REvil and GandCrab Leader “UNKN” Identified as Daniil Shchukin

by priyanka.patel, tech editor

For years, the figure known only as “UNKN” operated as a ghost in the machinery of global cybercrime, steering two of the most prolific ransomware operations in history. Now, that anonymity has vanished. German authorities have identified the elusive hacker as 31-year-old Russian national Daniil Maksimovich Shchukin, providing a name and a face to the leadership of the GandCrab and REvil ransomware gangs.

The identification comes via an advisory from the Bundeskriminalamt (BKA), Germany’s Federal Criminal Police, which alleges that Shchukin headed both organizations. According to the BKA, Shchukin and a collaborator, 43-year-old Russian national Anatoly Sergeevitsch Kravchuk, were responsible for at least 130 acts of computer sabotage and extortion within Germany between 2019 and 2021. The duo is accused of extorting nearly 2 million euros across two dozen attacks, which caused an estimated 35 million euros in total economic damage.

Daniil Maksimovich Shchukin, a.k.a. UNKN, and Anatoly Sergeevitsch Kravchuk, alleged leaders of the GandCrab and REvil ransomware groups.

The unmasking of Daniil Maksimovich Shchukin as the leader of REvil and GandCrab marks a significant milestone in the effort to map the hierarchy of Russian-speaking cybercrime. Shchukin’s influence extended far beyond German borders, as he helped pioneer the “double extortion” model: a predatory tactic in which hackers charge victims once to decrypt their files and a second time to prevent the public release of stolen sensitive data.

The Blueprint of a Ransomware Empire

The trajectory of Shchukin’s operations reveals a sophisticated evolution of the ransomware business model. It began in January 2018 with the launch of the GandCrab affiliate program. Rather than conducting every attack themselves, the GandCrab curators operated as a platform, paying “affiliates” large shares of profits for successfully compromising corporate networks. This allowed the group to scale rapidly, deploying five major revisions of their code to bypass security software.

By the time GandCrab announced its shutdown on May 31, 2019, the group claimed to have extorted more than $2 billion from its victims. In a brazen farewell message, the group asserted they were “living proof that you can do evil and get off scot-free,” boasting that they had earned a lifetime of wealth in a single year.

Almost immediately after GandCrab’s demise, the REvil program emerged. It was fronted by a user named “UNKNOWN” (or UNKN), who signaled his seriousness to the underworld by depositing $1 million into a Russian cybercrime forum’s escrow. Security analysts quickly noted that REvil was not a new entity, but rather a reorganization of the GandCrab infrastructure under new branding.

Timeline of Shchukin’s Alleged Operations

Period | Entity/Alias | Key Milestone
2010–2011 | Ger0in | Operated botnets and sold malware “installs”
2018–2019 | GandCrab | Scaled affiliate model; extorted over $2 billion
2019–2021 | REvil (UNKN) | Pioneered double extortion and “big-game hunting”
July 2021 | REvil | Kaseya attack and subsequent FBI infiltration

Industrializing Cybercrime

As a former software engineer, I find the most striking aspect of REvil’s operation to be its mirroring of legitimate corporate structures. Shchukin did not just write code; he managed a supply chain. REvil outsourced specialized tasks to third-party criminals to increase its efficiency.

This ecosystem included “cryptor” providers who ensured the ransomware remained undetected by antivirus scanners, and “initial access brokers” who specialized in stealing credentials to sell the “front door” of a company to the ransomware operators. By treating cybercrime as a professional service, REvil shifted toward “big-game hunting,” targeting organizations with annual revenues exceeding $100 million and comprehensive cyber insurance policies that ensured high payouts.

This professionalization peaked during the July 4, 2021, weekend, when REvil targeted Kaseya, an IT management software provider. The attack potentially impacted over 1,500 businesses and government agencies. However, this high-profile strike became REvil’s undoing. The FBI later revealed they had infiltrated the group’s servers, eventually releasing a free decryption key that neutralized the gang’s leverage over its victims.

From Trash Heaps to Luxury Watches

The persona of UNKN was built on a narrative of ruthless social mobility. In a recorded interview with a former hacker, UNKN described a childhood of extreme poverty in Russia, claiming he once “scrounged through the trash heaps and smoked cigarette butts” and often went days without food. He framed his transition to a millionaire as a triumph of will over ethics.

This transition from poverty to opulence left a digital trail. While the BKA notes that direct links between Shchukin and the UNKN forum accounts are sparse, other evidence has surfaced. Intelligence from the firm Intel 471 linked Shchukin to an earlier identity, “Ger0in,” active around 2010. More recently, image comparison tools matched BKA mugshots to photos from a 2023 birthday celebration in Krasnodar, Russia, showing a young man—identified as Daniel—wearing a luxury watch identical to one seen in police photos.

Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.

The U.S. Justice Department also stepped in, filing a motion in February 2023 to seize cryptocurrency accounts tied to REvil. Documents from that filing identified a digital wallet associated with Shchukin containing more than $317,000 in illicit cryptocurrency.

The Path to Justice

Despite the identification, the prospect of an arrest remains complicated. The BKA believes Shchukin currently resides in Krasnodar, Russia, and noted that while “travel behaviour cannot be ruled out,” he is presumed to be abroad. Given the current geopolitical climate and the lack of extradition treaties between Russia and Western nations for cybercriminals, Shchukin may remain out of reach of German and U.S. authorities for the foreseeable future.

The identification serves as a warning to other operators: the “scot-free” era of the GandCrab farewell address is ending. Through a combination of server infiltrations, cryptocurrency tracking, and open-source intelligence, the veil of anonymity is thinning.

Law enforcement continues to monitor Shchukin’s movements and financial assets. The next critical checkpoint will be any further updates from the U.S. Justice Department regarding the seizure of the remaining REvil-linked cryptocurrency wallets.
