Germany has publicly identified the alleged operator behind one of the most infamous ransomware ecosystems, marking a significant development in the global fight against organized cybercrime.
The German Federal Criminal Police Office (BKA) has named 31-year-old Russian national Daniil Maksimovich Shchukin as the individual operating under the alias “UNKN,” a figure long associated with the GandCrab and REvil ransomware groups.
The attribution, based on extensive investigations, provides rare insight into the leadership structure of two operations that reshaped the modern ransomware landscape.
According to authorities, Shchukin worked closely with 43-year-old Anatoly Sergeevitsch Kravchuk, coordinating at least 130 cyberattacks targeting organizations across Germany between 2019 and 2021.
These campaigns reportedly generated approximately €2 million in ransom payments while inflicting more than €35 million in broader economic damage through operational disruption and recovery costs.
Under Shchukin’s alleged leadership, GandCrab and its successor REvil pioneered the now widely adopted “double extortion” model.
This approach significantly increased pressure on victims by combining two tactics: encrypting critical systems to halt operations and exfiltrating sensitive data for use as additional leverage.
Victims were forced to pay not only for decryption keys but also to prevent public data leaks, dramatically improving attackers’ success rates.
GandCrab first emerged in early 2018 as a Ransomware-as-a-Service (RaaS) platform, allowing affiliates to deploy the malware in exchange for a share of ransom profits.
This scalable, franchise-like model accelerated adoption among cybercriminals. When GandCrab abruptly shut down in 2019, claiming over $2 billion in illicit earnings, REvil quickly appeared, reusing much of the same infrastructure, tooling, and affiliate network.
Security researchers widely viewed REvil as a direct evolution rather than a new operation.
REvil operated with a level of organization comparable to a legitimate enterprise. The group reinvested profits into development and outsourced key functions within the cybercriminal ecosystem.
Initial network access was often purchased from specialized brokers, while financial flows were handled by professional money launderers.
This division of labor enabled core developers to focus on refining encryption techniques designed to evade detection by traditional security tools.
The group also adopted a “big-game hunting” strategy, targeting large enterprises with substantial financial resources and cyber insurance coverage.
One of the most damaging incidents attributed to REvil occurred during the July 4 weekend in 2021, when attackers compromised Kaseya, a widely used IT management platform.
The resulting supply chain attack disrupted more than 1,500 businesses globally, underscoring the systemic risk posed by ransomware groups targeting service providers.
However, this high-profile campaign contributed to REvil’s eventual downfall. Law enforcement agencies, including the FBI, managed to infiltrate the group’s infrastructure and obtain decryption keys, which were later distributed to victims.
The operation significantly weakened REvil’s capabilities and marked a turning point in coordinated international responses to ransomware.
Despite the identification of Shchukin, enforcement challenges remain. German authorities believe he is currently residing in Krasnodar, Russia, placing him beyond the immediate reach of extradition.
Nevertheless, financial disruption efforts continue. In 2023, the U.S. Department of Justice seized more than $317,000 in cryptocurrency linked to wallets allegedly controlled by Shchukin.
The unmasking of “UNKN” highlights both progress and limitations in combating transnational cybercrime, where attribution is improving but jurisdictional barriers still hinder prosecution.