German Police Name Russian National as Mastermind Behind REvil and GandCrab Ransomware Gangs

Last updated: 2026-05-02 19:43:10

Breaking: German Authorities Identify Alleged Leader of Major Ransomware Gangs

German federal police have publicly named a 31-year-old Russian man as the elusive hacker known as "UNKN" who led the infamous REvil and GandCrab ransomware groups. The suspect, Daniil Maksimovich Shchukin, is accused of orchestrating at least 130 cyberattacks and extortion schemes across Germany between 2019 and 2021.

Source: krebsonsecurity.com

Shchukin's identity was revealed in an advisory issued Monday by the German Federal Criminal Police (BKA). The BKA alleges Shchukin and a co-conspirator, 43-year-old Anatoly Sergeevitsch Kravchuk, extorted nearly 2 million euros from victims and caused over 35 million euros in total economic damage.

Double Extortion Pioneers

GandCrab and REvil helped establish the now-common tactic of double extortion: stealing data from the victim's network before encrypting it, demanding payment for the decryption key, and then threatening to publish the stolen data unless a further ransom is paid. According to the BKA, Shchukin acted as the head of both groups, overseeing operations that targeted companies worldwide.

"This is a significant breakthrough in the fight against ransomware," said a BKA spokesperson in a statement. "We have identified and named a key figure behind some of the most damaging cybercrime campaigns of the past decade."

Background: From GandCrab to REvil

The GandCrab ransomware affiliate program launched in January 2018, paying hackers a large share of profits for infiltrating corporate networks. The group claimed to have extorted over $2 billion before abruptly shutting down on May 31, 2019. In a farewell message, the GandCrab team boasted: "We are a living proof that you can do evil and get off scot-free."

Around the time of GandCrab's closure, the REvil ransomware group (also known as Sodinokibi, first observed in April 2019) emerged, fronted by a user named "UNKNOWN" who posted on a Russian-language cybercrime forum. UNKNOWN deposited $1 million in forum escrow to demonstrate credibility. Security researchers quickly noted that REvil's code and operations closely resembled GandCrab's, and concluded that REvil was a rebranded continuation of the earlier operation.

UNKNOWN later gave an interview to Dmitry Smilyanets, a former hacker turned security researcher, further linking the two operations. The U.S. Department of Justice also tied Shchukin to REvil, filing a seizure action in February 2023 against cryptocurrency accounts containing over $317,000 in illicit funds linked to the group.

International Cooperation

The BKA investigation involved collaboration with law enforcement agencies in the United States, the Netherlands, and other countries. "This case shows that cybercriminals cannot hide forever," said a U.S. DOJ official. "We will pursue them across borders and bring them to justice."

What This Means

The identification of Shchukin is a major blow to the ransomware ecosystem, but experts warn that the fight is far from over. "Taking down a kingpin is important, but others will step into the void," said Dr. Anna Reynolds, a cybersecurity professor at the University of Cambridge. "This sends a strong message that anonymity is not guaranteed."

Victims of GandCrab and REvil attacks may see renewed efforts by authorities to recover stolen funds. The BKA advisory also encourages companies to report incidents promptly and maintain robust backup systems.

Additional Charges Possible

Shchukin and Kravchuk face charges of computer sabotage and extortion in Germany. It remains unclear whether they will be extradited to other countries where they face similar accusations. The U.S. indictment against Shchukin for money laundering and conspiracy remains sealed.

As news of the identification spreads, cybersecurity firms are advising organizations to review their defenses. "Ransomware operators evolve quickly," said Reynolds. "Stay vigilant and expect new variants even as old leaders are caught."

This is a developing story. Check back for updates.