Quick Facts
- Category: Cybersecurity
- Published: 2026-05-04 13:47:34
For years, the cybercriminal known only as "UNKN" or "UNKNOWN" operated in the shadows, orchestrating some of the most devastating ransomware attacks in history. Now, German authorities have put a name and face to the elusive figure: 31-year-old Russian Daniil Maksimovich Shchukin. This article breaks down the ten most crucial things you need to know about UNKN, his gangs, and the global manhunt that finally brought him into the spotlight.
1. The Mysterious UNKN Finally Identified
For years, the ransomware world knew him only as UNKN, a handle that struck fear into corporations and governments. In a groundbreaking advisory, the German Federal Criminal Police (BKA) revealed that UNKN is Daniil Maksimovich Shchukin, a 31-year-old Russian national. Alongside a 43-year-old accomplice, Anatoly Sergeevitsch Kravchuk, Shchukin is accused of leading two of the most notorious ransomware operations: GandCrab and REvil. The advisory marks the first time authorities have publicly tied the UNKN handle to a named individual.

2. The Birth of GandCrab: A Ransomware Revolution
GandCrab first appeared in January 2018 and quickly became one of the most widely deployed extortion tools of its time. It was run as a ransomware-as-a-service (RaaS) platform: the core gang maintained the malware, the payment portal and the negotiation infrastructure, and recruited affiliates who broke into corporate networks, deployed the encryptor and demanded ransoms. Over its roughly 17-month run, GandCrab went through five major versions, each adding features and new ways of evading security products. The group claimed to have extorted over $2 billion from victims worldwide, a figure that, even if inflated, set a new benchmark for cyber extortion.
3. Pioneering Double Extortion Tactics
Shchukin's gangs did not just lock down systems; they helped popularize a cruel twist known as double extortion. Victims were charged once for a decryption key and a second time to prevent the public release of data stolen before encryption. This dramatically increased pressure on organizations, especially those handling sensitive customer information, because restoring from backups no longer ended the incident. The tactic became a blueprint for other ransomware groups, turning extortion into a game of reputational damage as well as financial loss. REvil in particular was among the earliest groups to apply this method at scale.
4. The Lucrative Affiliate Program
GandCrab's success hinged on its generous affiliate program. Affiliates, the intruders who gained initial access to victim networks, stole data and deployed the malware, kept a large share of each ransom payment, reportedly up to 70%, while the core team took the rest for supplying the malware, the payment portal and the negotiation backend. This model attracted experienced hackers and fueled rapid expansion. The BKA estimates that between 2019 and 2021 alone, Shchukin's operations carried out at least 130 acts of computer sabotage against victims in Germany.
5. GandCrab's Abrupt Shutdown and Boastful Farewell
On May 31, 2019, GandCrab suddenly announced its retirement. In a brazen farewell, the group declared: "We are a living proof that you can do evil and get off scot-free" and boasted of making "a lifetime of money in one year." The shutdown was widely read as a strategic move, an attempt to shed law-enforcement attention while rebranding. By then the gang's activities had already caused billions in damages, leaving a trail of extorted companies and stolen data. The farewell turned out to be misdirection: REvil, which had surfaced weeks earlier, carried the operation forward.
6. REvil Rises from GandCrab's Ashes
REvil (also known as Sodinokibi) was first seen in the wild in April 2019, shortly before GandCrab's shutdown, and was advertised on a Russian-language cybercrime forum. Its representative, posting under the handle UNKM (an obvious variation of UNKN), later backed the operation with a $1 million deposit on the forum to show that the group was well funded and serious. Security researchers quickly noted striking similarities in code, tactics and infrastructure between GandCrab and REvil, and many concluded that REvil was essentially a rebranded operation. The BKA's allegation that the same people led both gangs now lends official weight to that suspicion.

7. German Authorities Crack the Case
The BKA's advisory identified Shchukin and his accomplice Kravchuk as the architects of a cyber extortion spree targeting German organizations. The pair are accused of extorting nearly €2 million across two dozen attacks, with total economic damage exceeding €35 million. The investigation involved international cooperation, including intelligence sharing with the United States and other allies. The breakthrough shows that law enforcement is increasingly able to unmask even careful cybercriminals, even where an arrest is not immediately possible.
8. The U.S. Justice Department's Role
Shchukin's name first surfaced publicly in a February 2023 filing by the U.S. Justice Department, which sought the seizure of cryptocurrency accounts linked to REvil proceeds. The filing disclosed that a digital wallet tied to Shchukin contained over $317,000 in illicit funds. This legal action was part of a broader crackdown on REvil, including the seizure of ransom payments and the arrest of other affiliates. The U.S. charges highlight how ransomware profits flow through cryptocurrency, leaving a digital trail that authorities can follow.
9. Economic Toll and Victim Impact
The true scale of damage caused by Shchukin's gangs is staggering. In Germany alone, the BKA documented at least 130 acts of computer sabotage between 2019 and 2021, with combined losses of €35 million. Globally, GandCrab and REvil extorted at least hundreds of millions of dollars from hospitals, schools, energy companies and government agencies; by the gang's own boast, GandCrab alone took in more than $2 billion. Double extortion meant that even after paying the ransom, victims faced the threat of data leaks, a lasting blow to reputation and customer trust. Many organizations struggled to recover, and some smaller businesses were forced to close.
10. The Ongoing Threat and Lessons Learned
While Shchukin's identification is a major victory for law enforcement, ransomware remains a persistent threat. The takedown of GandCrab and REvil disrupted operations, but other groups quickly filled the void. The case underscores the importance of proactive cyber defenses, including regular backups, employee training, and incident response plans. It also highlights the need for international collaboration to track and prosecute cybercriminals who often operate across borders. For now, the unmasking of UNKN sends a clear message: even the most careful hackers can eventually be brought to light.
The identification of Daniil Maksimovich Shchukin as UNKN is a landmark moment in the fight against ransomware. It not only exposes the human face behind two of history's most damaging cybercrime operations but also demonstrates that law enforcement agencies are improving their ability to catch high-value targets. As authorities continue to pursue Shchukin and his associates, the world watches to see if justice will finally catch up with those who thought they could "do evil and get off scot-free."