German authorities identify alleged leader of REvil and GandCrab ransomware gangs

April 6, 2026 | 2 min read | 1 source

German law enforcement has publicly identified the alleged mastermind behind two of the most destructive ransomware families in recent history. Authorities named 31-year-old Russian national Daniil Maksimovich Shchukin as the operator behind the alias “UNKN,” who they say directed the GandCrab and REvil cybercrime syndicates.

According to Germany's Federal Criminal Police Office (BKA), Shchukin is linked to at least 130 acts of computer sabotage and extortion targeting German organizations between 2019 and 2021.

The GandCrab and REvil groups operated as highly profitable Ransomware-as-a-Service (RaaS) platforms, providing malware and infrastructure to affiliates in exchange for a cut of the profits. REvil, widely considered the successor to GandCrab, pioneered the “double extortion” tactic, where attackers not only encrypt a victim’s data but also steal it and threaten to publish it online if the ransom is not paid. These gangs were responsible for high-profile attacks against major corporations worldwide, including meat processor JBS and software provider Kaseya, causing billions of dollars in damages.

While Shchukin remains at large, the public identification is a significant step. An international arrest warrant is expected, which would severely restrict his ability to travel outside of Russia. However, prosecution remains a challenge, as Russia does not typically extradite its citizens to face charges in Western countries. The move primarily serves to disrupt the operator's activities and apply financial and social pressure.

This identification is the latest development in a sustained, multi-national effort to dismantle the ransomware ecosystem. Law enforcement agencies in Europe and North America have increasingly focused on identifying key players, seizing cryptocurrency assets, and disrupting the technical infrastructure that enables these widespread attacks. The BKA's announcement signals continued international cooperation in holding top-tier cybercriminals accountable for their actions.
