An elusive and notorious cybercriminal known only by the handle "UNKN," who masterminded the devastating ransomware operations of GandCrab and REvil, has finally been unmasked by German authorities. Thirty-one-year-old Russian national Daniil Maksimovich Shchukin has been identified as the principal architect behind these prolific cybercrime syndicates, responsible for at least 130 acts of computer sabotage and extortion targeting victims across Germany between 2019 and 2021. The German Federal Criminal Police (Bundeskriminalamt, or BKA) revealed Shchukin’s identity in a public advisory, shedding light on a shadowy figure who had previously evaded direct attribution. Alongside Shchukin, authorities also named 43-year-old Russian national Anatoly Sergeevitsch Kravchuk, alleging that the duo extorted approximately €2 million from victims through two dozen cyberattacks, resulting in over €35 million in total economic damage.

The BKA’s advisory directly links Shchukin to the leadership of GandCrab and REvil, two of the most globally impactful ransomware operations. These groups helped popularize the "double extortion" model, in which victims are pressed to pay not only for a key to unlock their encrypted data but also to prevent the data stolen before encryption from being published online. This dual pressure significantly increased the leverage of the ransomware operators and the desperation of their victims. Shchukin’s alleged involvement was further substantiated by a February 2023 filing from the U.S. Department of Justice, which sought the seizure of cryptocurrency accounts linked to the REvil gang’s illicit gains. That filing identified a digital wallet connected to Shchukin containing over $317,000 in cryptocurrency, providing concrete financial evidence of his entanglement with the group’s operations.

The GandCrab ransomware affiliate program first emerged in January 2018, quickly establishing a lucrative model that rewarded affiliates with a large share of ransom payments in exchange for breaching corporate networks. The GandCrab developers then used that initial access to expand their foothold inside the network, often siphoning vast quantities of sensitive and proprietary data before encrypting systems. Over its operational lifespan, the GandCrab team released five major versions of the ransomware, each incorporating new features and bug fixes designed to evade detection by security firms and keep the malware spreading. The group’s departure from the cybercrime scene was marked by a public announcement on May 31, 2019, claiming to have extorted over $2 billion from victims. Their farewell message, a blend of arrogance and self-congratulation, stated, "We are a living proof that you can do evil and get off scot-free… We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit."

The REvil ransomware affiliate program surfaced around the same time as GandCrab’s disbandment, with its activities fronted by a user operating under the moniker UNKNOWN. On a prominent Russian cybercrime forum, UNKNOWN declared his seriousness by depositing $1 million into the forum’s escrow service. By this juncture, many cybersecurity experts had already concluded that REvil was, in essence, a rebranding or reorganization of the GandCrab operation, a seamless transition of infrastructure and personnel. UNKNOWN himself granted an interview to Dmitry Smilyanets, a former malicious hacker employed by Recorded Future, where he recounted a stark rags-to-riches narrative devoid of ethical considerations. He painted a picture of extreme poverty in his youth, stating, "As a child, I scrounged through the trash heaps and smoked cigarette butts… I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire."

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

The evolution of these ransomware groups, as detailed in the book "The Ransomware Hunting Team" by Renee Dudley and Daniel Golden, highlights a business model that mirrored legitimate enterprises. UNKNOWN and REvil reinvested their substantial earnings into improving their operational capabilities and adopting practices from the legitimate business world. The authors observed that, much like a manufacturing company might outsource logistics or web design, ransomware developers increasingly delegated tasks outside their core competencies and focused on improving the quality of their malicious software. Higher-quality ransomware, which was harder for security firms to crack, led to larger payouts from victims. Those windfalls then fueled further reinvestment in the criminal enterprise, enabling the gangs to hire more specialists and accelerate their success.

The booming ransomware economy attracted a diverse array of criminal actors. Ancillary service providers emerged or pivoted from other illicit activities to meet the demand for specialized support. These included "crypter" providers who ensured ransomware evaded detection by standard anti-malware scanners, "initial access brokers" specializing in stealing credentials and identifying network vulnerabilities to sell to ransomware operators, and Bitcoin "tumblers" that offered discounted services for laundering ransom payments. Some contractors were willing to work with any gang, while others formed exclusive partnerships.

REvil, in particular, evolved into a formidable "big-game hunting" operation, adept at extorting massive ransom payments from large organizations. Its targets were typically companies with annual revenues exceeding $100 million, often holding substantial cyber insurance policies that were known to pay out ransoms. The group’s most infamous attack occurred over the July 4, 2021 weekend in the United States, when REvil compromised Kaseya, a company providing IT operations management software, and used that access to push ransomware to more than 1,500 downstream businesses, nonprofits, and government agencies. It later emerged that the FBI had gained access to REvil’s servers before the Kaseya attack but could not reveal that access at the time. REvil never fully recovered from this compromise, nor from the subsequent release by the FBI of a free decryption key for victims of its ransomware.

Shchukin hails from Krasnodar, Russia, and is believed to reside there, according to the BKA. The advisory states, "Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia. Travel behaviour cannot be ruled out." While direct links between Shchukin and UNKNOWN’s various online personas on Russian crime forums are sparse, a review of indexed forums by cyber intelligence firm Intel 471 has uncovered significant connections between Shchukin and a hacker identity known as "Ger0in." Ger0in was active between 2010 and 2011, a period predating UNKNOWN’s emergence as the REvil frontman, and was known for operating large botnets and selling "installs," which allowed other cybercriminals to rapidly deploy malware to thousands of PCs simultaneously.

Further evidence corroborating Shchukin’s identity emerged through reverse image search. Running the mugshots released by the BKA through Pimeyes returned a match on a birthday celebration photo from 2023. That image features a young man named Daniel wearing the same distinctive, high-end watch that is visible in the official BKA photos, providing a strong visual link.

Update, April 6, 12:06 p.m. ET: A reader forwarded an English-dubbed audio recording of a talk given at the 2023 Chaos Communication Congress (37C3) in Germany. That presentation had already identified Shchukin as the leader of REvil, with his name mentioned around the 24:25 mark of the audio file, reinforcing the findings of the German authorities.