Germany doxes Russian ransomware leader UNKN, revealing the true identity behind the notorious GandCrab and REvil cybercrime syndicates. Authorities in Germany have identified Daniil Maksimovich Shchukin, a 31-year-old Russian, as the mastermind behind at least 130 acts of computer sabotage and extortion across the country between 2019 and 2021.
The German Federal Criminal Police (Bundeskriminalamt or BKA) officially named Shchukin, also known as UNKNOWN, in a recent advisory. Alongside 43-year-old Anatoly Sergeevitsch Kravchuk, Shchukin is accused of extorting nearly €2 million through two dozen cyberattacks, inflicting economic damages exceeding €35 million. This unprecedented unmasking sheds critical light on the individuals driving global cyber threats, particularly those targeting financial institutions and major corporations.
The Evolution of GandCrab and REvil Ransomware
Shchukin’s alleged role as the head of GandCrab and REvil signifies his central position in shaping modern ransomware tactics. These groups were pioneers of ‘double extortion,’ a menacing strategy where victims pay not only for a decryption key but also a separate fee to prevent the publication of their stolen sensitive data. This innovation dramatically increased the pressure on compromised entities, often forcing their hand to pay substantial ransoms.
The GandCrab ransomware affiliate program emerged in January 2018, offering significant profit shares to hackers who successfully breached major corporations. The group continuously refined its malware, releasing five major revisions with advanced features designed to circumvent cybersecurity defenses. Their audacious farewell message in May 2019, claiming over $2 billion in extorted funds and boasting about escaping justice, sent shockwaves through the cybersecurity community.
“We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year.”
Shortly after GandCrab’s supposed demise, the REvil ransomware affiliate program materialized, spearheaded by a user named UNKNOWN who made a $1 million escrow deposit on a Russian cybercrime forum to establish credibility. Many cybersecurity experts quickly concluded that REvil was essentially a rebranding or reorganization of GandCrab, maintaining the same aggressive and sophisticated modus operandi. This transition underscored the adaptability and persistence of these cybercrime networks.
UNKN’s Rags-to-Riches Narrative and Strategic Operations
In an interview with Dmitry Smilyanets of Recorded Future, UNKNOWN painted a vivid picture of a ruthless rags-to-riches journey, devoid of ethical constraints. “As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN recounted, describing a childhood of extreme poverty that fueled an insatiable drive for wealth. “Now I am a millionaire.” This personal narrative, while stark, highlights the motivations that often underpin high-stakes cybercrime.
The authors of “The Ransomware Hunting Team,” Renee Dudley and Daniel Golden, detailed how UNKNOWN and REvil strategically reinvested their illicit gains, mirroring legitimate business practices to enhance their operations. This included hiring specialists, improving ransomware quality, and outsourcing tasks like ‘cryptor’ services to evade anti-malware detection and ‘initial access brokerages’ to acquire network vulnerabilities. Bitcoin ‘tumblers’ were also employed to launder ransom payments, creating a sophisticated ecosystem of criminal enterprise. This professionalization of cybercrime illustrates the significant threat these groups pose to global financial stability.
REvil quickly evolved into a formidable ‘big-game-hunting’ machine, specifically targeting organizations with over $100 million in annual revenues and robust cyber insurance policies known for payouts. A notable attack occurred in July 2021, when REvil compromised Kaseya, a company managing IT operations for over 1,500 businesses. The FBI’s subsequent infiltration of REvil’s servers and the release of a free decryption key dealt a significant blow, from which the group never fully recovered, marking a turning point in the fight against this particular syndicate.
The Investigation and Future Implications for Cybercrime
Shchukin, believed to reside in Krasnodar, Russia, faces international scrutiny following the BKA’s announcement. While direct links between Shchukin and UNKNOWN’s online personas are still being solidified, cyber intelligence firm Intel 471 noted connections between Shchukin and a hacker identity named “Ger0in,” active in 2010-2011, who operated large botnets and sold ‘installs’ for malware deployment. This connection, though predating UNKNOWN’s prominence, suggests a long-standing involvement in cybercriminal activities.
The unmasking of Germany doxes Russian ransomware leader UNKN represents a significant victory for international law enforcement. It underscores a growing trend of authorities successfully penetrating the anonymity of the dark web to identify and prosecute high-profile cybercriminals. This development sends a strong message to other ransomware operators that their illicit activities will not go unpunished, potentially deterring future attacks and enhancing global cybersecurity efforts. The financial sector, in particular, will be watching closely for the ripple effects of this critical breakthrough.




