
[Breaking] German Police Unmask REvil/GandCrab Leader 'UNKN' as 31-Year-Old Russian

Germany's BKA identifies 31-year-old Russian Daniil Shchukin as the leader of GandCrab and REvil ransomware groups. Over €35 million in damage, 130+ attacks, and the face behind the Kaseya supply-chain attack.

News | By kkm (kkm-horikawa), Backend Engineer / AWS / Django
2026.04.07 · 8 min read · 1 view

Germany's Federal Criminal Police (BKA) has publicly identified the people it says led the GandCrab and REvil ransomware operations. In an advisory published on April 5, 2026, the operator known by the handle "UNKN" (short for "Unknown") was named as Daniil Maksimovich Shchukin, a 31-year-old Russian national.

GandCrab and REvil were ransomware operations that extorted companies and government agencies worldwide between 2018 and 2021. The BKA puts the economic damage at more than €35 million (about $40 million), and GandCrab's operators themselves claimed to have extorted $2 billion before shutting down. In July 2021, REvil used a supply-chain attack on US IT management vendor Kaseya to reach roughly 1,500 downstream businesses and demanded $70 million for a universal decryptor, an incident that made headlines around the world.

The Two Identified Suspects

According to the BKA advisory, two individuals have been identified as the group's leadership:

Detail            Daniil Shchukin                      Anatoly Kravchuk
Handle            UNKN (UNKNOWN)                       Not disclosed
Age               31                                   43
Nationality       Russian (from Krasnodar)             Ukraine-born, Russian citizen
Role              Central figure of GandCrab/REvil     Developer
Charges           130+ acts of cyber extortion         Conspiracy (same charges)
                  (in Germany alone)
Current location  Believed to be in Russia             Believed to be in Russia

According to the BKA, Shchukin deposited $1 million into a cybercrime forum's escrow service while recruiting affiliates, a way of proving financial credibility within the criminal ecosystem.

The U.S. Department of Justice filed seizure proceedings against cryptocurrency wallets linked to Shchukin in February 2023, recovering over $317,000.

Are GandCrab and REvil the Same Group?

The short answer: most security researchers treat REvil as a rebrand of GandCrab, run by the same core operators with much of the same code.

GandCrab emerged in January 2018 as a "RaaS (Ransomware as a Service)" operation. The core team built and maintained the malware and the payment infrastructure, then outsourced the actual intrusions to "affiliates", other criminals who kept 60–70% of each ransom while the developers took the remaining 30–40%.

On May 31, 2019, GandCrab announced its "retirement" after claiming $2 billion in total extortions. REvil (also called Sodinokibi) had already been seen in the wild in April 2019, weeks before that announcement, and took over as GandCrab wound down. Its code structure, affiliate roster, and operational playbook closely matched GandCrab's, and multiple security firms, including Palo Alto Networks' Unit 42, classified the two as the same group under a new name.

The BKA advisory formally confirms what researchers have long suspected: Shchukin led both operations.

GandCrab/REvil Timeline

January 2018: GandCrab appears, operating on the ransomware-as-a-service model.
April 2019: REvil (Sodinokibi) first observed in the wild.
May 31, 2019: GandCrab announces its "retirement", claiming $2 billion in total extortions.
July 2, 2021: Kaseya VSA supply-chain attack; roughly 1,500 businesses affected, $70 million demanded for a universal decryptor.
October 2021: REvil affiliate Yaroslav Vasinskyi arrested in Poland.
January 2022: Russia's FSB arrests 14 REvil suspects.
March 2022: Vasinskyi transferred to the United States.
February 2023: US Department of Justice files seizure proceedings against cryptocurrency wallets linked to Shchukin.
May 2024: Vasinskyi sentenced by a federal court in Texas.
April 5, 2026: BKA publicly identifies Shchukin and Kravchuk.

What Happened in the Kaseya Attack

The attack that put REvil on the global stage was the Kaseya VSA attack of July 2, 2021, launched at the start of the US Independence Day holiday weekend, when IT staff were least likely to be watching.

Kaseya's VSA product is remote monitoring and management software used by MSPs (Managed Service Providers) to administer their customers' machines. REvil exploited a previously unknown vulnerability in on-premises VSA servers and abused the product's own software-deployment capability to push ransomware from each compromised MSP to its customers. One vendor compromise therefore fanned out to thousands of endpoints the attackers never had to touch directly, a classic supply-chain attack.

According to CNN, over 1,500 businesses were affected globally. Swedish supermarket chain Coop was forced to close approximately 800 stores after their checkout systems went down, remaining shut for nearly a week. REvil demanded $70 million for a universal decryptor.

This attack epitomized REvil's "big-game hunting" strategy: targeting enterprises with over $100 million in annual revenue, prioritizing those with cyber insurance policies — because insured companies are more likely to pay.

Arrests and Trial Outcomes So Far

Multiple arrests have been made in connection with REvil, though the central figures remain at large.

The harshest sentence went to Ukrainian national Yaroslav Vasinskyi. Directly implicated in the Kaseya attack, he was arrested in Poland in October 2021 and extradited to the US in March 2022. In May 2024, a federal court in Texas sentenced him to 13 years and 7 months in prison and ordered him to pay over $16 million in restitution. According to the US Department of Justice, he had taken part in more than 2,500 attacks demanding over $700 million in ransom.

Russian national Yevgeniy Polyanin, charged with over 3,000 cyberattacks, remains wanted by US authorities but is in Russia.

Russia's FSB arrested 14 suspects in January 2022, but the outcome was grim. According to CyberScoop, only eight went to trial — and on reduced charges of "illegal financial transactions" rather than ransomware. Several were released after time served.

Have the Identified Leaders Been Arrested?

No. The BKA believes both Shchukin and Kravchuk remain in Russia.

Russia has consistently refused to extradite its citizens. Even the 14 suspects the FSB arrested in 2022 saw their cases stall after Russia's invasion of Ukraine effectively ended law-enforcement cooperation with the West. The public identification is a "name-and-shame" strategy: even without an arrest, it restricts the suspects' travel, enables asset freezes, and undermines the trust between operators and affiliates that a RaaS operation depends on.

Krebs on Security reports that Shchukin's travel patterns may take him outside Russia, where an arrest warrant could be executed.

Impact on Japanese Companies

REvil (also known as Sodinokibi) targeted Asian organizations from its early days, and Trend Micro's research confirms attacks against Japanese organizations.

While few Japanese companies were named publicly as victims, the Kaseya supply-chain attack caught overseas subsidiaries and MSP clients in its blast radius. Japan's manufacturing sector continues to face increasing ransomware threats — seven companies disclosed incidents in March 2026 alone.

The identification of GandCrab/REvil's leadership is a milestone, but it doesn't eliminate the threat. Multiple groups have inherited REvil's playbook, and the RaaS model has become the standard for cybercriminal operations.

What Eight Years of Pursuit Tell Us

Eight years after GandCrab first appeared in 2018, its leader's face and name have finally been revealed.

Investigations spanning Germany, the United States, Poland, and Russia have produced convictions of affiliates and seizures of cryptocurrency. Yet as long as the masterminds remain in Russia, physically apprehending them remains out of reach.

Even without an arrest, public identification carries weight: travel restrictions, asset freezes, and the collapse of anonymity that criminal networks rely upon. The message from investigators is clear — the era of operating ransomware empires behind a screen name is drawing to a close.
