Originally reported by Krebs on Security
TL;DR
German law enforcement has identified 31-year-old Russian national Daniil Maksimovich Shchukin as "UNKN," the elusive leader of the defunct REvil and GandCrab ransomware groups. Authorities linked him to at least 130 ransomware attacks against German targets between 2019 and 2021.
While significant for attribution purposes, this identification does not indicate an immediate escalation in threat activity or any new exploitation capabilities, as both groups are no longer actively operating.
German authorities have publicly identified the individual behind one of the most prolific ransomware operations in recent history. According to Krebs on Security, German law enforcement agencies have named 31-year-old Russian national Daniil Maksimovich Shchukin as the operator known by the handle "UNKN," who led both the GandCrab and REvil ransomware groups.
German investigators attribute at least 130 acts of computer sabotage and extortion to Shchukin's operations between 2019 and 2021, targeting victims specifically within Germany. This figure likely represents only a fraction of the global impact of both ransomware families during their operational periods.
The GandCrab ransomware family emerged as one of the earliest and most successful ransomware-as-a-service (RaaS) operations before transitioning to REvil (also known as Sodinokibi), which became one of the most notorious ransomware groups before its apparent dissolution in 2021.
The identification of "UNKN" represents a significant intelligence breakthrough, given the individual's central role in establishing the RaaS model that became the dominant ransomware operational framework. Both GandCrab and REvil pioneered techniques and business models later adopted across the ransomware ecosystem.
While both groups are no longer actively operating, the attribution provides law enforcement agencies with concrete intelligence linking specific individuals to ransomware operations that generated hundreds of millions in illicit revenue and caused extensive disruption to critical infrastructure and business operations globally.
The disclosure comes years after both ransomware families ceased active operations. REvil's infrastructure went dark in late 2021 following increased law enforcement pressure and reported internal disputes. The timing and nature of this attribution suggest ongoing investigative efforts to map the leadership structures of defunct ransomware operations.