Germany BKA Identifies REvil and GandCrab Leader 'UNKN' as Russian National Daniil Shchukin

Germany's federal criminal police (BKA) publicly attributed the REvil and GandCrab ransomware-as-a-service platforms to 31-year-old Russian national Daniil Shchukin, holding him responsible for 130+ attacks in Germany causing over €35 million in economic damage. Shchukin operates from Krasnodar and remains beyond extradition reach, but the attribution breaks the historical anonymity of top-tier RaaS operators and may precede US OFAC sanctions.

#ransomware #attribution #revil #gandcrab #germany #russia #law-enforcement

Germany’s Bundeskriminalamt (BKA) publicly identified Daniil Maksimovich Shchukin — a 31-year-old Russian national — as the operator known as ‘UNKN’, the administrative lead of both GandCrab and REvil ransomware-as-a-service (RaaS) platforms. The BKA attributed to Shchukin at least 130 acts of computer sabotage and extortion targeting German organisations between 2019 and 2021, causing economic damages exceeding €35 million.

Background: GandCrab and REvil

GandCrab launched in early 2018 and became the world’s most active RaaS operation within 18 months, claiming to have generated over $2 billion in ransom payments before its operators announced “retirement” in May 2019. REvil (Sodinokibi) launched shortly after, using the same affiliate infrastructure, identical technical architecture, and the same ‘UNKN’/‘Unknown’ operator handles on Russian-language criminal forums including XSS and Exploit.

REvil was responsible for two of the most disruptive ransomware events of 2021: the JBS Foods attack (June 2021), which disrupted beef production across North America and Australia, and the Kaseya VSA supply chain attack (July 2021), which simultaneously compromised up to 1,500 managed service provider customers through a single product vulnerability.

Attribution Basis

The BKA’s attribution builds on a multinational investigation, including Operation GoldDust (Europol, 2021) and prior US DOJ REvil indictments, which led to the arrest of several affiliates but never publicly named the core operator. German investigators correlated cryptocurrency transaction chains across GandCrab and REvil infrastructure, domain registration patterns, and forum persona activity to identify Shchukin as the individual behind the ‘UNKN’ and ‘Unknown’ handles.

Shchukin is believed to reside in Krasnodar, Russia. Germany has issued an arrest warrant and added him to Europol’s Most Wanted list, but practical prosecution is not imminent — Russia does not extradite nationals, and existing Russia-Germany legal frameworks provide no mechanism for compelled transfer.

Why Attribution Still Matters

Public attribution of RaaS leadership — even without extradition — carries several practical consequences:

Sanctions pathway. US OFAC has previously designated individuals identified in European law enforcement actions. A US sanctions designation would make ransom payments to operations linked to Shchukin’s infrastructure legally prohibited for US persons, with significant civil and criminal penalties.

Criminal ecosystem disruption. RaaS operators depend on maintaining reputational credibility with affiliates on criminal forums. Public doxing forces operational changes — new identities, infrastructure rotation, affiliate communication disruptions — that increase cost and reduce efficiency for the operation.

Operator continuity risk. The BKA investigation found evidence that ‘UNKN’ remained active in criminal forums after REvil’s nominal 2022 disruptions (arrests of affiliates and infrastructure seizures). Top-tier operators routinely survive law enforcement actions targeting affiliates and infrastructure, then relaunch under new branding — as GandCrab → REvil demonstrated directly.

Implications for Risk Management

The formal attribution confirms what investigators have long suspected: the GandCrab/REvil succession was not a coincidence of timing but a deliberate rebranding by the same operator. Organisations that suffered GandCrab or REvil attacks between 2018 and 2022 may find the attribution relevant to ongoing victim litigation, insurance recovery proceedings, or regulatory investigations — the identified operator connects those incidents to a single accountable individual.

  • Review OFAC/EU sanctions screening protocols for ransomware payment decisions — Shchukin’s public identification may precede a US OFAC designation, which would render payments to REvil-affiliated operations legally prohibited.
  • Brief legal and risk leadership on the attribution — boards and audit committees increasingly require documentation of ransomware threat actor context for insurance, regulatory, and governance purposes.
  • Validate detection coverage against documented REvil TTPs (MITRE ATT&CK Group G0115) — given that Shchukin appears to remain operationally active, REvil-lineage campaigns should be expected to continue under new branding.
