COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.
Germany Doxes "UNKN," Head of RU Ransomware Gangs REvil, GandCrab

German authorities have publicly identified the elusive "UNKN," the operator behind the GandCrab and REvil ransomware groups, as 31-year-old Russian national Daniil Maksimovich Shchukin, who allegedly orchestrated at least 130 acts of computer sabotage against victims worldwide.

Dylan H., News Desk
April 5, 2026 · 4 min read

German law enforcement has publicly unmasked one of cybercrime's most enduring mysteries: the identity of "UNKN," the prolific operator who ran both GandCrab and its successor REvil — two of the most destructive and profitable ransomware operations in history.

Authorities in Germany have identified UNKN as Daniil Maksimovich Shchukin, a 31-year-old Russian national, and publicly attributed to him at least 130 acts of computer sabotage targeting organizations around the world.

Who Is UNKN?

Within the Russian-speaking cybercriminal underground, "UNKN" was a dominant and feared figure. The handle first emerged prominently in association with GandCrab, a Ransomware-as-a-Service (RaaS) operation that launched in January 2018 and rapidly became one of the most prolific ransomware platforms of its era.

GandCrab's operators announced a voluntary shutdown in May–June 2019, claiming to have extorted over $2 billion in ransom payments from victims. Shortly after GandCrab's closure, a new RaaS platform called REvil (also known as Sodinokibi) emerged and quickly dominated the ransomware landscape, widely believed to be a direct evolution of GandCrab's operation — with many of the same affiliates, infrastructure, and leadership structure.

UNKN served as one of REvil's most visible public-facing representatives, frequently posting in Russian underground forums to recruit affiliates, negotiate with security researchers, and manage the group's public brand.

The Attribution

German investigators worked to pierce the layers of operational security that UNKN and the broader REvil operation maintained over years of activity. The doxing — the public release of Shchukin's identity — represents a major intelligence achievement, as REvil took extensive precautions to conceal the identities of its core members.

Key details from the German attribution:

  • Full name: Daniil Maksimovich Shchukin
  • Age: 31
  • Nationality: Russian
  • Alleged crimes: At minimum 130 documented acts of computer sabotage
  • Roles: Operator and public representative of GandCrab and REvil RaaS platforms

The Rise and Fall of REvil

REvil became notorious for a string of high-profile attacks, including:

  • Kaseya VSA supply chain attack (July 2021) — Compromised a managed service provider platform to push ransomware to approximately 1,500 businesses simultaneously, demanding a $70 million ransom
  • JBS Foods attack (June 2021) — Forced the world's largest meat processing company to pay $11 million in ransom after operations were disrupted across North America and Australia
  • Quanta Computer (April 2021) — Targeted an Apple supplier and threatened to release schematics for unreleased Apple products

In January 2022, Russian authorities announced the arrest of 14 REvil members following a rare instance of US-Russia law enforcement cooperation, seizing millions in cryptocurrency and equipment. However, most of those arrested were lower-level affiliates, and key figures, including UNKN, remained unidentified at that time.

Implications of the Public Identification

Germany's decision to publicly name Shchukin — rather than simply pursuing quiet extradition requests — signals a shift in law enforcement strategy toward naming and shaming ransomware operators, even when direct arrests are unlikely given Russia's non-extradition posture.

This approach serves several purposes:

  1. Degrade trust in the underground ecosystem — Other cybercriminals become aware that long-term anonymity is not guaranteed
  2. Restrict travel and financial operations — Public identification and likely sanctions listings make it harder for named individuals to operate internationally
  3. Pressure Russia diplomatically — Public attribution creates an official record used in diplomatic discussions about Russia's tolerance of ransomware actors operating within its borders
  4. Enable asset seizure — International partners can use the identification to freeze or seize cryptocurrency wallets and other assets linked to the named individual

What Happened to REvil?

Following the January 2022 FSB raids and subsequent international pressure, REvil largely went dark. The group's leak site went offline, and activity attributed to REvil tapered significantly. However, researchers have observed former REvil affiliates migrating to other ransomware platforms including BlackCat/ALPHV, LockBit, and BlackMatter — demonstrating that disrupting a RaaS operation disperses rather than eliminates the threat actors involved.

Source: KrebsOnSecurity

Tags: #Ransomware #Russia #KrebsOnSecurity #Cybercrime #REvil #GandCrab