- Leader Identified: German BKA named Daniil Shchukin as the leader of the REvil and GandCrab ransomware gangs, alongside programmer Anatoly Kravchuk.
- Massive Damage in Germany: The group carried out 130 attacks in Germany, causing damage worth millions of euros, with victims paying €1.9 million in ransoms.
- Authorities believe the suspects are in Russia, and Europol has issued international arrest warrants for them.
German police have ended the mystery surrounding the identity of the REvil ransomware group's leadership. Authorities believe they have identified the leader of REvil as Daniil Maksimovich Shchukin, who used the alias “UNKN.”
He is a 31-year-old Russian national who lived in Russia and led both REvil and its predecessor GandCrab from 2019 to 2021. During that period the gang carried out over 130 ransomware attacks in Germany, causing over €35.4m in financial losses to its victims.
Investigators in Germany have also identified a second suspect, 43-year-old Anatoliy Sergeevich Kravchuk from Russia, who allegedly served as REvil's principal programmer during the same period. German authorities have declared both Shchukin and Kravchuk wanted and believe both suspects are residing in Russia.
From Rags to Riches: UNKN Tells His Story
Shchukin’s story reads like a dark fairy tale. In an interview with Recorded Future, Shchukin described how hard his life was growing up in Russia, where as a young boy he dug through trash looking for bottles and for cigarette butts to smoke.
He said he used to walk 10 km each way to school and wore the same clothes for at least six months straight. Even as a youth he lived in a communal apartment and at times went without food for two or even three days. He has since become a millionaire.
In 2007, Shchukin started operating in the ransomware business. In January 2018, he gained notoriety as the public face of GandCrab, which became one of the most successful ransomware operations ever.
When the operation shut down in May 2019, its operators claimed to have extorted over $2 billion from their victims. The group posted a farewell letter stating that they were proof that anyone can do evil deeds and never be caught.
Just weeks after GandCrab closed, REvil appeared. Many security experts believe REvil was simply a rebranding of the same operation. Shchukin, now using the alias “UNKN” (short for “Unknown”), announced the new group on a Russian cybercrime forum and deposited $1 million in escrow to prove he meant business.
How REvil Operated and the Damage It Caused
REvil's operation, and the damage it caused, relied on double extortion, an approach that experts note has since become standard operating procedure for ransomware gangs.
The attackers would breach an organization’s network, steal sensitive information, encrypt the victim's data, and then demand two separate payments: one for a decryption key and another to keep the stolen information private. This pressured many victims into paying the ransom even when they had backups available.
The group targeted almost exclusively larger companies with $100 million in annual revenue, particularly companies with robust cyber insurance policies.
At one point, REvil had approximately 60 affiliates carrying out attacks on its behalf and splitting the proceeds with the group's leadership.
REvil launched its most famous attack on July 4, five years ago, against Kaseya, a company that provides IT management software to over 1,500 businesses. The ransomware spread through Kaseya’s customers worldwide and affected companies in at least 17 countries.
REvil demanded $70 million for a universal decryption key. The FBI later revealed that it had already infiltrated REvil’s servers before the attack but could not tip its hand at the time.
In Germany alone, the group attacked medical equipment manufacturers, cultural institutions, and the Württemberg State Theater in Stuttgart. Victims paid about €1.9 million ($2.19 million) in ransoms, spread across 25 cases.
International Hunt Continues
The investigation that exposed Shchukin involved multiple countries. German authorities traced the individuals through analysis of cryptocurrency transactions and worked with law enforcement agencies in Europe and North America to follow up leads.
Shchukin’s name also appeared in a U.S. Department of Justice filing from three years ago that sought the seizure of cryptocurrency believed to be REvil proceeds. The motion linked a digital wallet containing approximately $317,000 in cryptocurrency to Shchukin.
REvil’s operations came to a halt in October 2021, when a coordinated effort by law enforcement agencies around the world shut down the group’s servers. In January 2022, the Russian Federal Security Service (FSB) arrested several Russian citizens connected to REvil; four of them received prison sentences in October 2024 for their crimes against the United States.
Shchukin and Kravchuk remain at large. The BKA believes that Shchukin currently resides in Krasnodar, Russia, but that he retains the ability to travel internationally. German law enforcement officials have issued international arrest warrants for both Shchukin and Kravchuk.