The German Federal Criminal Police, known as the Bundeskriminalamt (BKA), has officially identified the individual behind the notorious "UNKN" and "UNKNOWN" monikers as 31-year-old Daniil Maksimovich Shchukin. Shchukin is alleged to have served as the mastermind behind two of the most prolific and damaging ransomware-as-a-service (RaaS) operations in history: GandCrab and its successor, REvil. According to investigators, Shchukin, a resident of Krasnodar, Russia, directed a global campaign of cyber-extortion that targeted critical infrastructure, government agencies, and major corporations, resulting in tens of millions of dollars in direct losses and billions in broader economic disruption.
The identification marks a significant breakthrough in a multi-year international investigation involving law enforcement agencies across Europe and the United States. German authorities have linked Shchukin and his associate, 43-year-old Anatoly Sergeevitsch Kravchuk, to at least 130 specific acts of computer sabotage and extortion within Germany alone between 2019 and 2021. The BKA’s findings suggest that while the group’s reach was global, their impact on German medium-to-large enterprises was particularly severe, causing an estimated 35 million euros in total economic damage.
The Architect of the RaaS Revolution
To understand the significance of Shchukin’s unmasking, one must look at the evolution of the ransomware industry, which he arguably helped professionalize. Shchukin’s first major venture, GandCrab, appeared on the dark web in January 2018. Unlike previous ransomware strains that were often operated by lone individuals, GandCrab popularized the "Affiliate Program" model. In this ecosystem, Shchukin and his core team acted as the developers, maintaining the code and the payment infrastructure, while "affiliates" were recruited to perform the actual network intrusions.
Under Shchukin’s leadership, GandCrab became the first ransomware group to achieve a dominant market share through aggressive marketing and rapid technical iteration. The group released five major versions of the malware in less than two years, each designed to evade the latest detection signatures from antivirus vendors. By the time GandCrab announced its "retirement" in May 2019, the group boasted that it had extorted more than $2 billion from victims worldwide. Their farewell message on a Russian-language cybercrime forum was notoriously arrogant, stating, "We are a living proof that you can do evil and get off scot-free."
However, the retirement was short-lived and largely viewed by cybersecurity experts as a rebranding exercise. Shortly after GandCrab’s exit, a new group called REvil (short for Ransomware Evil, also known as Sodinokibi) emerged. It was fronted by the user "UNKNOWN," who established credibility by depositing $1 million in Bitcoin into a forum’s escrow account. Investigators have now confirmed that UNKNOWN was Shchukin, carrying forward the GandCrab legacy with even more sophisticated tactics.
Technical Innovations and Double Extortion
Shchukin is credited with pioneering the "double extortion" technique, a tactic that fundamentally changed the risk profile for businesses. Before REvil, ransomware groups primarily focused on encrypting data and charging for a decryption key. If a company had reliable backups, they could often ignore the ransom.
Under Shchukin’s direction, REvil began exfiltrating sensitive data before triggering the encryption. This allowed the group to demand two separate payments: one for the decryption key and another to prevent the public release of the stolen data on their "Happy Blog" leak site. This shift turned ransomware from a technical recovery issue into a major data breach and PR crisis, forcing many organizations to pay even if their systems were functional.
The BKA investigation highlights that Shchukin’s operations functioned like a legitimate corporate enterprise. The group utilized "Initial Access Brokers" to purchase entry into corporate networks, employed "cryptor" specialists to hide their malware from scanners, and used "tumbler" services to launder their cryptocurrency proceeds. This level of specialization allowed REvil to engage in "big-game hunting," specifically targeting organizations with annual revenues exceeding $100 million and those with comprehensive cyber insurance policies.
A Chronology of the Rise and Fall of REvil
The timeline of Shchukin’s alleged criminal career shows a steady escalation in both technical capability and the scale of targets:

- January 2018: GandCrab is launched, quickly becoming the most prevalent ransomware strain globally.
- May 2019: GandCrab operators announce their retirement, claiming to have earned enough money for a lifetime.
- June 2019: REvil emerges, utilizing much of the same code base as GandCrab. The user UNKN/UNKNOWN becomes the public face of the operation on forums like XSS and Exploit.
- 2020: REvil shifts focus toward large-scale corporate targets, including high-profile legal firms and technology providers.
- July 2021: The Kaseya attack. REvil exploits a vulnerability in Kaseya’s VSA software, allowing the group to encrypt the systems of over 1,500 downstream customers simultaneously. This attack drew the full attention of the White House and the FBI.
- October 2021: REvil’s infrastructure is hijacked by international law enforcement. The FBI reveals it had previously compromised the group’s servers.
- February 2023: The U.S. Department of Justice files for the seizure of cryptocurrency accounts linked to REvil. Documents from this filing first mention Shchukin’s name in connection with a digital wallet containing over $317,000.
- April 2024: The German BKA officially names Shchukin and Kravchuk, releasing their photographs and identifying their roles in the GandCrab and REvil hierarchies.
Investigative Breakthroughs and Digital Footprints
The unmasking of Shchukin was not the result of a single error, but the culmination of years of digital forensics and open-source intelligence (OSINT). While Shchukin was meticulous in his role as UNKN, his earlier activities left a trail. Cyber intelligence firm Intel 471 found links between Shchukin and an older hacker handle, "Ger0in," which was active around 2010. Ger0in was known for operating botnets and selling "installs," a common entry-level role in the cybercrime world that likely provided Shchukin with the foundational knowledge needed to build GandCrab.
A critical piece of the puzzle came from facial recognition technology. Investigators used images from Shchukin’s alleged birthday celebration in Krasnodar in 2023, cross-referencing them with older identification photos. In the social media images, a man identified as "Daniel" is seen wearing a luxury watch that matched descriptions and photos obtained by the BKA. These social media "slips" provided the visual evidence needed to put a face to the UNKN handle.
Official Responses and Legal Challenges
The BKA has issued a public advisory seeking further information on Shchukin and Kravchuk. However, the prospect of an immediate arrest remains slim. Shchukin is believed to be residing in Russia, a country that famously does not extradite its citizens for cybercrimes committed abroad, so long as those crimes do not target Russian interests.
In their advisory, the BKA noted, "Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia. Travel behaviour cannot be ruled out." This suggests that while Shchukin may be safe within Russian borders, he is effectively trapped there. Should he travel to any country with an extradition treaty with Germany or the United States, he would face immediate detention.
The U.S. Department of Justice has also been active in dismantling the financial infrastructure Shchukin built. The seizure of over $300,000 from a wallet directly tied to him is a fraction of the total stolen funds, but it serves as a powerful deterrent and a signal that law enforcement can track "anonymous" cryptocurrency transactions over long periods.
Broader Implications for Global Cybersecurity
The identification of Daniil Maksimovich Shchukin serves as a landmark moment in the fight against ransomware. For years, the leaders of these groups operated with a sense of total anonymity, believing that their technical prowess and geographical location made them untouchable. By naming and shaming Shchukin, the BKA has stripped away the "myth of the ghost" that surrounds high-level cybercriminals.
Furthermore, this case underscores the changing nature of law enforcement cooperation. The ability of German authorities to link a 2023 birthday party in Krasnodar to a 2019 ransomware attack in Berlin demonstrates the power of modern OSINT and international data sharing. It also highlights the "long memory" of law enforcement; even after a group like REvil disappears or rebrands, the investigation into its members continues.
For the private sector, the REvil saga remains a cautionary tale about the importance of supply chain security. The Kaseya hack proved that a single vulnerability in a trusted software provider could lead to a catastrophic "one-to-many" attack. As a direct result of Shchukin’s activities, the cyber insurance industry has drastically tightened its requirements, and many governments have reclassified ransomware as a national security threat rather than a mere economic crime.
As Shchukin remains in Krasnodar, the global security community continues to monitor his associates and the remnants of the REvil infrastructure. While the "UNKN" handle may be retired, the identification of the man behind it ensures that the history of GandCrab and REvil will end not with a boastful farewell, but with a permanent entry in the files of international criminal justice.
