{"id":2641,"date":"2026-04-06T21:29:16","date_gmt":"2026-04-06T21:29:16","guid":{"rendered":"https:\/\/www.europesays.com\/germany\/2641\/"},"modified":"2026-04-06T21:29:16","modified_gmt":"2026-04-06T21:29:16","slug":"germany-unmasks-alleged-revil-mastermind-unkn-in-cybercrime-crackdown","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/germany\/2641\/","title":{"rendered":"Germany Unmasks Alleged REvil Mastermind \u2018UNKN\u2019 in Cybercrime Crackdown"},"content":{"rendered":"<p>Germany has publicly identified the alleged operator behind one of the most infamous ransomware ecosystems, marking a significant development in the global fight against organized cybercrime.<\/p>\n<p>The German Federal Criminal Police Office (BKA) has named 31-year-old Russian national Daniil Maksimovich Shchukin as the individual operating under the alias \u201cUNKN,\u201d a figure long associated with the GandCrab and REvil ransomware groups. <\/p>\n<p>The attribution, based on extensive investigations, provides rare insight into the leadership structure of two operations that reshaped the modern ransomware landscape.<\/p>\n<p><a href=\"https:\/\/krebsonsecurity.com\/2026\/04\/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab\/\" type=\"link\" id=\"https:\/\/krebsonsecurity.com\/2026\/04\/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to authorities, <\/a>Shchukin worked closely with 43-year-old Anatoly Sergeevitsch Kravchuk, coordinating at least 130 cyberattacks targeting organizations across Germany between 2019 and 2021. 
<\/p>\n<p>These campaigns reportedly generated approximately \u20ac2 million in ransom payments while inflicting more than \u20ac35 million in broader economic damage through operational disruption and recovery costs.<\/p>\n<p>Under Shchukin\u2019s alleged leadership, REvil, the successor to GandCrab, was among the earliest ransomware operations to adopt the now widespread \u201cdouble extortion\u201d model.<\/p>\n<p>This approach significantly increased pressure on victims by combining two tactics: exfiltrating sensitive data first, for use as additional leverage, and then encrypting critical systems to halt operations.<\/p>\n<p>Victims were pressured to pay not only for decryption keys but also to prevent publication of the stolen data, which meant that even organizations with sound, tested backups remained exposed to extortion and which markedly improved the attackers\u2019 payment rates.<\/p>\n<p>GandCrab first emerged in early 2018 as a <a href=\"https:\/\/cyberpress.org\/raas-becomes-the-dominant-framework-for-cyberattacks\/\" type=\"post\" id=\"27186\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Ransomware-as-a-Service (RaaS)<\/a> platform: affiliates broke into victim networks and deployed the malware, while the core operators maintained the code and payment infrastructure and kept a share of each ransom.<\/p>\n<p>This scalable, franchise-like model accelerated adoption among cybercriminals. When GandCrab abruptly shut down in 2019, claiming over $2 billion in ransom payments, REvil (also known as Sodinokibi), first observed in April of that year, took its place, reusing much of the same infrastructure, tooling, and affiliate network.<\/p>\n<p>Security researchers widely viewed REvil as a direct evolution of GandCrab rather than a new operation.<\/p>\n<p>REvil operated with a level of organization comparable to a legitimate enterprise. The group reinvested profits into development and outsourced key functions within the cybercriminal ecosystem.<\/p>\n<p>Initial network access was often purchased from initial access brokers, while financial flows were handled by professional money launderers. 
<\/p>\n<p>This division of labor allowed the core developers to concentrate on the ransomware itself, refining its encryption routines and the techniques it used to evade detection by traditional security tools.<\/p>\n<p>The group also adopted a \u201cbig-game hunting\u201d strategy, targeting large enterprises with substantial financial resources and cyber insurance coverage.<\/p>\n<p>One of the most damaging incidents attributed to REvil occurred over the July 4 weekend in 2021, when affiliates exploited vulnerabilities in Kaseya VSA, a widely used remote monitoring and management platform, and used it to push the ransomware to the customers of managed service providers that ran it.<\/p>\n<p>The resulting supply chain attack disrupted roughly 1,500 downstream businesses globally, underscoring the systemic risk posed by ransomware groups targeting service providers and the management tooling they rely on.<\/p>\n<p>However, this high-profile campaign contributed to REvil\u2019s eventual downfall. Law enforcement agencies, including the FBI, infiltrated the group\u2019s infrastructure and obtained decryption keys, which were later used to provide a decryptor to victims.<\/p>\n<p>The operation significantly weakened REvil\u2019s capabilities and marked a turning point in coordinated international responses to ransomware.<\/p>\n<p>Despite the identification of Shchukin, enforcement challenges remain. German authorities believe he is currently residing in Krasnodar, Russia, and Russia does not extradite its own nationals, placing him beyond the immediate reach of prosecution abroad.<\/p>\n<p>Nevertheless, financial disruption efforts continue. In 2023, the U.S. 
Department of Justice seized more than $317,000 in cryptocurrency linked to wallets allegedly controlled by Shchukin.<\/p>\n<p>The unmasking of \u201cUNKN\u201d highlights both progress and limitations in combating transnational cybercrime, where attribution is improving but jurisdictional barriers still hinder prosecution.<\/p>\n","protected":false},"excerpt":{"rendered":"Germany has publicly identified the alleged operator behind one of the most infamous ransomware ecosystems, marking a 
significant&hellip;\n","protected":false},"author":2,"featured_media":2642,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[2856,2857,5],"class_list":{"0":"post-2641","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-germany","8":"tag-cyber-security","9":"tag-cyber-security-news","10":"tag-germany"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/posts\/2641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/comments?post=2641"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/posts\/2641\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/media\/2642"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/media?parent=2641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/categories?post=2641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/germany\/wp-json\/wp\/v2\/tags?post=2641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}