10 Key Revelations About the UNKN Ransomware Mastermind Behind REvil and GandCrab
In a major breakthrough, German authorities have unmasked the elusive hacker known as “UNKN,” revealing him as a 31-year-old Russian national who orchestrated two of the most devastating ransomware operations in history. This listicle breaks down the crucial facts, from the doxing event to the vast financial impact and the gang’s infamous shutdown message.
1. UNKN’s True Identity Finally Exposed
For years, the ransomware world knew the mastermind only by the handles “UNKN” or “UNKNOWN.” In a recent advisory, the German Federal Criminal Police (BKA) named him as Daniil Maksimovich Shchukin, a 31-year-old Russian. This identification marked a pivotal moment in cybercrime enforcement, linking a real person to the shadowy figure who led the GandCrab and REvil gangs. The BKA’s investigation also named Anatoly Sergeevitsch Kravchuk, 43, as a key accomplice, though Shchukin was the primary target.

2. The Double Extortion Pioneer
Shchukin’s gangs were among the earliest large-scale operators of the double extortion model that later became standard in ransomware attacks. Affiliates stole sensitive data from a victim’s network before encrypting it, so the ransom demand carried two threats: without payment the systems stayed locked, and the stolen data would be published on the gang’s leak site. This strategy maximized pressure on corporations and government agencies, since restoring from backups no longer removed the incentive to pay. The BKA estimates that Shchukin’s operations extorted nearly €2 million directly in ransoms from German victims alone.
3. Economic Damage Exceeded €35 Million
The BKA’s report highlights the staggering economic toll of the ransomware campaigns. Over a two-year period (2019–2021), at least 130 cyberattacks were linked to Shchukin’s gangs in Germany. The total combined damage—including ransom payments, system restoration, lost productivity, and reputational harm—exceeded €35 million. This figure underscores the severe impact ransomware can have on national infrastructure and private industry.
4. GandCrab’s Rise and Five Major Revisions
GandCrab first surfaced in January 2018 and quickly became one of the most aggressive ransomware strains. Its affiliate program recruited skilled intruders, offering them a large share of the profits in exchange for breaching corporate networks. The GandCrab team updated the malware regularly, releasing five major versions, each with new evasion techniques and features that made it harder for antivirus software to detect; each release also invalidated the free decryptors that researchers had published for earlier versions. This constant evolution kept the gang ahead of defenders for months at a time.
5. The $2 Billion Shutdown Message
On May 31, 2019, the GandCrab team announced its shutdown in a smug farewell post. They claimed to have extorted over $2 billion from victims worldwide. The message read: “We are living proof that you can do evil and get off scot-free.” They boasted of making a lifetime of money in one year and of becoming the top ransomware group by universal consensus. Despite the bravado, the announcement was widely believed to be cover for a rebranding as REvil.
6. REvil’s Emergence as GandCrab’s Successor
Almost immediately after GandCrab’s demise, a new ransomware affiliate program called REvil (also known as Sodinokibi) appeared. It was fronted by the same “UNKNOWN” handle on Russian cybercrime forums. To demonstrate credibility to prospective affiliates, UNKNOWN deposited $1 million in escrow with the forum. Security researchers quickly noted that REvil’s code and tactics overlapped substantially with GandCrab’s, leading to the conclusion that it was a rebranded version of the same operation.

7. The U.S. Justice Department’s Crypto Seizure
In February 2023, the U.S. Department of Justice filed a seizure action targeting cryptocurrency accounts linked to REvil’s proceeds. One wallet tied to Shchukin contained over $317,000 in ill-gotten cryptocurrency. This legal move demonstrated international coordination between U.S. and German authorities to freeze and recover assets from cybercriminals. The filing also provided additional evidence linking Shchukin to the ransomware operations.
8. Affiliate Program That Fueled a Cybercrime Empire
The success of both GandCrab and REvil stemmed from their ransomware-as-a-service affiliate model. The core team wrote and maintained the ransomware and ran the payment and negotiation infrastructure, while recruited affiliates did the intrusions: breaking into corporate networks, escalating privileges, stealing data, and finally deploying the ransomware. The affiliate program paid out huge commissions, up to 70% of each ransom. This division of labor let the gang scale rapidly by leveraging a distributed network of skilled attackers across the globe, and it is one reason the intrusion techniques seen in REvil incidents varied so much from one victim to the next.
9. UNKNOWN Interviewed by Former Hacker Turned Journalist
While REvil was active, UNKNOWN gave a rare interview to Dmitry Smilyanets, a former Russian hacker who became a security journalist. In the interview, UNKNOWN discussed the business model, claimed the gang avoided attacking healthcare and education, and defended the operations as purely financial. The interview offered a glimpse into the mindset of a ransomware ringleader before his identity was known.
10. The Ongoing Fight Against Ransomware Gangs
The doxing of Shchukin marks a significant victory for law enforcement, but it also highlights the challenges ahead. Despite naming him and his accomplice, both remain at large, likely in Russia, which does not extradite its nationals. The REvil gang has also resurfaced in various forms after multiple takedowns. This case serves as a reminder that international cooperation is crucial, but more robust measures are needed to dismantle the ransomware ecosystem for good.
The unmasking of UNKN provides a rare glimpse into the human faces behind some of the most notorious ransomware attacks in history. As authorities continue to target these cybercriminal networks, the hope is that such actions deter future attackers and bring justice to the millions of victims worldwide.