high

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

April 6, 2026·Krebs on Security·Threat Intel
ransomwareattributionlaw-enforcementrevilgandcrabcybercrime

German Authorities Unmask "UNKN," Alleged Leader Behind REvil and GandCrab Ransomware Operations

TL;DR: German law enforcement has publicly identified 31-year-old Russian national Daniil Maksimovich Shchukin as "UNKN," the suspected mastermind behind two of the most destructive ransomware operations in recent history—GandCrab and REvil. The identification marks a rare breakthrough in attributing high-profile cybercriminal operations to specific individuals.

What Happened

According to reporting by Krebs on Security, German authorities have connected the enigmatic hacker known as "UNKN" to Daniil Maksimovich Shchukin, a 31-year-old Russian citizen. German investigators allege that Shchukin orchestrated both the GandCrab and REvil ransomware-as-a-service (RaaS) operations, which collectively caused hundreds of millions in damages worldwide.

The German investigation specifically attributes at least 130 acts of computer sabotage and extortion against German victims to Shchukin's operations between 2019 and 2021. This represents just a fraction of the global impact these ransomware families had during their active periods.

Technical Analysis

The UNKN persona operated sophisticated ransomware-as-a-service platforms that exemplified the modern cybercrime economy. GandCrab, which emerged around 2018, pioneered many techniques that became standard in the ransomware ecosystem, including:


REvil (also known as Sodinokibi) inherited and refined GandCrab's operational model after the latter's apparent retirement in 2019. REvil became notorious for high-profile attacks including the 2021 Kaseya supply chain compromise that affected thousands of downstream victims.

Both operations utilized double-extortion tactics—encrypting victim data while simultaneously exfiltrating sensitive information to pressure victims who might otherwise restore from backups.

Impact & Who's Affected

GandCrab and REvil rank among the most financially successful ransomware operations ever documented. GandCrab operators claimed over $2 billion in ransom payments before shutting down, while REvil's lifetime earnings likely exceeded similar figures.

The victim list spans critical infrastructure, healthcare systems, government agencies, and private businesses across dozens of countries. Notable REvil victims included meat processor JBS and the Kaseya managed service provider attack that cascaded to approximately 1,500 downstream companies.

What You Should Do

While this attribution doesn't immediately change defensive postures, organizations should:

1. Review historical incidents from 2018-2021 for potential GandCrab or REvil indicators that might reveal persistent access
2. Validate backup integrity and test restoration procedures, as these groups specifically targeted backup systems
3. Implement network segmentation to limit lateral movement capabilities that both operations heavily exploited
4. Strengthen email security since phishing remained a primary initial access vector for both groups
5. Monitor for infrastructure reuse as criminal networks often recycle technical resources across operations

The Bigger Picture

This identification represents a significant law enforcement victory in the typically opaque world of ransomware attribution. However, the practical impact remains limited—Shchukin operates from Russia, which has no extradition treaty with Germany and actively harbors cybercriminals targeting Western nations.

More importantly, the ransomware ecosystem has evolved beyond dependence on individual operators. New groups like BlackCat, Lockbit, and others have adopted and refined the RaaS model that UNKN helped pioneer. The infrastructure, techniques, and criminal networks established during the GandCrab/REvil era continue operating under new banners.

The identification also highlights the long timeline of cybercrime investigations. Despite REvil's apparent dismantling in 2021, authorities are still piecing together the full scope of these operations and their leadership structures.

This development underscores that while individual cybercriminals may eventually face consequences, the systemic challenges of ransomware require comprehensive defensive strategies rather than relying solely on law enforcement outcomes.

Source: This analysis is based on original reporting by Krebs on Security.

← All Threat IntelSource: Krebs on Security