215111 Stack

2026-05-06 13:20:02

German Authorities Unmask the Mastermind Behind REvil and GandCrab Ransomware Gangs

German police identify 31-year-old Russian Daniil Shchukin as the leader of REvil and GandCrab ransomware gangs, unmasking the alias UNKN after years of cyberattacks.

The notorious ransomware gangs GandCrab and REvil plagued businesses and governments worldwide for years, but their leader stayed hidden behind the alias "UNKN." Now the German federal police have put a name and a face to the alias: 31-year-old Russian Daniil Maksimovich Shchukin. In a detailed advisory, the Bundeskriminalamt (BKA) set out how Shchukin and his accomplice Anatoly Sergeevitsch Kravchuk orchestrated cyberattacks that extorted millions from victims and caused tens of millions of euros in damage in Germany alone. This Q&A covers the identification, the gangs' tactics, and what the disclosure means for defenders.

Who is UNKN and what was his role in ransomware groups?

UNKN, also known as UNKNOWN, was the online alias of Daniil Maksimovich Shchukin, a 31-year-old Russian national. The German Federal Criminal Police (BKA) identified him as the head of two of the most prolific ransomware operations of their era: GandCrab and REvil. Shchukin did not merely participate in these gangs; he ran them, overseeing the affiliate programs that recruited intruders to breach corporate networks. His leadership spanned 2018 through 2021, a period in which, according to the BKA, he and his team committed at least 130 acts of computer sabotage and extortion in Germany alone. Under his direction the groups were early adopters of aggressive tactics such as double extortion and collected ransoms from victims across the globe. The BKA advisory describes Shchukin as a central figure in the cybercrime ecosystem, responsible both for orchestrating attacks and for managing the proceeds.

German Authorities Unmask the Mastermind Behind REvil and GandCrab Ransomware Gangs
Source: krebsonsecurity.com

How did German authorities identify Daniil Shchukin as UNKN?

German investigators pieced together Shchukin's identity through a combination of forensic analysis, cryptocurrency tracing, and international cooperation. A key lead was a February 2023 U.S. Justice Department filing that sought to seize cryptocurrency wallets linked to REvil proceeds; one of those wallets held over $317,000 that investigators tied to Shchukin. The BKA advisory named Shchukin and his accomplice, Anatoly Sergeevitsch Kravchuk, after linking the pair to two dozen cyberattacks that extorted nearly €2 million and caused over €35 million in total damage. German investigators also drew on evidence from GandCrab's operations, including server logs and financial records, to connect the UNKN alias to a real-world identity. This work by the BKA, with support from the FBI and Europol, resolved one of ransomware's longest-running open questions.

What were GandCrab and REvil, and how did they operate?

GandCrab first appeared in January 2018 as a ransomware-as-a-service (RaaS) affiliate program. Affiliates leased the malware and broke into victims' systems, while the core team led by Shchukin handled the ransom negotiations and payment infrastructure. The gang iterated quickly, shipping five major revisions of the GandCrab code, each adding evasion features and fixes aimed at defeating security software. After GandCrab "retired" in May 2019, claiming over $2 billion in ransoms, many of its members resurfaced under a new banner: REvil. UNKNOWN (Shchukin) backed the REvil program on a Russian cybercrime forum with a $1 million escrow deposit to establish his credibility with prospective affiliates. REvil followed the same RaaS model but leaned harder on double extortion: encrypting data and threatening to publish it unless victims paid both for the decryption key and a separate "data leak" ransom. The groups targeted major corporations and critical infrastructure worldwide.

What is double extortion, and how did these gangs use it?

Double extortion is a ransomware tactic in which attackers apply two separate forms of pressure to a victim. First, they demand payment for the key that decrypts the victim's files, the traditional ransomware demand. Second, they steal sensitive data before encrypting it and demand a further payment under threat of publishing it. GandCrab and REvil were early adopters of this approach, which sharply raises the stakes for victims: a company that declines to pay for decryption, perhaps because it has good backups, can still see confidential documents, customer records, or intellectual property posted on a public "leak site," with the reputational and regulatory fallout that follows. The dual threat makes payment more likely, since victims face not only operational paralysis but also public exposure. It also means backups alone are not a complete defense, and paying the second ransom buys only the attackers' unverifiable promise to delete the stolen copy. The BKA noted that Shchukin's groups used this method in attacks across Germany between 2019 and 2021, extorting nearly €2 million directly while causing over €35 million in broader losses from downtime and cleanup.


How did GandCrab shut down with a bold farewell?

On May 31, 2019, the GandCrab team announced it was shutting down immediately after a lucrative run of less than 18 months. Its farewell message, posted on underground forums, boasted: "We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit." The group claimed to have extorted over $2 billion from victims worldwide. Many researchers read the retirement as a strategic move to shed law-enforcement attention and expected the crew to rebrand rather than quit. That is what happened: the REvil operation soon emerged, led by the same core figure, UNKNOWN. The brazen exit underlined both the gang's confidence and how profitable the ransomware business model had become.

What is the connection between GandCrab and REvil?

Security researchers long suspected that REvil was a rebranding or reorganization of GandCrab. The link became clearer when UNKNOWN, the same alias later attributed to Shchukin, promoted REvil on a Russian cybercrime forum after GandCrab's shutdown. UNKNOWN deposited $1 million in forum escrow to demonstrate seriousness, a level of capital that strongly suggested the GandCrab enterprise stood behind the new program. REvil's malware also shared code and design traits with GandCrab, and both groups ran the same affiliate and extortion model. The BKA's identification of Shchukin as the leader of both operations confirms the link: he ran the GandCrab affiliate program and then ran REvil, likely carrying over affiliates and infrastructure. That continuity let the syndicate walk away from the law-enforcement attention on GandCrab while continuing its attacks under a new name.

Who is Anatoly Kravchuk and what was his role?

Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian national, was named by the BKA as Shchukin's key accomplice. Together, the two are linked to two dozen cyberattacks in Germany that extorted nearly €2 million and caused over €35 million in total economic damage. The BKA advisory does not spell out their division of labor. Shchukin is described as the head of the gangs; Kravchuk's exact role is not stated, and any description of him as an operations lead or as the person handling cryptocurrency laundering is speculation rather than something the advisory says. German authorities are pursuing both men, but their current whereabouts and legal status are unknown. Naming Kravchuk alongside Shchukin underscores that these ransomware operations were collaborative enterprises and that untangling them required sustained international effort.