31-year-old Daniil Maksimovich Shchukin is UNKN. That’s not a placeholder. It’s not a rumor. It’s not a theory floated in some encrypted chat log. It’s a fact, confirmed by Germany’s Bundeskriminalamt on April 27, 2026, and it lands like a hammer blow in the underground world of Russian-speaking ransomware.
Key Takeaways
- Daniil Maksimovich Shchukin, 31, has been publicly identified as UNKN — the operator behind both REvil and GandCrab.
- German authorities tie him to 130 acts of computer sabotage between 2019 and 2021, causing over 35 million euros in economic damage.
- Shchukin and co-conspirator Anatoly Sergeevitsch Kravchuk extorted nearly 2 million euros across two dozen attacks in Germany alone.
- The BKA’s advisory marks the first official doxxing of the mythologized figure who once declared, “We are a living proof that you can do evil and get off scot-free.”
- U.S. authorities previously named Shchukin in a February 2023 seizure filing, citing a crypto wallet holding more than $317,000 from REvil operations.
The Fall of a Ransomware Myth
For years, UNKN wasn’t a person. He was an idea. A digital specter who surfaced on Russian cybercrime forums with the authority of a warlord and the anonymity of a ghost. He fronted REvil like a CEO who never showed his face. He claimed credit for GandCrab’s billion-dollar blitz. And when GandCrab vanished in 2019, he didn’t mourn it — he replaced it.
Now, that myth is dead. German federal police have torn down the alias. They’ve tied Shchukin directly to both groups, not just through forensic trails but through a pattern of behavior so consistent it borders on arrogance. The BKA didn’t just name him — they pinned 130 separate acts of sabotage on him. That’s not a hack here and there. That’s a sustained campaign of digital siege.
And the damage? 35 million euros. That’s hospitals unable to access patient records. Factories halting production. Municipal systems paralyzed. All because one man, operating from the shadows, decided to monetize chaos.
From GandCrab to REvil: The Rebrand Was the Tell
Here’s what most observers missed at the time: REvil didn’t emerge from nowhere. It appeared immediately after GandCrab shut down. Same tactics. Same affiliate model. Same double extortion playbook: encrypt your data, steal your files, then charge you twice.
GandCrab launched in January 2018 as a ransomware-as-a-service (RaaS) platform, paying affiliates a huge cut — often 60% — just for breaching corporate networks. The core team, led by UNKN, would then weaponize that access, moving laterally, exfiltrating data, and locking systems with increasingly sophisticated payloads. Five major versions rolled out in just 17 months, each packed with anti-analysis tricks and evasion techniques.
Then, on May 31, 2019, GandCrab’s operators posted a farewell message that reeked of triumph:
“We are a living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”
That wasn’t a surrender. It was a victory lap.
Within months, a new figure — UNKNOWN — appeared on the same underground forums, depositing $1 million into escrow to prove his financial credibility. The message was clear: I’m well-funded, I’m serious, and I’m open for business. That business? REvil. The continuity wasn’t subtle. It was practically a press release.
Double Extortion: The Business Model That Changed Cybercrime
UNKN didn’t invent ransomware. But he perfected its most profitable evolution: double extortion. Before, attackers encrypted data and demanded a ransom for the decryption key. Simple. Direct. But limited by the victim’s ability to restore from backups.
UNKN’s innovation was to add a second lever: threaten to publish stolen data. Now, even if you had backups, you still had to pay — or risk reputational collapse, regulatory fines, or exposure of trade secrets. That turned ransomware from a disruption into a blackmail engine.
GandCrab used it. REvil weaponized it. And under Shchukin’s leadership, it became standard across the entire ransomware ecosystem. Today, nearly every major ransomware group uses some form of it. That’s his legacy — a playbook so effective it’s now industry standard.
The German Case: Precision Over Hype
What makes the BKA’s announcement remarkable isn’t the scale — though 130 attacks and 35 million euros in damages are staggering — but the specificity. This isn’t a vague attribution. It’s a surgical strike.
The BKA tied Shchukin and his alleged co-conspirator, 43-year-old Anatoly Sergeevitsch Kravchuk, to two dozen cyberattacks in Germany alone. They didn’t just say “linked to” — they said “carried out.” That’s a prosecutorial distinction. It implies evidence that goes beyond IP logs or wallet addresses. It suggests human intelligence, forensic timelines, or insider cooperation.
And the $2 million in extorted funds? That’s just the German slice. REvil’s global haul was far larger. But Germany’s focus on its domestic impact avoids the bluster of broader international claims. It’s quiet, methodical, and damning.
U.S. Already Had His Name — And His Crypto
Shchukin wasn’t invisible to Western law enforcement before today. The reporting this article draws on notes that his name appeared in a U.S. Justice Department filing from February 2023, seeking seizure of cryptocurrency accounts tied to REvil.
That filing specifically identified a digital wallet linked to Shchukin containing more than $317,000 in proceeds. Not Bitcoin mined in 2012. Not Monero with layered obfuscation. A traceable wallet. Connected to a name.
Yet, until now, that name remained buried in legal documents. The BKA’s decision to publish it publicly — on April 27, 2026 — changes everything. It turns a shadowy figure into a fugitive with a face. It invites scrutiny. It enables tracking. It makes extradition — however unlikely under current Russia-EU relations — a formal possibility.
- GandCrab operated from January 2018 to May 31, 2019.
- Extorted over $2 billion globally before shutdown.
- REvil emerged immediately after, with UNKNOWN depositing $1M in forum escrow.
- BKA attributes 130 sabotage acts (2019–2021) to Shchukin, two dozen of them in Germany alone.
- A crypto wallet tied to Shchukin and targeted for seizure by U.S. authorities held $317,000+.
What This Means For You
If you’re a developer building internal systems or cloud infrastructure, this isn’t just a crime story — it’s a case study in persistence. Shchukin didn’t win because he was the most technically brilliant hacker. He won because he ran ransomware like a business: scalable, reliable, and relentlessly optimized for profit. The affiliate model he used — paying others to breach networks — turned cybercrime into a franchise operation. That model is still alive. It’s still dangerous. And it’s still targeting companies like yours.
For founders and CTOs, the lesson is about assumptions. We assume ransomware actors are scattered, short-term players. But UNKN operated at scale for years, across multiple brands, with institutional memory and strategic planning. Your security model must assume the same: not random attackers, but organized, funded, and adaptive adversaries. That means zero trust isn’t optional. That means air-gapped backups matter. That means incident response plans need to account for data exposure — not just encryption.
One thing hasn’t changed since 2019: the core weakness isn’t the malware. It’s the human chain of access. Shchukin’s empire was built on phishing, weak credentials, and unpatched systems. The tools evolve. The playbook doesn’t.
Sources: Krebs on Security, Deutsche Welle (via BKA press release)