{"id":2590,"date":"2026-04-06T14:56:08","date_gmt":"2026-04-06T14:56:08","guid":{"rendered":"https:\/\/www.europesays.com\/germany\/2590\/"},"modified":"2026-04-06T14:56:08","modified_gmt":"2026-04-06T14:56:08","slug":"bka-unmasks-two-revil-ransomware-operators-behind-130-german-attacks","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/germany\/2590\/","title":{"rendered":"BKA unmasks two REvil Ransomware operators behind 130+ German attacks"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/author\/paganinip\" rel=\"nofollow noopener\" target=\"_blank\">Pierluigi Paganini<\/a><br \/>\nApril 06, 2026<\/p>\n<p>German police BKA identified two key REvil ransomware members, linking them to over 130 attacks in Germany.<\/p>\n<p>Germany\u2019s Federal Criminal Police (BKA) has identified two key figures behind the <a href=\"https:\/\/securityaffairs.com\/tag\/revil-ransomware\" type=\"post_tag\" id=\"10850\" rel=\"nofollow noopener\" target=\"_blank\">REvil ransomware<\/a> group, linking them to more than 130 attacks in the country. 
The first suspect is Daniil Maksimovich Shchukin (31), a Russian national known online as UNKN, who promoted ransomware on cybercrime forums.<\/p>\n<p>\u201cDaniil Maksimovich Shchukin is wanted internationally on suspicion of numerous organized and commercial ransomware extortions targeting businesses, public institutions, and other organizations.\u201d reads the <a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/CC_BW\/DMS\/Sachverhalt.html?nn=26874#detailinformationen265540\" rel=\"nofollow noopener\" target=\"_blank\">BKA\u2019s Announcement<\/a>. \u201cFrom at least the beginning of 2019 until at least July 2021, he and others acted as the leader of one of the world\u2019s largest ransomware groups, known as GandCrab\/REvil.\u201d<\/p>\n<p>Between early 2019 and July 2021, Shchukin promoted the ransomware on the popular XSS cybercrime forums.<\/p>\n<p>\u201cAn elusive hacker who went by the handle \u201cUNKN\u201d and ran the early Russian ransomware groups\u00a0<a href=\"https:\/\/securityaffairs.com\/tag\/gandcrab\" type=\"post_tag\" id=\"7719\" rel=\"nofollow noopener\" target=\"_blank\">GandCrab<\/a>\u00a0and\u00a0REvil\u00a0now has a name and a face. Authorities in Germany say 31-year-old Russian\u00a0Daniil Maksimovich Shchukin\u00a0headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.\u201d <a href=\"https:\/\/krebsonsecurity.com\/2026\/04\/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab\/\" rel=\"nofollow noopener\" target=\"_blank\">reported<\/a> the popular cybersecurity investigator Brian Krebs. \u201cShchukin was named as UNKN (a.k.a. 
UNKNOWN) in\u00a0<a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/CC_BW\/DMS\/Sachverhalt.html?nn=26874#detailinformationen265540\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">an advisory<\/a>\u00a0published by the\u00a0German Federal Criminal Police\u00a0(the \u201cBundeskriminalamt\u201d or BKA for short). The BKA said Shchukin and another Russian \u2014 43-year-old\u00a0Anatoly Sergeevitsch Kravchuk\u00a0\u2014 extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.\u201d<\/p>\n<p>Krebs remarked that Shchukin\u2019s name appeared in a <a href=\"https:\/\/krebsonsecurity.com\/2026\/04\/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab\/#:~:text=Germany%E2%80%99s%20BKA%20said,reorganization%20of%20GandCrab.\" rel=\"nofollow noopener\" target=\"_blank\">2023 U.S. case<\/a> tied to crypto funds from REvil, including a wallet with over $317,000.<\/p>\n<p>On May 31, 2019, the GandCrab group shut down after earning over $2 billion from ransomware attacks and openly bragged about its success. Around the same time, REvil appeared, led by a figure known as UNKNOWN, who promoted the group on a Russian cybercrime forum and backed it with a $1 million escrow deposit.<\/p>\n<p>Experts see REvil as a rebrand of GandCrab, continuing the same model. UNKNOWN described how he rose from poverty to wealth through cybercrime and reinvested profits to expand and improve the operation like a business.<\/p>\n<p>REvil grew into a powerful ransomware group that targeted large organizations with high revenues and cyber insurance. In July 2021, it attacked <a href=\"https:\/\/securityaffairs.com\/tag\/kaseya\" type=\"post_tag\" id=\"12018\" rel=\"nofollow noopener\" target=\"_blank\">Kaseya<\/a>, impacting over 1,500 organizations. 
The FBI had already infiltrated REvil\u2019s systems and later released a free decryption key, weakening the group.<\/p>\n<p>In October 2021, the REvil ransomware gang <a href=\"https:\/\/securityaffairs.com\/123504\/cyber-crime\/revil-ransomware-shuts-down-once-again.html\" rel=\"nofollow noopener\" target=\"_blank\">shut down<\/a> its operation once again after a threat actor had hijacked its Tor leak site and payment portal. The news of the hack was shared by the REvil representative \u20180_neday\u2019 on the XSS hacking forum. He initially confirmed that someone had compromised their server, but later denied it.<\/p>\n<p>The news of the hack was first reported by\u00a0<a href=\"https:\/\/twitter.com\/ddd1ms\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Dmitry Smilyanets<\/a>\u00a0from Recorded Future.<\/p>\n<p>0_neday added that someone had brought up the REvil hidden services using the gang\u2019s private keys. He also said that the gang found no signs of compromise on its servers but decided to shut down the operation anyway.<\/p>\n<p>Authorities link Shchukin to the operation and believe he now lives in Russia. Investigators also connect him to earlier cybercrime activity under the alias \u201cGer0in,\u201d tied to botnets and malware distribution.<\/p>\n<p>German police also added Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, to the wanted list, accusing him of developing REvil during the same period.<\/p>\n<p>\u201cAnatoly Sergeevich Kravchuk is wanted internationally on suspicion of numerous organized and commercial ransomware extortions targeting businesses, public institutions, and other organizations.\u201d <a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/CC_BW\/ASK\/Sachverhalt.html\" rel=\"nofollow noopener\" target=\"_blank\">states BKA<\/a>. 
\u201cFrom at least the beginning of 2019 until at least July 2021, he and others acted as the head of one of the world\u2019s largest ransomware groups, known as GandCrab\/REvil.\u201d<\/p>\n<p>In October 2024, four former members of the REvil ransomware group <a href=\"https:\/\/securityaffairs.com\/170287\/cyber-crime\/revil-ransomware-group-member-sentenced.html\" rel=\"nofollow noopener\" target=\"_blank\">were sentenced<\/a> in Russia for hacking and money laundering, marking a rare case of Russian gang members being convicted in the country.<\/p>\n<p>The four men are Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov. They were convicted of illegal payment handling, with Puzyrevsky and Khansvyarov also found guilty of using and distributing malware.<\/p>\n<p>\u201cOn Friday, October 25, the St. Petersburg Garrison Military Court announced the verdict against Artem Zayets, Aleksey Malozemov, Daniil Puzyrevsky and Ruslan Khansvyarov. The court found them guilty of illegal circulation of means of payment (Part 2 of Article 187 of the Criminal Code of the Russian Federation).\u201d\u00a0<a href=\"https:\/\/www.kommersant.ru\/doc\/7263987\" rel=\"nofollow noopener\" target=\"_blank\">reported<\/a>\u00a0Russian news outlet Kommersant. \u201cPuzyrevsky and Khansvyarov were also found guilty of using and distributing malicious programs (Part 2 of Article 273 of the Criminal Code of the Russian Federation), a Kommersant-SPb correspondent reports from the courtroom.\u201d<\/p>\n<p>Zayets and Malozemov received 4.5 and 5 years, while Khansvyarov and Puzyrevsky were sentenced to 5.5 and 6 years in a general regime penal colony.<\/p>\n<p>The four men were identified as part of an investigation into the REvil ransomware group, prompted by a U.S. 
request linking the group\u2019s leader to cyberattacks on foreign tech firms. The authorities initially identified 14 suspects who were detained, with eight brought to trial and four more \u2013 Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev \u2013 facing separate charges of illegal computer access. The cases have been sent to the Russian Prosecutor General\u2019s Office for consolidation, and all defendants have been held since early 2022.<\/p>\n<p>In May 2024, Ukrainian national <a href=\"https:\/\/securityaffairs.com\/124352\/cyber-crime\/doj-charges-revil-ransomware-affiliate.html\" rel=\"nofollow noopener\" target=\"_blank\">Yaroslav Vasinskyi<\/a> (24), aka Rabotnik, <a href=\"https:\/\/securityaffairs.com\/162679\/cyber-crime\/revil-gang-member-sentenced.html\" rel=\"nofollow noopener\" target=\"_blank\">was sentenced<\/a> to more than 13 years in prison and ordered to pay $16 million in restitution for conducting numerous ransomware attacks and extorting victims.<\/p>\n<p>Vasinskyi is a member of the <a href=\"https:\/\/securityaffairs.com\/123504\/cyber-crime\/revil-ransomware-shuts-down-once-again.html\" rel=\"nofollow noopener\" target=\"_blank\">REvil ransomware gang<\/a> and was sentenced for his role in carrying out more than 2,500 ransomware attacks and demanding over $700 million in ransom payments.<\/p>\n<p>In November 2021, the US Department of Justice charged Vasinskyi, a REvil ransomware affiliate, with orchestrating the ransomware attacks on the <a href=\"https:\/\/securityaffairs.com\/119650\/cyber-crime\/kaseya-vsa-supply-chain-ransomware-attack.html\" rel=\"nofollow noopener\" target=\"_blank\">Kaseya MSP platform<\/a> that took place on July 4, 2021.<\/p>\n<p>Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was arrested on October 8, 2021, while trying to enter Poland. Vasinskyi was extradited to the U.S. 
in March 2022.<\/p>\n<p>Vasinskyi has been a <a href=\"https:\/\/securityaffairs.co\/wordpress\/123504\/cyber-crime\/revil-ransomware-shuts-down-once-again.html\" rel=\"nofollow noopener\" target=\"_blank\">REvil ransomware<\/a> affiliate since at least March 1st, 2019.<\/p>\n","protected":false},"excerpt":{"rendered":"BKA unmasks two REvil Ransomware operators behind 130+ German attacks Pierluigi Paganini April 06, 2026 German police 
BKA&hellip;\n","protected":false},"author":2,"featured_media":2591,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[2821,2323,2822,5,2326,2327,2328,2329,2330,2331,2823,2333,2334],"class_list":{"0":"post-2590","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-germany","8":"tag-bka","9":"tag-cybercrime","10":"tag-gandcrab-ransomware","11":"tag-germany","12":"tag-hacking","13":"tag-hacking-news","14":"tag-information-security-news","15":"tag-it-information-security","16":"tag-malware","17":"tag-pierluigi-paganini","18":"tag-revil-ransomware","19":"tag-security-affairs","20":"tag-security-news"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/posts\/2590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/comments?post=2590"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/posts\/2590\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/media\/2591"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/media?parent=2590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/categories?post=2590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/tags?post=2590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}