{"id":5374,"date":"2025-12-02T04:45:03","date_gmt":"2025-12-02T04:45:03","guid":{"rendered":"http:\/\/codeguilds.com\/?p=5374"},"modified":"2025-12-02T04:45:03","modified_gmt":"2025-12-02T04:45:03","slug":"the-face-of-fear-daniil-maksimovich-shchukin-the-architect-behind-gandcrab-and-revil-ransomware-empires-identified-by-german-authorities","status":"publish","type":"post","link":"https:\/\/codeguilds.com\/?p=5374","title":{"rendered":"The Face of Fear: Daniil Maksimovich Shchukin, the Architect Behind GandCrab and REvil Ransomware Empires, Identified by German Authorities"},"content":{"rendered":"<p>Authorities in Germany have unmasked the elusive hacker known by the moniker &quot;UNKN,&quot; identifying him as 31-year-old Russian national Daniil Maksimovich Shchukin. German law enforcement officials now assert that Shchukin was the mastermind behind two of the most prolific and destructive ransomware operations of recent years: GandCrab and REvil. Between 2019 and 2021, Shchukin allegedly orchestrated at least 130 acts of computer sabotage and extortion, targeting victims across Germany and inflicting substantial economic damage.<\/p>\n<p>The breakthrough in identifying Shchukin comes from an official advisory published by the German Federal Criminal Police (Bundeskriminalamt, or BKA). The BKA has named Shchukin, also known as UNKNOWN, as a key figure in these cybercrime syndicates. Alongside him, authorities have identified 43-year-old Russian national Anatoly Sergeevitsch Kravchuk as another significant player. 
Together, they are accused of extorting nearly \u20ac2 million from victims through two dozen cyberattacks that collectively resulted in over \u20ac35 million in economic losses.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Rise_of_Double_Extortion\"><\/span>The Rise of Double Extortion<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The BKA&#8217;s findings place Shchukin at the helm of GandCrab and REvil, two ransomware groups that not only deployed devastating malware but also pioneered and perfected the chilling tactic of &quot;double extortion.&quot; This insidious strategy involved demanding a ransom payment to decrypt encrypted files, and then, in a subsequent demand, threatening to publish sensitive data stolen from the victim&#8217;s systems if 
a second payment was not made. This dual threat significantly amplified the pressure on victims, often forcing businesses and organizations to comply with extortion demands to prevent catastrophic data breaches and reputational damage.<\/p>\n<p>Shchukin&#8217;s alleged involvement with REvil was previously hinted at in a February 2023 filing by the U.S. Department of Justice. This filing sought the seizure of various cryptocurrency accounts linked to the proceeds of REvil&#8217;s activities. The government&#8217;s documentation revealed that a digital wallet believed to be associated with Shchukin contained over $317,000 in illicitly obtained cryptocurrency, providing a tangible link between the shadowy UNKN persona and Shchukin&#8217;s financial gains.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"A_Legacy_of_Destruction_GandCrabs_Reign\"><\/span>A Legacy of Destruction: GandCrab&#8217;s Reign<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The GandCrab ransomware affiliate program first emerged in January 2018, quickly establishing itself as a highly profitable enterprise for its operators and affiliates. The model was designed to reward hackers handsomely for compromising user accounts within major corporations. Once access was gained, the GandCrab operators would then leverage this foothold to further infiltrate networks, often exfiltrating vast quantities of sensitive internal documents. The malware itself underwent significant evolution, with its developers releasing five major revisions. Each iteration incorporated sophisticated new features and bug fixes, meticulously crafted to evade detection by cybersecurity firms and ensure the malware&#8217;s continued spread.<\/p>\n<p>The operational lifespan of GandCrab was marked by its audacious success. On May 31, 2019, the group sensationally announced its disbandment, claiming to have extorted over $2 billion from victims worldwide. 
In a widely publicized farewell message, the GandCrab team defiantly stated, &quot;We are living proof that you can do evil and get off scot-free. We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.&quot; This statement underscored the group&#8217;s perceived impunity and the immense financial rewards reaped from their criminal endeavors.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Torch_Passed_to_REvil\"><\/span>The Torch Passed to REvil<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Almost concurrently with GandCrab&#8217;s abrupt shutdown, a new ransomware operation, REvil, materialized. Fronted by a figure operating under the UNKNOWN alias on Russian cybercrime forums, REvil quickly signaled its intent to dominate the ransomware landscape. The UNKNOWN persona demonstrated this commitment by depositing $1 million into the forum&#8217;s escrow service, a clear signal of seriousness and financial backing. Many cybersecurity experts at the time quickly drew parallels between REvil and GandCrab, suspecting that REvil was, in essence, a rebranding or reorganization of the GandCrab infrastructure and its core operators.<\/p>\n<p>The UNKNOWN figure, now identified as Daniil Shchukin, even granted an interview to Dmitry Smilyanets, a former malicious hacker who later worked for the cybersecurity firm Recorded Future. In this interview, UNKNOWN painted a stark picture of his ascent from extreme poverty to immense wealth, characterizing his journey as unburdened by ethical considerations. &quot;As a child, I scrounged through the trash heaps and smoked cigarette butts,&quot; UNKNOWN recounted to Recorded Future. &quot;I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn&#8217;t eat for two or even three days. 
Now I am a millionaire.&quot; This narrative highlights a trajectory of desperation and ambition that fueled his participation in the lucrative, yet destructive, world of cybercrime.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Industrialization_of_Ransomware\"><\/span>The Industrialization of Ransomware<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The success of GandCrab and REvil, as detailed in the book &quot;The Ransomware Hunting Team&quot; by Renee Dudley and Daniel Golden, was partly attributable to their sophisticated business models. These groups, much like legitimate corporations, began to outsource various functions to specialized service providers. This allowed the core developers to focus on enhancing the quality and effectiveness of their ransomware, mirroring the practices of real-world manufacturers who might outsource logistics or web design.<\/p>\n<p>This industrialization of ransomware meant that higher-quality malware, which was increasingly difficult for cybersecurity firms to break, resulted in more frequent and substantial payouts from victims. The monumental profits generated then enabled these criminal enterprises to reinvest heavily in their operations. They hired more specialists, further accelerating their success and expanding their reach.<\/p>\n<figure class=\"article-inline-figure\"><img src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-kravchuk.png\" alt=\"Germany Doxes \u201cUNKN,\u201d Head of RU Ransomware Gangs REvil, GandCrab\" class=\"article-inline-img\" loading=\"lazy\" decoding=\"async\" \/><\/figure>\n<p>The booming ransomware economy fostered a complex ecosystem of ancillary service providers. &quot;Cryptor&quot; providers emerged, ensuring ransomware could evade standard anti-malware scanners. &quot;Initial access brokerages&quot; specialized in stealing credentials and identifying vulnerabilities in target networks, selling this access to ransomware operators and their affiliates. 
Bitcoin &quot;tumblers,&quot; services designed to obfuscate the origin of cryptocurrency transactions, even offered discounts to gangs that utilized them for laundering ransom payments. Some contractors operated with any gang willing to pay, while others forged exclusive partnerships, creating a highly interconnected and mutually beneficial criminal underworld.<\/p>\n<p>REvil, in particular, evolved into a formidable &quot;big-game-hunting&quot; machine. The group strategically targeted larger organizations with annual revenues exceeding $100 million, often those with substantial cyber insurance policies that were known to be readily paid out. This focus on high-value targets ensured consistently lucrative returns.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"The_Kaseya_Attack_and_REvils_Downfall\"><\/span>The Kaseya Attack and REvil&#8217;s Downfall<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>One of REvil&#8217;s most significant and ultimately devastating attacks occurred over the July 4, 2021 weekend in the United States. The group successfully infiltrated and extorted Kaseya, a company providing IT operations management software to over 1,500 businesses, nonprofits, and government agencies. The scale of this attack sent shockwaves through the cybersecurity community and highlighted the supply chain risks inherent in the interconnected digital landscape.<\/p>\n<p>Following the Kaseya attack, the FBI revealed that they had infiltrated REvil&#8217;s servers prior to the incident but were unable to act without jeopardizing their ongoing investigation. This covert operation proved to be a critical blow to the ransomware group. REvil never fully recovered from this core compromise, nor from the subsequent release of a free decryption key by the FBI for victims who had been affected by REvil&#8217;s ransomware. 
This release significantly diminished the group&#8217;s leverage and financial incentives.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Identifying_the_Architect_Shchukins_Footprints\"><\/span>Identifying the Architect: Shchukin&#8217;s Footprints<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Daniil Maksimovich Shchukin is believed to be from Krasnodar, Russia, and likely resides there. The BKA stated, &quot;Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia. Travel behavior cannot be ruled out.&quot; While direct links between Shchukin&#8217;s known online personas and the UNKNOWN accounts on Russian crime forums are scarce, intelligence gathered by the cyber firm Intel 471 has shed light on his earlier activities.<\/p>\n<p>Intel 471&#8217;s analysis of Russian crime forums indicates a strong connection between Shchukin and a hacker identity known as &quot;Ger0in.&quot; Ger0in was active between 2010 and 2011, operating large botnets and selling &quot;installs&quot;\u2014a service that allowed other cybercriminals to rapidly deploy malware to thousands of PCs simultaneously. Although Ger0in&#8217;s activity predates UNKNOWN&#8217;s emergence as the REvil frontman, it establishes a history of Shchukin&#8217;s involvement in sophisticated cybercrime infrastructure.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Visual_Confirmation_and_a_2023_Clue\"><\/span>Visual Confirmation and a 2023 Clue<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The identification of Shchukin has been bolstered by visual evidence. A review of mugshots released by the BKA, when cross-referenced with the image comparison site Pimeyes, yielded a match with photographs from a birthday celebration in 2023. These images feature a young man named Daniel wearing a distinctive, expensive watch identical to one seen in official BKA photographs of Shchukin. 
This finding provides a tangible, real-world link to the identified suspect.<\/p>\n<p>Further corroboration emerged on April 6, 2024, when a reader forwarded an English-dubbed audio recording from a 37C3 conference held in Germany in 2023. This presentation, specifically at the 24:25 mark, previously identified Shchukin as the leader of REvil, adding another layer of confirmation to the German authorities&#8217; findings.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Implications_and_Future_Pursuits\"><\/span>Implications and Future Pursuits<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The identification of Daniil Maksimovich Shchukin represents a significant victory for international law enforcement in their ongoing battle against organized cybercrime. For years, figures like UNKN operated with a degree of anonymity that fostered impunity, allowing them to build and profit from vast criminal enterprises. The unmasking of Shchukin not only brings a measure of accountability but also serves as a stark warning to other cybercriminals that their identities are not as secure as they may believe.<\/p>\n<p>The German BKA&#8217;s proactive advisory and the U.S. Department of Justice&#8217;s seizure actions underscore a growing trend of international cooperation in tackling cyber threats. The continued pursuit of individuals like Shchukin, regardless of their geographical location, is crucial for disrupting the lucrative ransomware economy and protecting businesses and individuals from devastating cyberattacks. The long-term implications of these actions extend beyond the prosecution of individuals; they aim to dismantle the infrastructure and profitability that sustains these criminal networks, ultimately contributing to a more secure digital landscape. 
The focus now shifts to potential extradition efforts and further legal proceedings that will aim to hold Shchukin accountable for the widespread damage caused by GandCrab and REvil.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authorities in Germany have unmasked the elusive hacker known by the moniker &quot;UNKN,&quot; identifying him as 31-year-old Russian national Daniil Maksimovich Shchukin. German law enforcement officials now assert that Shchukin was the mastermind behind two of the most prolific and destructive ransomware operations of recent years: GandCrab and REvil. Between 2019 and 2021, Shchukin allegedly &hellip;<\/p>\n","protected":false},"author":13,"featured_media":5373,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[101],"tags":[729,736,19,102,726,733,724,725,730,735,103,734,727,732,731,22,728],"newstopic":[],"class_list":["post-5374","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-architect","tag-authorities","tag-behind","tag-cyber","tag-daniil","tag-empires","tag-face","tag-fear","tag-gandcrab","tag-german","tag-hacking","tag-identified","tag-maksimovich","tag-ransomware","tag-revil","tag-security","tag-shchukin"],"_links":{"self":[{"href":"https:\/\/codeguilds.com\/index.php?rest_route=\/wp\/v2\/posts\/5374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codeguilds.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codeguilds.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codeguilds.com\/index.php?rest_route=\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/codeguilds.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5374"}],"version-history":[{"count":0,"href":"https:\/\/codeguilds.com\/index.php?rest_route=\/wp\/v2\/posts\/5374\/revisions"}],"wp:featuredmedia":[{"embeddabl
e":true,"href":"https:\/\/codeguilds.com\/index.php?rest_route=\/wp\/v2\/media\/5373"}],"wp:attachment":[{"href":"https:\/\/codeguilds.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codeguilds.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codeguilds.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5374"},{"taxonomy":"newstopic","embeddable":true,"href":"https:\/\/codeguilds.com\/index.php?rest_route=%2Fwp%2Fv2%2Fnewstopic&post=5374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}