Authorities Unmask the Russian Mastermind Behind Notorious Ransomware Gangs REvil and GandCrab

From Usahobs, the free encyclopedia of technology

The End of Anonymity for a Cybercrime Kingpin

For years, the hacker known only as “UNKN” or “UNKNOWN” operated in the shadows, directing two of the most destructive ransomware operations in history. Now, thanks to a coordinated investigation by German authorities, that alias has a real name: Daniil Maksimovich Shchukin, a 31-year-old Russian national. The German Federal Criminal Police (Bundeskriminalamt, BKA) publicly identified Shchukin as the leader of the GandCrab and REvil ransomware groups, revealing his role in at least 130 acts of computer sabotage and extortion across Germany between 2019 and 2021.

Source: krebsonsecurity.com

The Man Behind the Moniker

According to the BKA advisory, Shchukin—operating under the online handle UNKN—ran the affiliate programs that fueled both ransomware families. He was joined by a fellow Russian, Anatoly Sergeevitsch Kravchuk, 43, in a criminal partnership that squeezed victims for nearly 2 million euros across two dozen attacks. The total economic damage from their campaigns exceeded 35 million euros. The duo pioneered double extortion: encrypting victims' data and demanding a ransom for the decryption key, while also threatening to leak sensitive information unless a separate payment was made.

GandCrab's Rise and Fall

GandCrab first appeared in January 2018 as a ransomware-as-a-service operation. Affiliates—independent hackers—broke into corporate networks, and the core team expanded access, often exfiltrating massive troves of internal documents. The malware underwent five major revisions, each adding stealth capabilities and countermeasures against security software. On May 31, 2019, the GandCrab team shocked the cybersecurity world by announcing their retirement, claiming to have extorted over $2 billion from victims. In a farewell message, they bragged: “We are a living proof that you can do evil and get off scot-free.”

The REvil Resurrection

Almost immediately after GandCrab's shutdown, a new ransomware strain named REvil (also known as Sodinokibi) emerged on Russian-language cybercrime forums. A user called UNKNOWN posted a bond of $1 million in escrow to demonstrate credibility. Many cybersecurity experts suspected REvil was simply a rebranded GandCrab, and the BKA's identification of Shchukin as the leader of both groups confirms that theory. UNKNOWN also gave a rare interview to Dmitry Smilyanets, a former cybercriminal turned security researcher, further cementing his notoriety.


The U.S. Department of Justice had previously named Shchukin in a February 2023 filing seeking forfeiture of cryptocurrency wallets tied to REvil proceeds. One wallet linked to him held over $317,000 in illicit gains. German authorities are now pursuing charges for the 130 confirmed attacks, and international arrest warrants are likely. The doxxing of UNKN marks a significant victory for law enforcement in disrupting high-profile cybercrime networks.

The Ripple Effects of Double Extortion

The tactics perfected by Shchukin and his associates—double extortion, affiliate models, and rapid code iteration—have become standard in the ransomware ecosystem. Their operations targeted corporations, hospitals, and municipalities, causing operational chaos and financial loss. The unmasking of UNKN serves as a deterrent and a reminder that even the most elusive hackers can eventually be identified.

Conclusion

The BKA's announcement pulls back the curtain on a shadowy figure who once claimed to be untouchable. While the full extent of Shchukin's criminal career is still being documented, his identification marks a turning point. For victims of GandCrab and REvil, there is now a face behind the ransom notes—and a path toward accountability.