German authorities have identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as a key figure behind the REvil ransomware gang and its predecessor, the GandCrab ransomware network.
Shchukin, known by the aliases “UNKN” or “UNKNOWN,” allegedly led both gangs and was involved in at least 130 cyberattacks targeting victims in Germany between 2019 and 2021. The identification marks a significant milestone in efforts to hold accountable individuals in financially motivated cybercrime.
According to the German Federal Criminal Police (BKA), Shchukin and another suspect, Anatoly Sergeevitsch Kravchuk, executed coordinated attacks that extorted nearly €2 million and caused over €35 million in economic losses. The bands of criminals popularized the “double extortion” tactic, forcing victims to pay not only for decryption keys but also to prevent data from being publicly released.
The GandCrab ransomware operation first appeared in 2018, utilizing an affiliate model that incentivized hackers with a share of the profits for breaching corporate systems. The affiliate approach, along with continuous updates to the malware, led the group to claim earnings exceeding $2 billion by May 2019, before ceasing operations.
Following GandCrab’s shutdown, the REvil gang emerged, operating under the same alias. The group shifted focus to larger organizations, with a strategy aimed at “big-game hunting.” This approach targeted enterprises with significant revenues and cyber insurance, enhancing the potential for substantial payouts.
REvil distinguished itself by operating like a business, with specialized actors involved in various roles such as access brokers and crypto laundering services. This operational model facilitated rapid scaling, reinvestment of profits, and continuous advancements in their tools and tactics.
The REvil gang is linked to the 2021 Kaseya attack, which affected over 1,500 businesses globally, showcasing how ransomware can disrupt supply chains. The incident also contributed to REvil’s decline, with the FBI having gained access to the group’s infrastructure prior to the attack, ultimately weakening its operations.
Shchukin’s connection to REvil emerged in a 2023 U.S. Department of Justice filing that detailed cryptocurrency seizures related to the gang. Authorities traced him to digital wallets holding over $317,000 in illicit funds. German officials suspect that he is currently in Russia, limiting their ability to apprehend him. The BKA stated, “Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia.”
The identification of Shchukin represents a notable achievement for law enforcement amid challenges in cybercrime attribution. The operational frameworks established by GandCrab and refined by REvil continue to influence current ransomware activities, illustrating that ransomware has evolved into an organized criminal industry rather than merely a technical threat.
