Germany's federal law enforcement identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as "UNKN," the operator behind two prolific ransomware groups that terrorized organizations across Europe for years. Shchukin directed both GandCrab and its successor REvil, operations that executed at least 130 extortion and sabotage campaigns against German targets alone between 2019 and 2021.
GandCrab emerged in 2018 as one of the first ransomware-as-a-service platforms, forcing victims to pay millions in Bitcoin ransoms. REvil inherited GandCrab's infrastructure and operations after GandCrab's supposed shutdown in 2020, becoming one of the most destructive ransomware families of 2020 and 2021. REvil operators targeted major corporations, government agencies, and critical infrastructure worldwide, including the Kaseya supply chain attack that affected thousands of downstream victims.
The German authorities' identification represents a rare public attribution of a high-level Russian cybercriminal operator. Shchukin's exposure links him directly to breaches affecting hospitals, municipalities, and industrial firms across Germany. The ransomware campaigns extracted tens of millions of euros from victims through encryption attacks and data exfiltration threats.
Law enforcement cooperation between Germany and international partners enabled the identification. The disclosure demonstrates growing capability among Western agencies to penetrate Russian-language cybercriminal forums and track sophisticated threat actors operating from Russian territory.
REvil itself largely disappeared from public view after mid-2021 following US law enforcement operations and international pressure. However, the group's infrastructure influenced subsequent ransomware campaigns. Tracking Shchukin's role establishes operational continuity between major ransomware families and provides evidence for potential prosecution.
Organizations that fell victim to