it

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

Published: (April 5, 2026 at 10:07 PM EDT)
6 min read
Source: Krebs on Security

Source: Krebs on Security

Overview

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31‑year‑old Russian Daniil Maksimovich Shchukin headed both cyber‑crime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the Bundeskriminalamt or BKA). The BKA said Shchukin and another Russian — 43‑year‑old Anatoly Sergeevich Kravchuk — extorted nearly €2 million across two dozen cyber‑attacks that caused more than €35 million in total economic damage.

Daniil Maksimovich Shchukin (a.k.a. UNKN) and Anatoly Sergeevich Kravchuk, alleged leaders of the GandCrab and REvil ransomware groups.

Germany’s BKA said Shchukin acted as the head of one of the largest worldwide‑operating ransomware groups, GandCrab and REvil, which pioneered the practice of double extortion—charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

Shchukin’s name appeared in a Feb. 2023 filing from the U.S. Department of Justice seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill‑gotten cryptocurrency.

GandCrab

  • The GandCrab ransomware affiliate program first surfaced in January 2018, paying enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.
  • The GandCrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.
  • The malware’s curators shipped five major revisions to the GandCrab code, each adding new features and bug fixes aimed at thwarting the efforts of computer‑security firms.

On May 31, 2019, the GandCrab team announced that the group was shutting down after extorting more than $2 billion from victims. Their farewell address famously quipped:

“We are a living proof that you can do evil and get off scot‑free.
We have proved that one can make a lifetime of money in one year.
We have proved that you can become number one by general admission, not in your own conceit.”

REvil

  • The REvil ransomware affiliate program materialized around the same time as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cyber‑crime forum that he’d deposited $1 million in the forum’s escrow to show he meant business.
  • By this time, many cybersecurity experts had concluded that REvil was little more than a reorganization of GandCrab.

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein he described a rags‑to‑riches tale unencumbered by ethics and morals:

“As a child, I scrounged through the trash heaps and smoked cigarette butts.
I walked 10 km one way to the school. I wore the same clothes for six months.
In my youth, in a communal apartment, I didn’t eat for two or even three days.
Now I am a millionaire.

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:

“Just as a real‑world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware.
The higher‑quality ransomware— which, in many cases, the Hunting Team could not break— resulted in more and higher payouts from victims.
The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”

“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support.
Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti‑malware scanners.
‘Initial‑access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates.
Bitcoin ‘tumblers’ offered discounts to gangs that used them as a preferred vendor for laundering ransom payments.
Some contractors were open to working with any gang, while others entered exclusive partnerships.”

REvil evolved into a feared “big‑game‑hunting” machine capable of extracting hefty extortion payments from victims, largely targeting organizations with more than $100 million in annual revenues and generous cyber‑insurance policies known to pay out.

Over the July 4, 2021 weekend in the United States… REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits, and government agencies. The FBI later announced they had infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.

Investigation Details

Shchukin is from Krasnodar, Russia, and is thought to reside there, the BKA said.

“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”

There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. However, a review of the Russian crime forums indexed by the cyber‑intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.

A review of the mugshots released by the BKA at the image‑comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.


Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.

This entry was posted on Sunday 5th of April 2026 10:07 PM

Categories:
A Little SunshineNe’er‑Do‑Well NewsRansomwareWeb Fraud 2.0

Tags:
Anatoly Sergeevitsch KravchukDaniel GoldenDaniil Maksimovich ShchukinDmitry SmilyanetsGandCrabGer0inGerman Federal Criminal PoliceIntel 471Recorded FutureRenee DudleyrEvilUNKN

0 views
#ransomware #REvil #GandCrab #UNKN #cybercrime #Germany #BKA #extortion #malware
View source
Share:
Back to Blog

Related posts

Read more »