
German Authorities Identify Mastermind Behind GandCrab and REvil Ransomware Gangs

German BKA identifies Daniil Maksimovich Shchukin as leader of GandCrab and REvil ransomware gangs, responsible for extensive cyber extortion causing millions in damages.

Sondizi · 2026-05-02 10:52:49 · Cybersecurity

The shadowy figure known as UNKN, a key architect of the notorious GandCrab and REvil ransomware operations, has finally been unmasked. German law enforcement agencies have named Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the orchestrator behind these cybercrime syndicates. According to the Bundeskriminalamt (BKA), Shchukin and his accomplices carried out at least 130 acts of computer sabotage and extortion against victims in Germany between 2019 and 2021, collecting nearly 2 million euros in ransom payments from more than two dozen attacks and causing total economic damages exceeding 35 million euros.

Unmasking the Elusive Hacker: Daniil Maksimovich Shchukin

For years, the person behind the moniker UNKN (also known as UNKNOWN) remained a mystery to cybersecurity experts. The BKA’s recent advisory finally put a name and a face to the alias. Shchukin, along with his alleged co-conspirator Anatoly Sergeevitsch Kravchuk (43), is accused of leading two of the most prolific ransomware groups in history. The BKA stated that Shchukin acted as the head of both GandCrab and REvil, which pioneered the double extortion technique: demanding a ransom for decryption keys and an additional payment to prevent the release of stolen data.

German Authorities Identify Mastermind Behind GandCrab and REvil Ransomware Gangs
Source: krebsonsecurity.com

The Rise of GandCrab and REvil

GandCrab first emerged in January 2018 as an affiliate program that recruited other hackers to breach corporate networks. These affiliates received a substantial share of the profits after infiltrating systems, often exfiltrating sensitive documents and internal data. The creators continuously updated the malware through five major versions, each introducing new stealth capabilities and fixes to evade security software.

By May 31, 2019, the GandCrab team announced they were shutting down after allegedly extorting more than $2 billion from victims. In a farewell statement, they boldly declared: “We are living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year.” Shortly after GandCrab’s demise, a user named UNKNOWN announced on a Russian cybercrime forum that he had deposited $1 million in escrow, a sign that he meant business with a new operation. That operation soon became REvil, which many cybersecurity experts viewed as a direct reorganization of GandCrab.

Double Extortion and Global Impact

The success of both groups stemmed from their double extortion model. Instead of simply encrypting files, they first stole highly sensitive data and threatened to publish it if victims refused to pay, so that even organizations with working backups still faced a reason to negotiate. This tactic maximized revenue and left high-profile targets, including corporations, hospitals, and government agencies, with little leverage. The BKA’s investigation linked Shchukin and Kravchuk to numerous attacks within Germany, but their operations spanned the globe.


Shchukin’s identity first appeared in a February 2023 filing by the U.S. Department of Justice, which sought the seizure of cryptocurrency accounts tied to REvil proceeds. The filing revealed that a digital wallet linked to Shchukin held over $317,000 in illicit funds. German authorities have since pursued charges against both Shchukin and Kravchuk, though neither has been publicly arrested as of this writing. The case underscores international cooperation in combating ransomware.

The Affiliate Model and Collaboration

Both GandCrab and REvil thrived due to their affiliate programs, which allowed even relatively low-level hackers to participate in high-stakes attacks. The organizers maintained strict control over the malware and the ransom negotiation, while affiliates focused only on gaining initial access to victim networks. This division of labor made the groups both profitable and resilient, since the loss of any single affiliate did not disrupt the core operation. UNKNOWN once gave an interview to Dmitry Smilyanets, a former Russian hacker turned security researcher, revealing details about the group’s internal structure, but until now his real identity remained hidden.

The identification of Daniil Maksimovich Shchukin marks a significant victory for law enforcement. It demonstrates that even the most careful cybercriminals can be tracked down, and that the era of anonymous ransomware barons may be drawing to a close.
