Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
German authorities have publicly identified 31-year-old Russian Daniil Maksimovich Shchukin as the operator behind the UNKN/UNKNOWN handle who led the GandCrab and REvil ransomware groups.

German law enforcement has dealt a significant blow to the lore of ransomware by publicly naming the elusive figure behind two of the most notorious Russian cybercrime gangs. The German Federal Criminal Police (BKA) identified 31-year-old Russian Daniil Maksimovich Shchukin as the operator of the handles "UNKN" and "UNKNOWN," who led both the GandCrab and REvil ransomware affiliate programs. The identification, published in a BKA advisory, marks the first time authorities have officially linked a real name and face to the shadowy figure who pioneered the double-extortion model that reshaped the cybercrime landscape.
The BKA alleges that Shchukin, alongside 43-year-old accomplice Anatoly Sergeevitsch Kravchuk, was responsible for at least 130 acts of computer sabotage and extortion against victims across Germany between 2019 and 2021. The group extorted nearly €2 million from two dozen attacks, causing over €35 million in total economic damage. The advisory notes that Shchukin is believed to be residing in his hometown of Krasnodar, Russia, and that travel cannot be ruled out, effectively placing him beyond the reach of German authorities.
GandCrab first appeared in January 2018 and quickly became the dominant ransomware-as-a-service operation, paying affiliates generous shares for initial access to corporate networks. The group would then expand that access, often exfiltrating vast amounts of sensitive data before deploying the ransomware. The malware underwent five major revisions, each adding features to evade detection by security software. On May 31, 2019, the group announced its shutdown, claiming to have extorted more than $2 billion from victims. In a farewell message, the group famously boasted: "We are a living proof that you can do evil and get off scot-free."
Almost immediately after GandCrab's demise, the REvil ransomware affiliate program emerged, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he had deposited $1 million in escrow to demonstrate his seriousness. Cybersecurity researchers quickly concluded that REvil was essentially a rebranding and reorganization of GandCrab. UNKNOWN later gave an interview to Recorded Future, describing a rags-to-riches story of growing up in poverty and becoming a millionaire through cybercrime.
REvil evolved into a feared "big-game-hunting" machine, targeting organizations with more than $100 million in annual revenues and exploiting generous cyber insurance policies. The group's most infamous attack came over the July 4, 2021 weekend in the United States, when it hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits, and government agencies. The FBI later revealed it had infiltrated the group's servers prior to the Kaseya hack but could not tip its hand at the time. REvil never recovered from that compromise or from the FBI's release of a free decryption key for victims.
Shchukin's name previously appeared in a February 2023 filing from the U.S. Justice Department seeking seizure of cryptocurrency accounts tied to REvil proceeds. The government said a digital wallet linked to Shchukin contained more than $317,000 in ill-gotten cryptocurrency. The BKA's public identification now provides a concrete target for international law enforcement efforts, though Shchukin's presumed residence in Russia makes extradition unlikely.
The doxing of UNKN represents a rare attribution victory in the ransomware world, where anonymity has long been a key enabler of cybercrime. By stripping away the pseudonym, German authorities have not only named a suspect but also sent a message to other ransomware operators that their identities may eventually be exposed, even if prosecution remains elusive.