Security | 5 min read | The Hacker News

BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

By the Pixelift editorial team

Photo: The Hacker News

The German Federal Criminal Police Office (BKA) has identified key leaders of the REvil group, responsible for over 130 ransomware attacks, marking a breakthrough in the fight against organized cybercrime. Concurrently, the Zscaler ThreatLabz 2024 VPN Risk Report warns that the development of AI has drastically shrunk the time human defenders have to respond to threats, making remote access the fastest route to breaching corporate structures. As many as 92% of organizations express deep concern over VPN security vulnerabilities, which are becoming primary targets for attacks that use artificial intelligence to automate intrusions. For users and companies worldwide, this necessitates an immediate shift from traditional protection methods toward a Zero Trust architecture. The effectiveness of REvil has demonstrated that even giants are not safe when attackers possess AI tools capable of instantaneously detecting and exploiting network configuration errors. In an era where algorithms can breach security measures in seconds—tasks that previously required days of a hacker's work—network micro-segmentation and rigorous identity verification for every access attempt have become priorities. Effective defense no longer depends on password strength, but on how quickly active, real-time threat monitoring systems are put in place.

The German Federal Criminal Police Office (BKA - Bundeskriminalamt) has made a breakthrough in one of the most high-profile cybercrime investigations of recent years. The authorities have managed to identify key figures behind the REvil operation, also known as Sodinokibi. This group, operating under the Ransomware-as-a-Service (RaaS) model, terrorized digital infrastructure worldwide for years, and their activities in Germany alone led to at least 130 attacks on local enterprises and institutions.

This strike against REvil's structures is not only an operational success but, above all, a signal to the entire cybercriminal ecosystem that online anonymity is illusory. A central figure in this investigation turned out to be an actor using the pseudonym UNKN (short for Unknown). He served as the group's official representative, who as early as June 2019 was actively promoting ransomware software on the Russian-language cybercriminal forum XSS. It was UNKN who was the face of the operation, recruiting partners (so-called affiliates) and managing the communication that led to the paralysis of hundreds of IT systems.

Architects of Digital Chaos Under BKA Scrutiny

Identifying the leaders of REvil is the result of years of analytical work and international cooperation. The group became famous for its extremely aggressive approach to negotiations and the use of the "double extortion" method — not only was the victims' data encrypted, but they were also threatened with its publication if the ransom was not paid. The BKA focused on traces left in the payment infrastructure and errors in operational security (OPSEC), which ultimately led to the de-anonymization of UNKN and other gang leaders.

Image: Cyber threat analysis. The BKA investigation sheds new light on the operational structure of the REvil group.

It is worth understanding the scale of the phenomenon: 130 confirmed attacks in Germany alone is just the tip of the iceberg. REvil was responsible for global incidents that shook supply chains and the public sector. The success of German investigators in linking specific identities to pseudonyms such as UNKN allows for the issuance of international arrest warrants, which drastically limits the criminals' room for maneuver, even if they reside in countries traditionally reluctant to extradite.

  • RaaS Model: REvil provided malicious software to partners in exchange for a percentage of every ransom paid.
  • Infrastructure: The group used advanced administrative panels to manage attacks and communicate with victims.
  • Targets: Attacks focused on entities with high data availability, where downtime generated massive losses.

Evolution of Threats in the Era of Artificial Intelligence

While investigators settle scores with old structures like REvil, the threat landscape is evolving faster than ever. According to the Zscaler ThreatLabz 2026 VPN Risk Report, prepared in cooperation with Cybersecurity Insiders, we are on the threshold of a new era of incidents. This document points to a critical trend: AI (Artificial Intelligence) has drastically shortened the human reaction time to incidents, giving attackers an advantage they did not previously possess.

The use of artificial intelligence by cybercriminals makes remote access the fastest path to breaching an organization's security. Traditional safeguards that companies have relied on for the past decade are becoming insufficient against automated scripts capable of detecting and exploiting VPN configuration vulnerabilities in a fraction of a second. What once took hackers days or weeks now happens almost in real-time, thanks to the support of AI models.

Image: Cybersecurity in the age of AI. Modern defense systems must evolve to meet AI-driven threats.

The Zscaler ThreatLabz analysis emphasizes that digital transformation has forced a shift to remote work, making VPN (Virtual Private Network) a primary target for attacks. The 2026 report leaves no illusions: the automation of offensive processes by ransomware groups means that the window of time for effective defense and mitigation of the consequences of a breach has practically ceased to exist for traditional SOC (Security Operations Center) teams.

From Sodinokibi to Modern Strike Models

The story of REvil and their Sodinokibi ransomware is a lesson in how technology can be monetized by organized criminal groups. Although the group officially ceased operations after a series of arrests and diplomatic pressure, their methodology survived and has been refined. Today's threats, described in the 2026 VPN Risk Report, are built on the foundation laid by individuals like UNKN, but add a layer of machine intelligence to it.

Artificial intelligence has eliminated the margin of error for defenders, making remote access the fastest route to a full infrastructure takeover.

Key conclusions from the current market situation suggest that the identification of perpetrators by the BKA is a symbolic success, but the technological battle is moving to a completely different level. Cybercriminals are no longer just looking for "holes" in software; they are optimizing attack processes to stay ahead of any manual intervention attempts by administrators. In this context, the successes of law enforcement in unmasking REvil leaders must go hand in hand with a radical change in the approach to Zero Trust security architecture.

A New Paradigm of Responsibility and Defense

The effectiveness of the BKA in tracking 130 attacks linked to REvil shows that the digital footprint is permanent. However, for the global technology sector, the forecast from Zscaler data is more important. Since AI has shortened human reaction time to values close to zero, the only effective defense method becomes autonomous security that can react at machine speed.

Identifying UNKN and dismantling REvil's structures marks the close of a certain chapter in the history of ransomware, but simultaneously opens a new one, where the opponent is no longer just a human, but an algorithm. Organizations that still rely on outdated VPN systems and believe in the sufficiency of human oversight will be the first victims of Sodinokibi's successors. The future of cybersecurity will not belong to those who can chase criminals after the fact, but to those who can prevent them from acting in the milliseconds before data encryption occurs.
