# German Police Unmask "UNKN": Architect of GandCrab and REvil Ransomware Empires Exposed


In a significant breakthrough in international cybercrime investigation, German authorities have publicly identified the elusive operator behind two of the world's most destructive ransomware organizations. The German Federal Criminal Police (Bundeskriminalamt, or BKA) revealed that Daniil Maksimovich Shchukin, a 31-year-old Russian national, operated under the pseudonym "UNKN" while orchestrating the GandCrab and REvil ransomware syndicates—responsible for hundreds of attacks, billions in extortion demands, and immeasurable damage to organizations worldwide.


## The Breakthrough: Unmasking a Cybercrime Architect


For years, "UNKN" remained one of the most wanted figures in cybersecurity, operating from the shadows of Russian criminal forums with calculated secrecy. The BKA's disclosure marks a pivotal moment in the global effort to hold ransomware operators accountable. According to the German authorities, Shchukin and an accomplice, 43-year-old Anatoly Sergeevitsch Kravchuk, orchestrated at least 130 computer sabotage and extortion attacks against German victims alone between 2019 and 2021, extracting nearly €2 million while inflicting over €35 million in total economic damage.


The identification wasn't isolated to Germany. In February 2023, the U.S. Justice Department filed documents seeking the seizure of cryptocurrency accounts tied to REvil's proceeds, specifically naming Shchukin in connection with a digital wallet containing more than $317,000 in ill-gotten cryptocurrency.


## GandCrab: The Genesis of an Affiliate Empire


To understand UNKN's significance, one must trace the origins of GandCrab, which first emerged in January 2018 as a revolutionary—and devastatingly effective—ransomware-as-a-service (RaaS) operation. Unlike earlier ransomware gangs that operated independently, GandCrab pioneered an affiliate model that democratized cybercrime:


  • Affiliate recruitment: The gang actively recruited hackers of varying skill levels, offering them substantial profit shares simply for gaining initial access to corporate networks
  • Rapid expansion: Once affiliates breached a system, GandCrab's core team would expand access and exfiltrate sensitive data
  • Continuous innovation: Five major versions of the GandCrab code were released, each incorporating new evasion techniques and features designed to defeat security vendors' defenses

### The $2 Billion Farewell


GandCrab's reign was remarkably profitable but short-lived. On May 31, 2019, after just 16 months of operations, the gang announced a shocking retirement. In a darkly humorous farewell message posted to Russian crime forums, they declared:


> "We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit."


The claimed total: more than $2 billion in extortion payments.


Cybersecurity analysts found the exit suspicious. Rather than truly disbanding, the evidence suggests GandCrab underwent a carefully orchestrated rebrand.


## REvil: The Successor Organization


Around the time of GandCrab's shutdown, a new ransomware gang emerged under the REvil brand, claiming to be an independent operation. The operator, using the handle "UNKNOWN" (later confirmed as Shchukin), announced the new venture on Russian crime forums by depositing $1 million in escrow, a bold gesture meant to assure potential affiliates and partners of the operation's legitimacy.


Industry analysts quickly connected the dots. The technical similarities between GandCrab and REvil were too precise to be coincidental. The operational patterns, infrastructure indicators, and coding signatures pointed to the same underlying organization. REvil, it appeared, was not a successor but a resurrection.


### From Rags to Riches: The UNKNOWN Interview


In a revealing interview with cybersecurity researcher Dmitry Smilyanets (hired by Recorded Future as a consultant), UNKNOWN/Shchukin provided biographical context that illuminated his motivations:


> "As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn't eat for two or even three days. Now I am a millionaire."


This narrative of economic desperation turned criminal success reflected a broader pattern in the Russian cybercriminal underground, where poverty and opportunity gaps merged with technical sophistication to create a fertile recruiting ground for organized cybercrime.


## The Double Extortion Revolution


GandCrab and REvil are historically credited with perfecting and popularizing the double extortion model, a paradigm that fundamentally changed ransomware economics:


| Extortion Method | Details | Impact |
|---|---|---|
| First payment | Ransom demand for the decryption key to unlock encrypted files | Direct operational impact; forces urgent negotiation |
| Second payment | Separate demand to prevent publication of stolen data | Creates reputational and regulatory pressure; often exceeds the first payment |


This dual-leverage approach proved devastatingly effective. Organizations faced an impossible choice: pay twice or risk disclosure of proprietary data, customer information, trade secrets, and other sensitive materials to competitors or the public.


## The Business of Evil: Legitimizing Cybercrime


As detailed in *The Ransomware Hunting Team* by Renee Dudley and Daniel Golden, REvil and Shchukin applied corporate best practices to criminal operations. The gang invested profits into infrastructure improvements, hired specialized contractors for tasks beyond their expertise, and professionalized their operations, mirroring legitimate software companies in structure if not in purpose.


This legitimization of cybercrime management created a more resilient and harder-to-disrupt organization. Where earlier ransomware gangs might collapse when key members were arrested, REvil's distributed model and reinvestment strategy allowed it to absorb losses and continue operations.


## Implications for Organizations Worldwide


The exposure of UNKN/Shchukin carries several critical implications:


  • Accountability is possible: Despite the anonymity of online forums, sustained investigative work can pierce even sophisticated operational security
  • Transnational cooperation works: The BKA's public identification, combined with U.S. Justice Department seizures, demonstrates coordinated law enforcement effectiveness
  • Ransomware threats remain acute: While individual operators may be identified, the affiliate model ensures replacements emerge quickly
  • Data theft is a permanent risk: Double extortion means that even without paying a ransom, organizations should assume exfiltrated data may be published or sold

## Recommendations for Organizations


Organizations should treat this disclosure as a reminder to strengthen defenses against sophisticated adversaries:


1. Assume-breach mentality: Design security around the assumption that attackers will gain initial access
2. Segment networks: Limit lateral movement capability if an initial compromise occurs
3. Backup strategy: Maintain offline, immutable backups resistant to encryption and exfiltration
4. Threat intelligence: Subscribe to feeds tracking REvil successor groups and affiliate activity
5. Incident response: Develop and regularly test ransomware response playbooks
6. Data minimization: Reduce stored sensitive data to limit the impact of exfiltration
7. Reporting requirements: Understand the legal obligations to disclose breaches in your jurisdiction


## Conclusion


The identification of Daniil Maksimovich Shchukin as the operator behind GandCrab and REvil represents a significant victory for international law enforcement. However, it also serves as a reminder that the ransomware threat ecosystem continues to evolve. While individual operators may be exposed, the affiliate model and decentralized nature of modern cybercrime ensure that the battle against ransomware gangs remains ongoing. Organizations must prioritize defensive resilience and assume that operators with Shchukin's sophistication and resources will continue to target their networks.