How German Authorities Unmasked the Ransomware Kingpin Behind GandCrab and REvil
Introduction
The elusive hacker known as UNKN (UNKNOWN) who masterminded the devastating GandCrab and REvil ransomware operations was finally identified in 2023. German Federal Criminal Police (BKA) revealed the man behind the nickname: 31-year-old Russian Daniil Maksimovich Shchukin. He and his accomplice Anatoly Sergeevitsch Kravchuk are accused of orchestrating at least 130 cyberattacks in Germany between 2019 and 2021, extorting nearly €2 million and causing over €35 million in total damages. This step-by-step guide reconstructs the investigation that led to their identification, offering a blueprint for law enforcement and cybersecurity professionals tracking down ransomware leaders.

What You Need
- Access to cryptocurrency blockchain analysis tools (e.g., Chainalysis or CipherTrace)
- Cooperation with international law enforcement (e.g., Europol, FBI, DOJ)
- Monitored cybercrime forums (Russian-language forums like Exploit.in)
- Insider interviews (e.g., with former criminals or security researchers like Dmitry Smilyanets)
- Legal authority to seize digital assets and file charges across jurisdictions
- Historical malware samples and code analysis of GandCrab and REvil
- Victim reports detailing ransom notes, payment demands, and stolen data
Step-by-Step Guide
Step 1: Analyze the Ransomware Affiliate Programs
GandCrab first appeared in January 2018 as a ransomware-as-a-service (RaaS) operation. Security teams needed to understand its business model: the gang recruited hackers to breach corporate networks, then expanded access and exfiltrated data. The operators released five major code revisions, each adding features to evade detection. Investigators collected these samples and traced affiliate connections. By studying the group's takedown announcement on May 31, 2019—in which GandCrab boasted of earning over $2 billion and claimed they could "do evil and get off scot-free"—analysts gleaned clues about the leadership's mindset and likely next moves.
Step 2: Identify the Successor Group (REvil)
Almost simultaneously with GandCrab's closure, a new group called REvil appeared on a Russian cybercrime forum. A user named UNKNOWN announced he had deposited $1 million in escrow to prove his seriousness. Cybersecurity experts quickly concluded that REvil was a rebranding of GandCrab, as the code and tactics overlapped. Investigators focused on this forum activity, noting the unique alias and the large escrow amount. They archived the posts and tracked related cryptocurrency transactions linked to the escrow account.
Step 3: Conduct Deep Background via Interviews
UNKNOWN gave a revealing interview to Dmitry Smilyanets, a former cybercriminal turned security researcher. This interview, preserved by law enforcement, provided personality traits, language patterns, and possible geographic hints. Analysts cross-referenced these details with other known Russian-speaking hackers to narrow down the suspect pool. The interview also discussed the group's double extortion method—encrypting files and threatening to leak stolen data—which became a signature of REvil.

Image source: krebsonsecurity.com
Step 4: Trace Cryptocurrency Payments to Real Identities
In February 2023, the U.S. Department of Justice filed a seizure request for cryptocurrency accounts linked to REvil. One wallet belonging to Daniil Shchukin held over $317,000 in illicit proceeds. By analyzing the blockchain, authorities connected the wallet to forum aliases and to the broader REvil payment infrastructure. Germany's BKA used similar forensic methods to link Shchukin to extortion payments from German victims, especially those made in 2020-2021.
Step 5: Coordinate with International Agencies and Issue a Public Advisory
The BKA partnered with the FBI and other European agencies to share intelligence. Once enough evidence was collected, they published an official advisory naming Shchukin (UNKN) and Kravchuk as the alleged leaders. The advisory detailed the 130 acts of computer sabotage and the €2 million in direct extortion. This public identification not only helps future investigations but also disrupts the criminals' ability to operate under cover.
Step 6: Seize Assets and Prepare Charges
With suspect names known, German authorities proceeded to seize any remaining digital assets and prepare extradition requests against Shchukin and Kravchuk. The DOJ's earlier wallet seizure was a critical precursor. Law enforcement now monitors all known aliases and wallets tied to the duo to prevent them from moving funds or starting new operations.
Tips and Conclusion
- Persistence pays off. The investigation took years, starting from the first GandCrab attacks in 2018 and ending with the naming of Shchukin in 2023.
- Follow the money—cryptocurrency leaves a trail. Blockchain analysis was essential to connect the forum alias UNKN to real bank accounts.
- Don't underestimate forum chatter. The announcement of REvil with a $1 million escrow was a major lead.
- International collaboration is non-negotiable. This case involved German, American, and possibly other European agencies sharing data across borders.
- Finally, public naming can deter future criminals. By exposing UNKN, authorities showed that even the most careful ransomware kingpins can be identified.