Germany's Federal Criminal Police Office — the Bundeskriminalamt (BKA) — has officially unmasked the core leadership of one of cybercrime's most feared and lucrative ransomware enterprises, publicly attributing the REvil (Sodinokibi) and GandCrab Ransomware-as-a-Service operations to identified Russian nationals following a years-long investigation.
The German authorities linked these threat actors to at least 130 documented acts of computer sabotage directed against victims in Germany, with the broader global victim count running into the thousands.
The Attribution: Unmasking "UNKN"
At the center of the BKA's attribution is the alias "UNKN" — a dominant figure in the Russian-language cybercriminal underground who served as a key operator and public-facing representative for both GandCrab and its direct successor, REvil.
UNKN was notorious on dark web forums for recruiting affiliates, mediating disputes, and managing the public brand of the REvil RaaS platform. Despite years of high-profile attacks and significant law enforcement attention, UNKN had maintained anonymity — until now.
German investigators successfully pierced the operational security layers maintained by the operators, culminating in the public identification announced by the BKA.
REvil and GandCrab: A Criminal Enterprise at Scale
GandCrab launched in January 2018 and rapidly became the dominant ransomware platform of its era, generating hundreds of millions of dollars in ransom revenue before its operators announced a voluntary shutdown in mid-2019, claiming at the time to have extracted over $2 billion from victims globally.
The closure of GandCrab was immediately followed by the emergence of REvil (Sodinokibi), which carried over much of the same infrastructure, affiliate network, and leadership structure. REvil quickly matched and surpassed GandCrab's scale, executing some of the most disruptive ransomware campaigns on record:
- Kaseya VSA supply chain attack (July 2021) — Leveraged a zero-day in Kaseya's IT management platform to push ransomware to approximately 1,500 businesses worldwide simultaneously, with a $70 million ransom demand — the largest on record at the time
- JBS Foods (June 2021) — Forced the world's largest meat processing company to pay $11 million after operations were paralyzed across North America and Australia
- Quanta Computer (April 2021) — Targeted an Apple supply chain partner and threatened to publish schematics for unreleased Apple products unless a ransom was paid
- Travelex — Encrypted the foreign currency exchange firm's global network, causing weeks of operational disruption
At its peak, REvil was responsible for a significant share of global ransomware incidents, with affiliates targeting healthcare, critical infrastructure, financial services, and manufacturing sectors.
The BKA's Investigative Achievement
Identifying the individuals behind a sophisticated RaaS operation of this scale is a significant intelligence and law enforcement milestone. REvil's operators employed extensive operational security measures, including:
- Cryptocurrency payment channels with multiple obfuscation layers
- Communication exclusively through encrypted forums and dark web infrastructure
- Distributed affiliate networks designed to insulate core operators from direct exposure
- No-Russia policy — explicitly prohibiting attacks on CIS (Commonwealth of Independent States) countries to avoid domestic prosecution
The BKA's investigation involved multi-year intelligence gathering, analysis of blockchain transaction patterns, cooperation with international partners including Europol and the FBI, and likely signals intelligence, which together enabled the identification of the real-world individuals behind the pseudonymous operator personas.
Strategic Implications of Public Attribution
Germany's decision to publicly name and identify the individuals — rather than pursue quiet extradition requests alone — reflects a deliberate strategic shift in Western law enforcement's approach to ransomware:
Deterrence Through Exposure
Public attribution signals to other ransomware operators that long-term anonymity is not guaranteed, even for actors who have operated for years behind sophisticated OPSEC.
Restricting Operational Freedom
Named individuals face international travel restrictions, asset freezing, and financial surveillance that limit their ability to operate, cash out cryptocurrency, or move internationally.
Diplomatic Pressure
Official public attribution creates a formal record used in diplomatic negotiations with Russia regarding its tolerance — and some allege, tacit support — of ransomware actors operating from within its borders.
Enabling Partner Action
International partners including the US, EU member states, and allied intelligence agencies can use the identification to pursue concurrent sanctions designations, asset seizures, and further intelligence operations against the individuals and their known associates.
The Aftermath of REvil's Disruption
In January 2022, Russian authorities announced the arrest of 14 alleged REvil members following coordinated US-Russia law enforcement cooperation — a rare instance of Russian domestic action against cybercriminals. However, most of those arrested were lower-level affiliates. Key leadership figures including UNKN remained publicly unidentified at that time.
Following the raids, REvil activity largely collapsed. The group's public-facing leak site went dark, and ransomware researchers observed former REvil affiliates dispersing to competing platforms including BlackCat/ALPHV, LockBit 3.0, and Clop — demonstrating a familiar pattern in which disrupting a RaaS infrastructure disperses rather than eliminates the underlying threat actor pool.
The BKA's current attribution links those same core operators to a continued pattern of offenses and establishes an official legal record for eventual prosecution, extradition proceedings, or further coordinated international action.
Connection to the April 5 KrebsOnSecurity Report
This announcement from Germany's BKA expands on a related report published on April 5 by KrebsOnSecurity, which first identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as UNKN — the same alias referenced in the BKA's official attribution. The BKA's public communication adds the official law enforcement dimension, formalizing the identification and placing it into the context of specific criminal charges related to attacks on German victims.
Sources: The Hacker News, BKA (Bundeskriminalamt), KrebsOnSecurity