million (approximately $2.1 million USD) through two dozen cyberattacks. These attacks inflicted over €35 million (approximately $37.5 million USD) in total economic damage on their victims. The advisory featured photographs of both Shchukin and Kravchuk, presenting them as the alleged leaders of the GandCrab and REvil ransomware operations.

Shchukin’s alleged role as the head of GandCrab and REvil positions him at the apex of some of the world’s most impactful cybercrime syndicates. These groups are particularly noted for pioneering and popularizing the "double extortion" tactic. This insidious strategy involved not only encrypting a victim’s data and demanding a ransom for the decryption key but also threatening to leak stolen sensitive information if a second payment was not made. This dual threat significantly amplified the pressure on victims, making them more likely to comply with the criminals’ demands.

The U.S. Department of Justice also played a role in uncovering Shchukin’s activities. A February 2023 filing seeking the seizure of various cryptocurrency accounts linked to REvil’s illicit gains mentioned Shchukin by name. The filing indicated that a digital wallet attributed to him contained over $317,000 in cryptocurrency, representing the proceeds of his criminal enterprise.

The GandCrab ransomware affiliate program first emerged in January 2018, rapidly becoming a lucrative venture for its operators. The program offered substantial profit shares to hackers who successfully infiltrated major corporations. The GandCrab team would then leverage this initial access to further compromise systems, often siphoning vast amounts of sensitive and internal data. Over its operational lifespan, the GandCrab malware underwent five major revisions, each introducing sophisticated new features and bug fixes designed to evade detection by cybersecurity firms and enhance its effectiveness.

On May 31, 2019, the GandCrab group announced its disbandment, claiming to have extorted over $2 billion from victims. In a widely publicized farewell statement, the group defiantly declared, "We are a living proof that you can do evil and get off scot-free… We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit." This statement underscored the group’s success and their perceived impunity.

Shortly after GandCrab’s demise, the REvil ransomware affiliate program surfaced, with an individual known as UNKNOWN announcing his presence on a Russian cybercrime forum. To demonstrate his commitment and financial backing, UNKNOWN reportedly deposited $1 million into the forum’s escrow service. Many cybersecurity experts at the time concluded that REvil was essentially a rebranding or reorganization of GandCrab, given the similar modus operandi and the timing of their emergence.

UNKNOWN himself granted an interview to Dmitry Smilyanets, a former malicious hacker who later worked for the cyber intelligence firm Recorded Future. In this interview, UNKNOWN recounted a dramatic "rags-to-riches" narrative, painting a picture of his impoverished childhood and his ascent to wealth through illicit means. He described a life of hardship, stating, "As a child, I scrounged through the trash heaps and smoked cigarette butts… I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire."

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

The book "The Ransomware Hunting Team" by Renee Dudley and Daniel Golden sheds further light on the operational sophistication of REvil and its predecessors. The authors detail how ransomware developers like UNKNOWN and his associates reinvested significant earnings into improving their operations and emulating legitimate business practices. This included outsourcing tasks such as logistics and web design to specialized third-party companies, allowing them to focus on enhancing the quality and effectiveness of their ransomware. This strategy resulted in higher payout rates from victims, fueling further investment in their criminal enterprises.

The ransomware economy also saw the proliferation of ancillary services. "Cryptor" providers emerged to ensure ransomware remained undetectable by standard anti-malware scanners, while "initial access brokerages" specialized in stealing credentials and identifying network vulnerabilities, selling this access to ransomware operators. Bitcoin "tumblers" offered discounts to gangs that utilized their services for laundering ransom payments. These specialized services created a robust ecosystem that supported the growth and success of groups like GandCrab and REvil.

REvil evolved into a formidable "big-game-hunting" ransomware operation, targeting large organizations with annual revenues exceeding $100 million and those with substantial cyber insurance policies, which were more likely to result in payouts. A particularly high-profile attack occurred over the July 4, 2021 weekend in the United States, when REvil compromised Kaseya, a company that provided IT operations management for over 1,500 businesses, nonprofits, and government agencies.

Following the Kaseya attack, the FBI revealed that it had infiltrated REvil’s servers prior to the breach but could not act on that access without compromising its investigation. The attack on Kaseya proved to be a critical blow to REvil, from which the group never fully recovered. The subsequent release of a free decryption key by the FBI for REvil victims further crippled the organization.

Daniil Maksimovich Shchukin is believed to be from Krasnodar, Russia, and is thought to reside there. The BKA has stated that based on current investigations, the wanted individual is presumed to be abroad, likely in Russia, and that travel outside the country cannot be ruled out.

While direct links between Shchukin and UNKNOWN’s specific forum accounts are scarce, a review of Russian crime forums by the cyber intelligence firm Intel 471 revealed substantial connections between Shchukin and a hacker identity known as "Ger0in." Ger0in was active between 2010 and 2011, operating large botnets and selling "installs"—services that allowed other cybercriminals to rapidly deploy malware to thousands of computers. Although Ger0in’s activity predates UNKNOWN’s emergence as the REvil frontman, it suggests a long-standing involvement in the cybercrime landscape.

Further corroboration of Shchukin’s identity came from a review of mugshots released by the BKA, which found a match on an image-comparison site. This match was made with a photograph from a 2023 birthday celebration, featuring a young man identified as Daniel wearing the same distinctive watch seen in the BKA’s official photos.

An update on April 6, 2024, revealed that a reader forwarded an English-dubbed audio recording from a 2023 Chaos Communication Congress (37C3) conference in Germany. This recording had previously identified Shchukin as the REvil leader, with his name mentioned at approximately 24 minutes and 25 seconds into the presentation. This independent confirmation further solidifies the evidence against Daniil Maksimovich Shchukin as the architect of significant global ransomware operations.