Quick Facts
- Category: Cybersecurity
- Published: 2026-05-02 01:59:34
For years, the cybercriminal known only as UNKN or UNKNOWN operated in the shadows, orchestrating some of the most devastating ransomware attacks in history. Now, thanks to a breakthrough by German authorities, the man behind the mask has a name: Daniil Maksimovich Shchukin, a 31-year-old Russian national. The following listicle unpacks the top ten revelations about this elusive figure, his accomplices, and the notorious gangs they ran—GandCrab and REvil. Dive into the facts that have emerged from the investigation and understand how these cybercriminals reshaped the ransomware landscape.
1. UNKN Is Identified as Daniil Shchukin
After years of anonymity, the German Federal Criminal Police (Bundeskriminalamt or BKA) officially linked the hacker handle UNKN to Daniil Maksimovich Shchukin. Shchukin, a 31-year-old Russian, was named in an advisory as the head of both the GandCrab and REvil ransomware operations. This identification marks a significant victory for law enforcement, who had long hunted the mastermind behind hundreds of attacks. The BKA’s investigation revealed that Shchukin orchestrated at least 130 acts of computer sabotage and extortion in Germany alone between 2019 and 2021, causing massive financial damage.

2. A Trusted Partner in Crime: Anatoly Kravchuk
Shchukin did not act alone. The BKA also identified Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, as a key accomplice. Together, the duo extorted nearly 2 million euros directly from victims across two dozen cyberattacks. The total economic damage inflicted by their operations exceeded 35 million euros. Kravchuk’s role highlights how ransomware groups often rely on a network of collaborators to handle technical operations, money laundering, and affiliate management. Whether he is ultimately arrested or has so far only been identified, naming him represents a critical blow to the network.
3. Pioneers of Double Extortion
GandCrab and REvil didn’t just lock victims’ files—they revolutionized ransomware with the double extortion tactic. Under Shchukin’s direction, victims were first charged a ransom for a decryption key to regain access to their systems. Then, a second payment was demanded to prevent the public release of stolen sensitive data. This aggressive strategy increased pressure on companies to pay, as they faced both operational paralysis and reputational ruin. The model became the standard for many subsequent ransomware gangs, cementing Shchukin’s legacy as a pioneer of digital extortion.
4. The GandCrab Rise: Affiliate Program and Profits
Launched in January 2018, GandCrab operated as an affiliate program that recruited hackers to breach corporate networks. These affiliates received a huge share of the profits—often up to 60-70%—just for gaining initial access. Once inside, the GandCrab team expanded their foothold, exfiltrating sensitive documents and deploying ransomware. The malware underwent five major revisions, each packed with new features and bug fixes to evade security software. This agile development cycle allowed GandCrab to stay ahead of defenders and rake in billions.
5. GandCrab’s Bold Shutdown and Farewell Message
On May 31, 2019, the GandCrab gang shocked the cyber world by announcing their retirement after extorting more than $2 billion from victims. In a famously arrogant farewell, they declared: “We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.” The message underscored their confidence and the frustration of law enforcement. The group claimed to have made a fortune in just 18 months.
6. REvil: The Seamless Successor
As GandCrab shut down, a new ransomware-as-a-service operation called REvil (also known as Sodinokibi) emerged almost immediately. Cybersecurity experts quickly concluded that REvil was essentially a rebranded and reorganized version of GandCrab. The same developers, the same affiliate model, and the same ruthless tactics appeared. REvil inherited GandCrab’s victim lists and even used similar encryption methods. This transition allowed Shchukin to continue his criminal enterprise without missing a beat, proving that the gang had simply evolved rather than disbanded.

7. A $1 Million Escrow Deposit to Prove Seriousness
When REvil’s affiliate program debuted, its leader—still using the handle UNKNOWN—took an unusual step to build trust. On a Russian cybercrime forum, UNKNOWN deposited $1 million into the forum’s escrow fund as a guarantee of legitimacy. This deposit signaled that the operator was financially sound and serious about paying affiliates their shares. It was a savvy business move that attracted top-tier hackers, helping REvil quickly become one of the most feared ransomware groups worldwide. The escrow also provided a layer of protection for affiliates against potential scammers.
8. A Rare Interview with a Former Hacker
In a surprising move, UNKNOWN granted an interview to Dmitry Smilyanets, a former member of the Russian cybercrime scene who later became a security researcher. The interview offered a glimpse into the mindset of the ransomware kingpin, though details remain sparse. Smilyanets’ unique background—familiar with both the criminal world and the security industry—made him an ideal interlocutor. The conversation helped contextualize REvil’s operations and the motivations of its leader, though it revealed no identifying information at the time.
9. German Authorities Press Charges: 130 Acts of Sabotage
The BKA’s advisory detailed Shchukin’s and Kravchuk’s crimes specifically in Germany: at least 130 acts of computer sabotage and extortion between 2019 and 2021. The direct extortion amount was nearly 2 million euros, but the broader economic damage—covering recovery costs, lost revenue, and reputational harm—exceeded 35 million euros. This level of detail shows how thoroughly German investigators tracked the ransomware attacks, linking each incident to the same core group. The charges represent a major step toward international accountability.
10. U.S. Justice Department Targets Cryptocurrency Proceeds
Shchukin’s name also appeared in a February 2023 U.S. Justice Department filing seeking forfeiture of cryptocurrency accounts tied to REvil ransom payments. One digital wallet linked to Shchukin contained over $317,000 in illicit gains. The U.S. investigation focused on tracing the flow of money from victims to the gang’s wallets, using blockchain analysis. This seizure effort underscores the international collaboration required to dismantle ransomware operations—and the growing use of financial tools to cut off criminal funding.
In conclusion, the identification of Daniil Shchukin as UNKN marks a milestone in the fight against ransomware. From pioneering double extortion to amassing billions, Shchukin and his partner Kravchuk left a trail of destruction across Europe and beyond. While their gangs may have disbanded or rebranded, the global cybersecurity community continues to learn from these revelations. The case serves as a stark reminder that even the most anonymous criminals can eventually be unmasked—and that justice, though slow, is never truly blind.