Authorities Unmask Alleged Mastermind Behind Notorious Ransomware Gangs GandCrab and REvil

Published: 2026-05-04 03:27:37 | Category: Cybersecurity

Unveiling a Cybercrime Kingpin

For years, the handle UNKN (or UNKNOWN) was synonymous with some of the most devastating ransomware operations in recent history. Now, German authorities have put a real name and face to that elusive nickname. According to an advisory from the German Federal Criminal Police (Bundeskriminalamt, or BKA), the mastermind is Daniil Maksimovich Shchukin, a 31-year-old Russian national. He is alleged to have led both the GandCrab and REvil ransomware syndicates, orchestrating a spree of digital extortion that wreaked havoc across Germany and beyond.

Source: krebsonsecurity.com

Alongside Shchukin, the BKA also named Anatoly Sergeevitsch Kravchuk, 43, also Russian, as a co-conspirator. The pair is accused of executing at least 130 acts of computer sabotage and extortion between 2019 and 2021, extorting nearly €2 million in ransom payments and causing total economic damages exceeding €35 million.

The BKA Advisory: Details and Charges

The BKA’s public identification of Shchukin marks a significant breakthrough in the fight against ransomware. The advisory described Shchukin as the head of two of the largest ransomware operations globally. These groups pioneered double extortion—a ruthless tactic where victims are charged once for a decryption key to unlock their systems and a second time to prevent the publication of stolen sensitive data.

Shchukin’s alleged role included overseeing the development and deployment of ransomware variants, managing the affiliate network, and coordinating attacks. The BKA statement emphasized that these activities targeted numerous German entities, causing widespread disruption to critical infrastructure and businesses.

From GandCrab to REvil: A Cybercrime Evolution

The Rise of GandCrab

The GandCrab ransomware affiliate program first appeared in January 2018. It offered hackers a lucrative business model: affiliates would infiltrate corporate networks, often via compromised credentials or phishing, and the GandCrab team would then expand access, exfiltrating vast troves of sensitive documents. The malware underwent five major revisions, each adding evasion techniques to thwart cybersecurity firms.

By May 31, 2019, the group boasted having extorted more than $2 billion from victims globally. In a notorious farewell message, the gang declared: “We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year.”

REvil: A Rebranded Menace

Coinciding with GandCrab’s shutdown, a new threat emerged: REvil (also known as Sodinokibi). It was introduced on a Russian cybercrime forum by a user named UNKNOWN, who deposited $1 million in escrow to demonstrate credibility. Many cybersecurity experts immediately recognized REvil as a reincarnation of GandCrab, sharing code and operational tactics.

UNKNOWN even granted an interview to Dmitry Smilyanets, a former hacker turned security researcher, further cementing the connection. The gang quickly became infamous for high-profile attacks, including the supply chain breach that paralyzed hundreds of organizations worldwide.

Financial Trail and International Cooperation

Shchukin’s name surfaced earlier in a February 2023 filing by the U.S. Department of Justice. That document sought the seizure of cryptocurrency accounts linked to REvil ransom proceeds. The government identified one digital wallet tied to Shchukin that contained over $317,000 in illicit funds.

This collaboration between German and U.S. authorities underscores the global effort to dismantle ransomware operations. The BKA’s ability to link Shchukin to the UNKN alias provides law enforcement with a concrete target for prosecution and asset recovery.

Implications for Cybersecurity and the Ransomware Ecosystem

The unmasking of Shchukin sends a strong message: even the most careful cybercriminals can be identified and held accountable. However, the ransomware-as-a-service (RaaS) model that GandCrab and REvil perfected continues to thrive. Affiliates often remain in the shadows, while core leaders like Shchukin face increasing scrutiny.

For organizations, this case highlights the importance of robust cybersecurity measures, including:

  • Regular backups stored offline to mitigate ransomware impact.
  • Employee training to recognize phishing attempts.
  • Network segmentation to limit lateral movement by attackers.
  • Incident response plans to quickly contain breaches.

The financial and reputational damage from ransomware can be catastrophic. While the arrest of key figures disrupts operations, new groups often fill the void. Continued vigilance and international cooperation remain essential.

Conclusion: A Step Forward, but the Battle Continues

The identification of Daniil Shchukin as UNKN is a landmark victory for law enforcement, bringing a face to one of the most damaging ransomware enterprises. Yet the broader ransomware ecosystem remains resilient. The GandCrab and REvil operations may have ended, but their legacy lives on in countless copycat groups.

As authorities seize assets and issue indictments, the cybercrime community adapts. For now, the BKA has struck a blow against impunity—a reminder that no hacker is truly invisible.