Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

Photo: Krebs on Security
Daniil Maksimovich Shchukin, a 31-year-old Russian national, is the man behind the pseudonym "UNKN," who for years led two of the most damaging ransomware groups to date: GandCrab and REvil. The German Federal Criminal Police Office (BKA) has officially identified him and attributes to him direct responsibility for at least 130 acts of computer sabotage and extortion carried out between 2019 and 2021. Shchukin, acting alongside 43-year-old Anatoly Kravchuk, extorted nearly 2 million euros in ransom, while the economic losses caused by their activities are estimated at over 35 million euros. For corporate users and the wider technology community, the deanonymization of "UNKN" is a milestone in the fight against the Ransomware-as-a-Service (RaaS) model. REvil became notorious for aggressive attacks on critical infrastructure and global supply chains that paralyzed thousands of companies worldwide. Naming a key operator sends a clear signal: anonymity on the darknet is fragile, and law enforcement agencies have increasingly effective tools for tracing cryptocurrency flows and correlating digital footprints. It is a warning to REvil's successors that malicious code can ultimately be tied to a specific person and to criminal liability.
For years, the cybersecurity industry treated the figure behind the pseudonym UNKN (also known as UNKNOWN) as an almost mythical architect of digital chaos. As the leader of the Russian ransomware groups GandCrab and REvil, UNKN was behind audacious attacks that paralyzed global corporations and public institutions. Today, that anonymity has crumbled. German investigators have publicly unmasked the man behind these operations. He is no longer an anonymous user of dark-web forums but a specific person with a name, a surname, and a history, and he is now a target of international justice.
The German Federal Criminal Police Office (Bundeskriminalamt, abbreviated BKA) has officially announced that the person behind the pseudonym UNKN is a 31-year-old Russian, Daniil Maksimovich Shchukin. He is alleged to have led both criminal groups, which reshaped the cybercrime business model by introducing the Ransomware-as-a-Service (RaaS) scheme. Under this model, groups like REvil did not only attack targets themselves; they also supplied their malware to affiliates in exchange for a percentage of the extorted ransoms, which led to an unprecedented scale of infections worldwide.
The architect of digital extortion and his accomplice
The investigation led by the BKA sheds light on the scale of activities of Shchukin and his closest associates. Alongside the leader, 43-year-old Anatoly Sergeevitsch Kravchuk was also named. According to the investigators' findings, the two played a key role in carrying out at least 130 acts of computer sabotage and extortion between 2019 and 2021 alone. Although their activities were global, the German authorities focused on documenting the losses suffered by entities on German territory, which allowed specific charges to be brought and arrest warrants to be issued.
The figures presented by the BKA are staggering, though they likely represent only the tip of the iceberg. Shchukin and Kravchuk are alleged to have directly extorted nearly 2 million euros in just two dozen attacks. The ransom, however, is only part of the cost: total economic damages in these specific cases were estimated at over 35 million euros. That figure covers production downtime, data recovery, security audits, and the loss of customer trust suffered by the attacked companies.
The GandCrab group, which Shchukin managed in the first phase of his "career," was a pioneer of mass ransomware attacks on Windows systems. After its publicly announced "retirement" in 2019, the same structures carried on as REvil (also known as Sodinokibi), which became even more aggressive. REvil became known for double extortion: the victim's data was not only encrypted but also exfiltrated, and the group threatened to publish it on its leak site if the ransom was not paid. It was UNKN who often acted as the group's spokesperson on Russian-language hacking forums, cultivating an image of elusiveness and professionalism.
A precise strike at the command structure
The public disclosure of Shchukin's identity is a powerful blow to the morale of the ransomware ecosystem. The "doxing" strategy used by law enforcement agencies aims not only to facilitate arrest but, above all, to burn the criminal's operational bridges. Once the leader's face and personal data become public, he loses the ability to move freely, use legal financial infrastructure, or even communicate safely with his associates, who may begin to fear they are next in line for exposure.

The BKA operation also demonstrates how investigative methods have evolved. Tracking down UNKN required detailed analysis of cryptocurrency flows, examination of metadata left in malware samples, and painstaking intelligence work inside closed cybercriminal communities. That the German authorities chose to name him publicly suggests they consider the evidence linking Shchukin to specific attacks strong enough to charge him, which is a rare achievement in a digital world full of red herrings and proxy servers.
It is worth noting the techniques used by GandCrab and REvil, which under Shchukin's leadership included, among others:
- Exploit kits to automatically infect users browsing compromised websites.
- Supply chain attacks, the most high-profile example being the July 2021 attack on the Kaseya VSA remote-management platform.
- Code obfuscation techniques that for a long time allowed the malware to evade traditional antivirus products.
- Remote Desktop Protocol (RDP) access, typically through exposed services with weak or guessed credentials, to take control of corporate servers.
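The last item in that list is the one a defender can check for most directly. The following Python script is an added example written for this article; it is not code from the BKA, from the article's author, or from the gangs' tooling. It runs a common RDP password-guessing detector over constructed Windows Security events (ID 4625 failed logon, ID 4624 successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and escalates when a source address that crossed the failure threshold subsequently logs on successfully. The one-JSON-object-per-line export format and the field names are assumptions for the demo.

```python
"""
RDP brute-force detection over Windows Security events.

Added example, not the article's or the BKA's code.  Assumes events are
exported one JSON object per line with the fields EventID, LogonType,
IpAddress, TargetUserName and TimeCreated (ISO 8601); real exporters
(wevtutil, winlogbeat, ...) nest these differently, so adapt parse_events.
The log lines below are constructed for the demo.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625   # Windows Security: "An account failed to log on"
EVENT_LOGON_OK = 4624       # Windows Security: "An account was successfully logged on"
RDP_LOGON_TYPE = 10         # RemoteInteractive = RDP / Terminal Services
THRESHOLD = 5               # failed RDP logons from one IP ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window -> alert

# Constructed sample: 203.0.113.7 sprays accounts over RDP and finally gets in
# as "backup"; 198.51.100.20 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
{"EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator","TimeCreated":"2021-07-02T09:00:01"}
{"EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"admin","TimeCreated":"2021-07-02T09:00:09"}
{"EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"backup","TimeCreated":"2021-07-02T09:00:17"}
{"EventID":4625,"LogonType":10,"IpAddress":"198.51.100.20","TargetUserName":"jsmith","TimeCreated":"2021-07-02T09:00:20"}
{"EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"svc_rdp","TimeCreated":"2021-07-02T09:00:25"}
{"EventID":4625,"LogonType":3,"IpAddress":"203.0.113.7","TargetUserName":"administrator","TimeCreated":"2021-07-02T09:00:31"}
{"EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"sales","TimeCreated":"2021-07-02T09:00:33"}
{"EventID":4624,"LogonType":10,"IpAddress":"198.51.100.20","TargetUserName":"jsmith","TimeCreated":"2021-07-02T09:00:40"}
{"EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"test","TimeCreated":"2021-07-02T09:00:41"}
{"EventID":4624,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"backup","TimeCreated":"2021-07-02T09:00:58"}
"""


def parse_events(text):
    """Parse one JSON event per line and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {failures, users, first_seen, success_after}} for every
    source IP with >= threshold failed RDP logons inside the window.
    success_after is set when that IP later logs on over RDP successfully,
    i.e. the password guessing most likely worked."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    total = defaultdict(int)      # ip -> all RDP failures seen
    users = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue              # ignore SMB/network logons (type 3) etc.
        ip, ts = e.get("IpAddress"), e["TimeCreated"]
        if e["EventID"] == EVENT_LOGON_FAILED:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # slide the window forward
            total[ip] += 1
            users[ip].add(e.get("TargetUserName"))
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": q[0], "success_after": False}
            if ip in alerts:      # keep the alert's counters current
                alerts[ip]["failures"] = total[ip]
                alerts[ip]["users"] = sorted(users[ip])
        elif e["EventID"] == EVENT_LOGON_OK and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        severity = "LIKELY COMPROMISE" if a["success_after"] else "brute force"
        print(f"{ip}: {severity}, {a['failures']} failures, users={a['users']}")
```

The threshold and window are deliberately conservative; in practice they are tuned per environment, and the "success after burst" branch is the one that should page someone, because a single successful type-10 logon from an address that was just guessing passwords is the moment an affiliate gets the foothold the rest of the intrusion is built on.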
The end of the era of impunity in Russia's shadow?
Although Daniil Maksimovich Shchukin is most likely residing in the Russian Federation, which makes his physical detention difficult, his "wanted by Interpol" status drastically changes his situation. Cybercriminals of this rank have been arrested while vacationing in countries that maintain extradition treaties with the West, or have become bargaining chips in larger geopolitical games. For Pixelift and observers of the AI and creative technology sectors, this case is a reminder that behind the most advanced data-destroying code are people who can be identified.
The unmasking of UNKN is a signal to the entire industry: the era of absolute anonymity on the web is ending. Even sophisticated methods of hiding identity, from cryptocurrency mixers to multi-layered VPNs, leave traces that, given sufficient determination and international cooperation, add up to a complete picture of the perpetrator. Shchukin, who spent years building an operation based on fear and digital extortion, has become a symbol of the effectiveness of modern digital forensics. His case illustrates a new reality in which a digital footprint can become the basis for a criminal conviction, regardless of how deep in the web a criminal tries to hide.