German authorities have publicly named two individuals they believe were involved in operating the now-defunct REvil and GandCrab ransomware operations, marking one of the more detailed attributions tied to the group to date. The identification centers on a figure long known online as “UNKN,” alongside a second developer linked to the same ecosystem. While the claims provide insight into the structure and scale of the operation, both suspects are believed to be outside Germany, which limits any immediate legal consequences.
The Identity Behind “UNKN”
According to statements from Germany’s Federal Criminal Police Office, the individual known as “UNKN” has been identified as Daniil Maksimovich Shchukin, a 31-year-old Russian national. Investigators claim that he played a leading role in both GandCrab and its successor, REvil, and acted as a central public-facing figure within cybercrime forums.
Shchukin is said to have used multiple aliases over time, including variations such as Oneiilk2 and GandCrab, and was reportedly active in promoting ransomware services as early as 2019. Authorities claim he helped oversee a large-scale ransomware-as-a-service model, coordinating affiliates who carried out attacks in exchange for a share of the profits. Separate reporting has also linked his name to a U.S. legal filing involving the seizure of cryptocurrency wallets tied to REvil proceeds, including an account said to contain hundreds of thousands of dollars.
A Second Suspect and Developer Role
Alongside Shchukin, German investigators have named Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian citizen born in Ukraine, as a suspected developer for REvil. Authorities claim that Kravchuk contributed to the technical side of the ransomware operation during the same timeframe in which REvil was active. Both individuals have been placed on international wanted lists. Investigators have stated that they are believed to currently reside in Russia, though travel outside the country has not been ruled out.
Scale of Operations
German officials attribute a significant number of ransomware incidents to the pair, including roughly 130 attacks affecting targets within Germany between 2019 and 2021. Of those cases, around two dozen reportedly resulted in ransom payments totaling close to €2 million, while overall damages are estimated to exceed $35 million.
More broadly, earlier activity linked to GandCrab alone has been associated with far larger global profits. The group itself claimed to have generated billions in revenue before announcing its shutdown in 2019, an announcement widely interpreted as a rebrand or transition rather than a genuine exit.
From GandCrab to REvil
GandCrab appeared in early 2018 and quickly became one of the most active ransomware operations at the time, built around an affiliate model that allowed other actors to deploy the malware in exchange for a cut of the profits. It initially spread through phishing emails and malicious attachments, but later versions incorporated more advanced delivery methods and regular updates to stay ahead of security defenses. By mid-2019, the operators announced they were shutting the project down, claiming significant earnings. Despite that claim, the timing and continuity in tactics led many to view the closure as a transition rather than a true exit.
Not long after, REvil, also known as Sodinokibi, emerged, carrying forward many of the same operational patterns while shifting toward larger, more lucrative targets. The group focused on high-revenue organizations and became linked to major incidents involving companies such as Kaseya and JBS, where a single breach had widespread downstream effects. Its approach centered on double extortion, combining file encryption with the threat of leaking stolen data to increase pressure on victims. By 2021, REvil had become one of the most visible ransomware operations before its infrastructure went offline following a series of disruptions that effectively halted its activity.
The RaaS Model and Cybercrime Ecosystem
Both GandCrab and REvil operated under a ransomware-as-a-service structure, which allowed developers to distribute their malware to affiliates. These affiliates handled intrusion and deployment, while the core operators maintained and improved the ransomware itself.
This model enabled rapid scaling. Affiliates could specialize in initial access, credential theft, or lateral movement within victim networks, while other supporting actors supplied services such as crypters and other detection-evasion tooling, or cryptocurrency laundering. The result was a decentralized but highly coordinated cybercrime ecosystem that mirrored aspects of legitimate business operations, with the core operators behaving much like a vendor and the affiliates like a sales channel.
Disruptions and Ongoing Uncertainty
REvil’s activities appeared to decline sharply from mid-2021, particularly after the high-profile Kaseya supply chain attack and the law enforcement actions that followed. The group briefly resurfaced before disappearing again, and its infrastructure was later seized or dismantled.
In 2022, Russian authorities announced the arrest of several individuals reportedly connected to REvil, though the scope and outcome of those cases remain unclear. Reports indicate that some suspects have faced financial-related charges, while broader accountability for the group’s operations has remained limited. Despite these developments, many individuals believed to be associated with the network have not been publicly identified or apprehended.
Conclusion
The naming of Shchukin and Kravchuk represents one of the more concrete attribution efforts tied to the REvil and GandCrab operations, offering a clearer view into the people behind one of the most prominent ransomware ecosystems of recent years. At the same time, the broader network that enabled these campaigns appears only partially understood, and much of its structure remains outside the reach of authorities. As with many cases in this space, attribution does not necessarily translate into enforcement, leaving key questions unresolved.