The Face Behind the Ransomware: Daniil Maksimovich Shchukin Identified as Leader of GandCrab and REvil

The shadowy figure operating under the moniker "UNKN," or "UNKNOWN," who helmed some of the most disruptive ransomware operations in recent history, including GandCrab and REvil, has been unmasked. German authorities have identified the elusive hacker as Daniil Maksimovich Shchukin, a 31-year-old Russian national. Investigations by the German Federal Criminal Police (Bundeskriminalamt, or BKA) indicate that Shchukin was instrumental in orchestrating at least 130 acts of computer sabotage and extortion targeting victims across Germany between 2019 and 2021.

The BKA formally named Shchukin, along with a second Russian national, 43-year-old Anatoly Sergeevitsch Kravchuk, in an official advisory. Their alleged criminal enterprise extorted nearly €2 million (approximately $2.1 million USD at the time) through approximately two dozen cyberattacks, collectively inflicting over €35 million (approximately $38 million USD) in economic damage. Shchukin is accused of leading both the GandCrab and REvil ransomware gangs, groups renowned for pioneering and popularizing the insidious "double extortion" tactic. This strategy involved not only demanding a ransom for the decryption key to restore compromised systems but also a separate payment to prevent the public release of exfiltrated sensitive data, thereby significantly amplifying the pressure on victims.

The Rise of Digital Extortion: GandCrab and REvil’s Reign

The genesis of the GandCrab ransomware affiliate program dates back to January 2018. This model offered substantial profit shares to hackers who successfully infiltrated corporate networks. The GandCrab operators would then leverage this initial access to expand their reach, often siphoning vast quantities of confidential and proprietary information. The group’s technical prowess was evident in the release of five major revisions to their malware, each incorporating sophisticated new features and bug fixes designed to evade detection by cybersecurity firms.

On May 31, 2019, the GandCrab collective announced its abrupt shutdown, claiming to have extorted over $2 billion from its victims. Their farewell message, posted on a Russian cybercrime forum, was a chilling testament to their success: "We are living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit." This statement underscored the perceived impunity enjoyed by the group and the lucrative nature of their criminal enterprise.

Coinciding with GandCrab’s demise, the REvil ransomware affiliate program emerged, spearheaded by a figure identified as UNKNOWN. This individual demonstrably signaled his commitment to the new venture by depositing $1 million into the cybercrime forum’s escrow service. Many cybersecurity experts at the time quickly surmised that REvil represented a direct evolution or reorganization of the GandCrab operation, a suspicion now substantiated by Shchukin’s alleged leadership of both entities.

A Glimpse into UNKNOWN’s Past

The persona of UNKNOWN was further illuminated through an interview conducted by Dmitry Smilyanets, a former malicious hacker now employed by Recorded Future. In this interview, UNKNOWN, believed to be Shchukin, recounted a stark rags-to-riches narrative, highlighting his impoverished upbringing in Russia: "As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire." This personal account offers a disturbing insight into the motivations that may have driven his trajectory into high-stakes cybercrime.

The operational model of these ransomware groups, as detailed in the book "The Ransomware Hunting Team" by Renee Dudley and Daniel Golden, mirrored legitimate business practices in their sophisticated approach to scaling their operations. Ransomware developers increasingly outsourced non-core functions, such as logistics and web design, to focus on enhancing the efficacy of their malware. This allowed for the creation of higher-quality ransomware, often rendering it impervious to standard anti-malware defenses. The substantial profits generated by these advanced tools were then reinvested into their enterprises, leading to the recruitment of more specialists and a self-accelerating cycle of success.

This burgeoning ransomware economy fostered a network of ancillary service providers within the criminal underworld. These included "cryptor" providers who ensured their malware evaded detection, "initial access brokerages" specializing in stealing credentials and identifying network vulnerabilities for sale to ransomware operators, and "Bitcoin tumblers" that facilitated the laundering of ransom payments. Some contractors operated indiscriminately, while others formed exclusive partnerships with specific gangs.

The Evolution to "Big-Game Hunting"

REvil, in particular, evolved into a formidable "big-game hunting" operation. The group primarily targeted large organizations with annual revenues exceeding $100 million, often those with substantial cyber insurance policies that were known to pay out ransoms. This strategic targeting maximized their potential financial gains.

A watershed moment in REvil’s history, and a significant blow to its operations, occurred over the July 4th weekend in 2021. REvil successfully infiltrated and extorted Kaseya, a company providing IT management software to over 1,500 businesses, nonprofits, and government agencies. Following this high-profile attack, the FBI revealed that they had infiltrated REvil’s servers prior to the Kaseya breach but were unable to disclose their findings publicly at the time. The subsequent compromise of REvil’s infrastructure and the FBI’s release of a free decryption key for victims proved to be a devastating setback from which the group never fully recovered.

Unmasking UNKN: Evidence and Identification

The U.S. Department of Justice had previously alluded to Shchukin’s involvement in a February 2023 filing related to the seizure of cryptocurrency accounts linked to REvil’s illicit activities. This filing indicated that a digital wallet associated with Shchukin contained over $317,000 in cryptocurrency.

While direct links between Shchukin and the UNKNOWN persona on Russian crime forums were initially scarce, intelligence gathered by the cyber firm Intel 471 revealed a strong connection between Shchukin and a hacker identity known as "Ger0in." Ger0in was active between 2010 and 2011, operating large botnets and selling "installs" that enabled other cybercriminals to rapidly deploy malware. Although Ger0in’s activity predates UNKNOWN’s emergence as the REvil frontman, this early involvement in facilitating large-scale malware distribution suggests a long-standing presence in the cybercrime ecosystem.

The identification of Shchukin as UNKN has been further corroborated through visual evidence. A review of mugshots released by the BKA, when cross-referenced with images on the facial recognition site Pimeyes, revealed a match with photographs from a 2023 birthday celebration. These images depict a young man named Daniel wearing a distinctive watch identical to one seen in the BKA’s official photographs of Shchukin. The birthday celebration, which took place in Krasnodar, Russia, where Shchukin is believed to reside, provides a concrete link between his public persona and his alleged criminal activities.

Official Statements and Broader Implications

The BKA has stated that Shchukin is believed to be located in Russia, and while travel outside the country cannot be definitively ruled out, his presumed location complicates immediate extradition efforts. The advisory from the German Federal Criminal Police serves as a critical alert to law enforcement agencies and the cybersecurity community, underscoring the persistent threat posed by sophisticated ransomware operations.

An update to the original reporting on April 6, 2024, revealed that Shchukin’s identity as the REvil leader had been previously disclosed in an English-dubbed audio recording of a talk given at the 2023 Chaos Communication Congress (37C3) conference in Germany. This presentation, which discussed the "Hackback" approach to cyber warfare, mentioned Shchukin at approximately the 24:25 mark, further solidifying the evidence against him.

The unmasking of Daniil Maksimovich Shchukin represents a significant victory in the ongoing battle against cybercrime. It underscores the critical role of international law enforcement cooperation and advanced intelligence gathering in dismantling sophisticated criminal networks. The financial and economic damage inflicted by GandCrab and REvil serves as a stark reminder of the pervasive threat that ransomware poses to individuals, businesses, and governments worldwide. The identification of key figures like Shchukin is crucial not only for accountability but also for understanding the organizational structures and operational methodologies that enable these devastating attacks. As cybercrime continues to evolve, so too must the strategies and collaborative efforts employed by law enforcement and cybersecurity professionals to mitigate its impact. The case of Shchukin highlights the complex interplay between personal background, technological sophistication, and the vast economic incentives that drive individuals into the heart of global cybercriminal enterprises.