Germany's Bundeskriminalamt (BKA) — the Federal Criminal Police Office — has publicly named two Russian nationals as the operational leaders of both the GandCrab and REvil (Sodinokibi) ransomware-as-a-service platforms, formally attributing some of the most damaging cybercrime campaigns of the 2019–2021 era to identified individuals.
The attribution links the pair to a minimum of 130 documented extortion cases against German organizations, with total estimated financial damages exceeding $40 million — and a far broader global victim tally stretching into the thousands.
The Identified Suspects
German authorities publicly named:
- Daniil Maksimovich Shchukin, age 31, known online as "UNKN" or "UNKNOWN" — the dominant public-facing operator of both GandCrab and REvil, recognized in cybercrime forums as the official representative and affiliate liaison for the ransomware platforms
- Anatoly Sergeevitsch Kravchuk, age 43 — a co-leader who managed operational aspects of the criminal enterprise
Both individuals are believed to be residing in Russia, which does not extradite its citizens to Western jurisdictions under normal circumstances. The BKA published photographs of both suspects — including tattoo photos intended to aid physical identification — and added their profiles to the EU's Most Wanted portal.
A Criminal Enterprise at Scale
GandCrab debuted in January 2018 and rapidly dominated the ransomware-as-a-service landscape. At its peak, it was responsible for an estimated 40% of global ransomware infections and generated hundreds of millions in extortion revenue. In mid-2019, its operators publicly announced a voluntary shutdown, claiming to have collected over $2 billion from victims worldwide.
The closure of GandCrab was essentially a rebranding exercise. REvil (Sodinokibi) emerged almost immediately after, inheriting GandCrab's infrastructure, affiliate network, and in many cases the same operational leadership — with Shchukin's "UNKN" alias continuing to manage the platform's public presence.
Under REvil, the operation escalated to some of the most audacious ransomware campaigns on record:
- Kaseya VSA Supply Chain Attack (July 2021) — A zero-day in Kaseya's IT management platform was weaponized to simultaneously push ransomware to approximately 1,500 businesses across the globe, with a $70 million ransom demand — the largest single ransomware demand on record at the time
- JBS Foods (June 2021) — The world's largest meat processing company was forced to pay $11 million after ransomware paralyzed operations across North America and Australia
- Quanta Computer (April 2021) — An Apple supply chain partner was targeted and threatened with publication of schematics for unreleased Apple products
- Travelex — The foreign currency exchange firm's global network was encrypted, causing weeks of operational disruption
In German cases alone, 25 confirmed victims paid approximately $2.2 million in ransom payments.
The BKA Investigation
Attributing the real identities behind a mature RaaS operation requires overcoming formidable operational security measures. REvil's leadership employed:
- Layered cryptocurrency obfuscation for payment processing
- Exclusive communication through dark web forums and encrypted channels
- Distributed affiliate networks designed to insulate core operators from direct exposure
- Strict prohibition on targeting CIS countries, limiting domestic law enforcement pressure
The BKA's multi-year investigation leveraged international intelligence sharing with Europol, the FBI, and partner agencies, alongside blockchain transaction analysis and signals intelligence to pierce the anonymity layers maintained by Shchukin and Kravchuk.
Why Public Attribution Matters
Germany's decision to publicly identify the individuals — rather than pursue quiet extradition requests that Russia would reject — reflects a deliberate strategic posture adopted across Western law enforcement:
Deterrence through exposure: Public attribution signals to the ransomware ecosystem that even long-running, sophisticated operators are not guaranteed permanent anonymity. The longer an operation runs, the more opportunity investigators have to accumulate identifying evidence.
Restricting freedom of movement: Named individuals face asset monitoring, international travel restrictions, and financial scrutiny that constrain their ability to operate, cash out cryptocurrency holdings, or expand criminal activities.
Enabling concurrent action: The formal identification enables partner nations to pursue simultaneous sanctions designations, asset seizures, and auxiliary intelligence operations against the individuals and their known networks.
Creating a permanent legal record: Even without immediate arrest, formal charges establish a prosecutable record that can be activated if the individuals ever travel to a jurisdiction with extradition agreements.
REvil's Aftermath
In January 2022, Russian authorities announced the arrest of 14 alleged REvil members — a rare instance of domestic Russian action against cybercriminals that followed intense US diplomatic pressure. However, most of those arrested were lower-level affiliates. Core leadership, including "UNKN", remained publicly unidentified until the BKA's current attribution.
Following the 2022 raids, REvil activity collapsed. Former affiliates dispersed to competing platforms including BlackCat/ALPHV, LockBit 3.0, and Clop — demonstrating the familiar pattern in which disrupting a ransomware infrastructure disperses rather than eliminates the underlying criminal talent pool.
The BKA's public identification adds formal law enforcement legitimacy to prior investigative reporting, including a KrebsOnSecurity analysis published April 5, 2026 that first publicly identified Shchukin as "UNKN."
Sources: BleepingComputer, Bundeskriminalamt (BKA), KrebsOnSecurity, Europol