
Germany Exposes REvil and GandCrab Mastermind: Russian Daniil Shchukin Named as 'UNKN'

Last updated: 2026-05-05 16:30:40 · Cybersecurity

Breaking: German Authorities Name Alleged Ransomware Kingpin

The elusive hacker known only as "UNKN" or "UNKNOWN" now has a name and a face. Germany's Federal Criminal Police (BKA) on Tuesday identified 31-year-old Russian national Daniil Maksimovich Shchukin as the alleged leader of two notorious ransomware gangs—GandCrab and REvil.

Germany Exposes REvil and GandCrab Mastermind: Russian Daniil Shchukin Named as 'UNKN'
Source: krebsonsecurity.com

Shchukin is accused of orchestrating at least 130 acts of computer sabotage and extortion against German victims between 2019 and 2021. The BKA said his operations extorted nearly €2 million in ransom payments, causing total economic damages exceeding €35 million.

"This identification marks a critical step in dismantling the infrastructure behind global ransomware threats," a BKA spokesperson said. The agency published an advisory naming Shchukin and a co-conspirator, 43-year-old Anatoly Sergeevitsch Kravchuk, also a Russian national.

Double Extortion and the Modus Operandi

Shchukin's gangs pioneered double extortion: first encrypting victims' data and demanding payment for decryption keys, then threatening to leak stolen files unless a second ransom was paid. This model became a blueprint for ransomware groups worldwide.

Both GandCrab and REvil targeted major corporations, siphoning sensitive documents before activating ransomware. The BKA described the group as "one of the largest worldwide operating ransomware groups."

Background: From GandCrab to REvil

The GandCrab ransomware affiliate program launched in January 2018. It quickly rose to infamy by offering hackers a lion's share of profits for simply breaching corporate networks. The group released five major updates to evade detection by security firms.

On May 31, 2019, GandCrab announced its shutdown, claiming to have extorted over $2 billion. In its farewell message, the group boasted: "We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year."


Almost simultaneously, REvil emerged on a Russian cybercrime forum. A user named UNKNOWN deposited $1 million in escrow to signal legitimacy. Cybersecurity experts quickly concluded REvil was a rebranding of GandCrab.

UNKNOWN later gave a rare interview to Dmitry Smilyanets, a former Russian hacker turned security researcher, detailing the group's structure. The BKA's identification of Shchukin confirms long-held suspicions about the mastermind behind both gangs.

What This Means

The naming of Shchukin represents a significant victory for law enforcement in the fight against ransomware. Germany has likely issued an arrest warrant, and international cooperation could lead to extradition if Shchukin is found outside Russia.

However, Russia typically does not extradite its citizens to Western nations, meaning Shchukin may remain beyond reach. Still, the identification puts pressure on him and other cybercriminals, complicating their ability to operate openly.

For cybersecurity teams, this case underscores the importance of sharing threat intelligence and tracking cryptocurrency flows. The U.S. Justice Department had already seized over $317,000 from a digital wallet linked to Shchukin in 2023, highlighting the role of blockchain analysis.

Experts warn that while a leader is named, the ransomware ecosystem will adapt. New gangs will emerge, but the unraveling of REvil and GandCrab shows that no anonymity can last forever.

This story is developing. Check back for updates.