
German Authorities Identify "UNKN," Alleged Leader of REvil and GandCrab Ransomware Syndicates


German law enforcement has publicly identified a key figure in the global ransomware ecosystem, moving a notorious online alias into the real world. The German Federal Criminal Police Office (Bundeskriminalamt or BKA) has named 31-year-old Russian national Daniil Maksimovich Shchukin as the individual behind the handle "UNKN" (also known as "UNKNOWN"). According to the BKA advisory, Shchukin operated as the head of the GandCrab and REvil ransomware groups, two of the most prolific and damaging cybercrime syndicates in recent years. The agency alleges that between 2019 and 2021, Shchukin was involved in at least 130 acts of computer sabotage and extortion targeting German entities, causing widespread disruption and financial harm.

The BKA advisory also names a second individual, 43-year-old Anatoly Sergeevitsch Kravchuk, as an accomplice. Together, the two are accused of orchestrating approximately two dozen high-impact cyberattacks that netted nearly 2 million euros in ransom payments. The total economic damage from these incidents, including recovery costs, operational downtime, and data loss, is estimated to exceed 35 million euros. REvil was among the earliest and most prominent adopters of the "double extortion" tactic, which has since become a ransomware industry standard. This method involves not only encrypting a victim's files and demanding payment for a decryption key but also exfiltrating sensitive data beforehand and threatening to publish it on a leak site if the victim refuses to pay, which removes backups as a complete defense and significantly increases pressure on organizations to settle.

Shchukin's identification by German authorities follows prior action by the United States. His name appeared in a February 2023 U.S. Department of Justice filing seeking the forfeiture of cryptocurrency accounts linked to REvil's activities. That document alleged a digital wallet controlled by Shchukin contained over $317,000 in illicit proceeds. The GandCrab ransomware-as-a-service (RaaS) operation first emerged in early 2018, distinguishing itself by offering affiliate hackers an unusually large share of the profits—reportedly up to 80%—for successfully breaching corporate networks. This aggressive affiliate model fueled its rapid growth and widespread deployment.

The operational history of these groups reveals a pattern of relentless adaptation. The GandCrab developers released five major versions of their ransomware, each incorporating evolutions to bypass security software and improve encryption. After GandCrab's purported retirement in mid-2019, many of its core members and infrastructure reportedly transitioned to the REvil (also known as Sodinokibi) operation, which continued and escalated their criminal campaigns. The public naming of Shchukin and Kravchuk represents a significant step in international efforts to dismantle ransomware networks by moving beyond indictments of faceless aliases to attributing attacks to specific individuals, thereby increasing investigative and diplomatic pressure on their home countries.
