German authorities identify REvil and GandCrab ransomware bosses
Source: Bleeping Computer

Investigation by German Federal Police
The Federal Police in Germany (BKA) identified two Russian nationals as the leaders of the GandCrab and REvil ransomware operations from at least the beginning of 2019 until July 2021.
- Daniil Maksimovich Shchukin, 31 years old – known online as UNKN/UNKNOWN.
- Anatoly Sergeevitsch Kravchuk, 43 years old.
Shchukin posted on cyber‑crime forums and acted as a spokesperson for the ransomware operation. The authorities say the two participated in at least 130 extortion cases targeting German companies. At least 25 victims paid a total of $2.2 million in ransom, while the overall financial damage is estimated at over $40 million.
GandCrab ransomware
GandCrab began distribution in early 2018. Its leader announced retirement in June 2019 after claiming $2 billion in ransom payments, though only $150 million was reportedly cashed out and invested in legitimate businesses.
[Image: GandCrab leader announces retirement. Source: BleepingComputer]
REvil (Sodinokibi) ransomware
Following GandCrab’s shutdown, a new operation called REvil (also known as Sodinokibi) emerged, adopting the affiliate model pioneered by GandCrab. Former GandCrab affiliates and operators formed REvil, later adding public leak sites and data‑auction services to pressure victims.
Notable REvil victims include:
- Multiple local governments in Texas
- Computer giant Acer
- The Kaseya supply-chain attack, affecting roughly 1,500 downstream businesses
After the massive Kaseya hack, REvil paused operations for two months. During that time, law-enforcement agencies breached their servers and began monitoring the group. Several infrastructure disruptions were recorded, and in mid-January 2022 Russia arrested more than a dozen REvil members, who were later released in 2025 after serving time on carding charges.
Legal actions and current status
It remains unclear whether Shchukin or Kravchuk joined other ransomware operations after REvil’s apparent demise in 2021. BKA believes both are currently in Russia and has asked the public to share any information that could lead to their whereabouts. Their entries also appear on the EU’s Most Wanted portal.
The police released several images, including tattoo photos, to aid in locating the two threat actors.