Germany doxes “UNKN,” names alleged head of GandCrab and REvil as Daniil Shchukin

Mystery unmasked
German authorities say they’ve pulled the curtain back on one of ransomware’s most elusive figures. The Federal Criminal Police (BKA) published an advisory naming 31‑year‑old Russian Daniil Maksimovich Shchukin as the hacker known online as “UNKN” (aka UNKNOWN), who allegedly headed the GandCrab and REvil ransomware operations and helped carry out at least 130 acts of computer sabotage and extortion across Germany between 2019 and 2021. The BKA also named 43‑year‑old Anatoly Sergeevitsch Kravchuk as a co‑actor; together, the agency says, the two extorted nearly €2 million in some two dozen attacks that inflicted more than €35 million in economic damage.
Paper trail and crypto crumbs
Shchukin’s handle isn’t just a forum legend anymore: his real name appeared in a February 2023 U.S. Justice Department filing seeking seizure of cryptocurrency wallets linked to REvil, and the government said one wallet tied to him held more than $317,000. Those links helped stitch together a longer narrative connecting the fallow years of GandCrab to the rise of REvil — a reshuffling of talent and tactics that security researchers have long suspected. Did law enforcement finally catch up? Maybe. Or maybe this is one more chapter in a global game of whack‑a‑mole.
How the gangs worked
GandCrab pioneered the affiliate model and paid big for access, then iterated its ransomware code through several major revisions. The gang famously announced a May 31, 2019 shutdown after claiming to have extorted more than $2 billion, quipping, “We are a living proof that you can do evil and get off scot‑free.” REvil emerged almost immediately afterward; UNKNOWN announced he’d deposited $1 million in forum escrow to prove his seriousness, and many experts treated REvil as GandCrab reborn, this time doubling down on the so‑called double‑extortion playbook — ransom for decryption and ransom for silence.
A human face — and a wider question
It has been reported that in at least one interview the person behind UNKNOWN spun a rags‑to‑riches tale — childhood hunger, shared apartments, then sudden online wealth — a story that jars with the scale of harm investigators attribute to these crews. That emotional pivot — from anonymous keyboard operator to named person with a childhood — is the most human and chilling moment in this saga. Naming Shchukin changes the story’s texture, but it doesn’t end the ransomware epidemic. So what now? Law enforcement has a name and some crypto evidence. The real work — prosecutions, international cooperation, and preventing the next gang from scaling — still looms.
Sources: krebsonsecurity.com, Hacker News