Germany unmasks the man behind REvil and GandCrab ransomware

Boing Boing

For years the hacker known as "UNKN" ran two of the most destructive ransomware operations on the internet. Germany's Federal Criminal Police — the Bundeskriminalamt, or BKA — now says that's Daniil Maksimovich Shchukin, a 31-year-old from Krasnodar, Russia, who authorities believe still lives there.

Shchukin allegedly ran GandCrab from its January 2018 launch until the gang voluntarily folded in May 2019, announcing it had collected over $2 billion in ransoms. REvil followed. The BKA counts 130 separate ransomware attacks on German targets between 2019 and 2021 — nearly €2 million paid directly in ransoms, with downstream losses the BKA puts above €35 million. A digital wallet linked to Shchukin held $317,000 in cryptocurrency as of a February 2023 U.S. Justice Department filing.

REvil's peak attack came when the group compromised Kaseya — a company that manages IT infrastructure for other businesses — during the July 4, 2021 holiday weekend. The ransomware cascaded through Kaseya's customer base, reaching 1,500 or more organizations: businesses, nonprofits, and government agencies. The FBI had already infiltrated REvil's servers before the Kaseya attack, but held off on tipping their hand. REvil collapsed shortly after.

The BKA also named a second suspect: Anatoly Sergeevitsch Kravchuk, 43. Both men are believed to be in Russia, which does not extradite its citizens, so the wanted notices are largely symbolic — though they do complicate international travel.
