German Police Identify Key Figures Behind REvil Ransomware Group


Germany’s Federal Criminal Police Office has identified key individuals behind the now-defunct REvil ransomware operation, a group once associated with large-scale global cyberattacks and ransom demands.

The agency said the individual known by the alias UNKN, who had acted as a public representative of the group and advertised its ransomware on the XSS cybercrime forum in June 2019, has been identified as Daniil Maksimovich Shchukin, a 31-year-old Russian national. He was also known online by several monikers, including Oneillk2, Oneillk22, and GandCrab. The development was reported by independent security journalist Brian Krebs.

Identities Behind REvil Operation

Authorities also added Anatoly Sergeevitch Kravchuk, a 43-year-old Russian born in Makiivka, Ukraine, to the wanted list, alleging that he served as a developer for REvil during the same period. Shchukin and Kravchuk are suspected of involvement in 130 ransomware attacks across Germany.

Investigators said that 25 of those cases resulted in ransom payments totaling €1.9 million, or approximately $2.19 million. The broader set of incidents is estimated to have caused financial damage exceeding €35.4 million, or about $40.8 million.

Rise and Structure of a Ransomware Network

REvil, also known as Sodinokibi and previously associated with the GandCrab ransomware lineage, was described as one of the more prolific ransomware groups, targeting companies including JBS and Kaseya. The group operated under a ransomware-as-a-service model, allowing affiliates to deploy its tools in exchange for a share of proceeds.

According to statements attributed to UNKN in a March 2021 interview with Recorded Future’s Dmitry Smilyanets, the individual had been active in ransomware operations since 2007 and at one point oversaw as many as 60 affiliates. In the same account, he described a childhood marked by poverty, recounting periods of hunger and hardship before later achieving financial success.

Collapse and Law Enforcement Action

The group’s operations began to unravel in mid-2021, when its online infrastructure went offline in July, only to briefly resurface two months later. By October 2021, REvil had ceased operations, and its data leak site became inaccessible as part of a law enforcement effort.

Subsequent actions followed across multiple jurisdictions. Romanian authorities announced the arrest of two individuals linked to the group. In January 2022, Russia’s Federal Security Service disclosed that it had detained several REvil members and neutralized the group’s activities. Four members were later sentenced to several years in prison in October 2024, according to the Russian publication Kommersant.

German authorities said the suspects had acted as leaders within one of the largest global ransomware groups, demanding substantial payments in exchange for decrypting systems and withholding stolen data.
