REvil: Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab – Krebs on Security

Russian Cybercriminal Behind GandCrab and REvil Ransomware Operations Identified

German authorities have unmasked 31-year-old Russian national Daniil Maksimovich Shchukin as the mastermind behind two of the most notorious ransomware groups: GandCrab and REvil. Operating under the alias "UNKN" (or UNKNOWN), Shchukin led cybercrime operations that extorted nearly €2 million from German victims between 2019 and 2021, causing over €35 million in economic damage through at least 130 attacks.

Shchukin’s groups pioneered "double extortion," demanding payment both to unlock encrypted systems and to prevent the public release of stolen data. GandCrab, which emerged in January 2018, became one of the first ransomware-as-a-service (RaaS) operations, paying affiliates a share of profits for breaching corporate networks. The group claimed to have extorted $2 billion before shutting down in May 2019, boasting in a farewell message that they had "made a lifetime of money in one year."

REvil, which surfaced shortly after GandCrab’s demise, was widely believed to be a rebrand of the same operation. Shchukin, as UNKNOWN, deposited $1 million in a Russian cybercrime forum’s escrow to establish credibility. In an interview with Recorded Future, he described a rise from poverty to cybercrime wealth, claiming childhood hardships while flaunting his criminal success.

REvil evolved into a "big-game-hunting" operation, targeting organizations with $100 million+ in revenue and cyber insurance policies likely to pay ransoms. The group’s most high-profile attack came over the July 4, 2021, weekend, when it breached Kaseya, a managed IT services provider, disrupting 1,500+ businesses and government entities. The FBI later revealed it had infiltrated REvil’s servers before the attack but withheld action to avoid tipping off the group. The operation collapsed after the FBI released a free decryption key, leaving REvil unable to recover.

Shchukin, a resident of Krasnodar, Russia, has no direct digital footprint linking him to UNKNOWN on Russian crime forums. However, cybersecurity firm Intel 471 found connections to an earlier hacker alias, "Ger0in", who sold malware "installs" via botnets in 2010–2011. A 2023 birthday photo matching BKA-released images further corroborated his identity.

The U.S. Justice Department previously sought to seize $317,000 in cryptocurrency tied to Shchukin’s REvil-linked wallet in a February 2023 filing. German authorities believe he remains in Russia, with no indication of travel outside the country.

Source: https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/

REvil cybersecurity rating report: https://www.rankiteo.com/company/revilcit
