What we know so far: German investigators have linked one of the most notorious operators in the modern ransomware era to a single man living in southern Russia. Germany's Federal Criminal Police Office, or Bundeskriminalamt (BKA), named Daniil Maksimovich Shchukin, a 31-year-old from Krasnodar, as the hacker known online as UNKN, who has long been suspected of orchestrating the REvil and GandCrab extortion networks that targeted thousands of victims worldwide.
Shchukin's alleged involvement marks a significant step in a years-long effort to unmask the leadership behind two of the most destructive criminal groups on the internet. According to the BKA, Shchukin oversaw GandCrab from its launch in early 2018 until it abruptly shut down in May 2019, declaring in a farewell message that its members had personally earned more than $2 billion in ransom payments. Within months, investigators say, much of GandCrab's infrastructure and personnel reemerged under a new banner: REvil.
Between 2019 and 2021, REvil carried out 130 documented attacks on German businesses and institutions. Victims collectively paid nearly €2 million in ransom demands, while overall losses – including downtime and recovery costs – exceeded €35 million, according to BKA estimates.
US authorities later linked a cryptocurrency wallet associated with Shchukin to $317,000 in holdings, according to a February 2023 Justice Department filing.
The group's most devastating operation came in July 2021 when REvil exploited software supplied by the Florida-based IT management company Kaseya. The timing, over the July 4 holiday weekend, amplified the fallout: malware spread across Kaseya's customer base, locking systems at around 1,500 organizations, including small businesses, nonprofits, and local governments.
The FBI had already infiltrated REvil's infrastructure before that attack but kept the access confidential to avoid compromising its broader investigation. Within months, REvil's servers went dark and the group largely disbanded.
In addition to Shchukin, German authorities have issued a public notice identifying a second suspect, Anatoly Sergeevitsch Kravchuk, 43, also believed to be based in Russia. Neither man is expected to face extradition, given Russia's policy of not surrendering its citizens to foreign jurisdictions, but the warrants significantly curtail their ability to travel abroad without risking arrest.
For law enforcement, the disclosures underscore how ransomware operations have evolved into global enterprises run with the scale and sophistication of legitimate software ventures. Even as individual actors are named and networks vanish, investigators warn that the criminal models built by groups like GandCrab and REvil continue to influence countless successors across the ransomware landscape.