Germany’s Federal Criminal Police, the Bundeskriminalamt or BKA, has put a name and a face to “UNKN” — the elusive operator who ran two of the most consequential Russian-speaking ransomware crews of the late 2010s and early 2020s. According to an advisory issued by the BKA and reported by Krebs on Security and BleepingComputer, the man behind the handle is 31-year-old Daniil Maksimovich Shchukin of Krasnodar, Russia. A second Russian, 43-year-old Anatoly Sergeevitsch Kravchuk, is named as a co-conspirator.
Behind the handle
Shchukin is alleged to have led both GandCrab and its successor REvil — also tracked as Sodinokibi — between 2018 and 2021. GandCrab’s claim to historical relevance is that it pioneered the affiliate-driven ransomware-as-a-service model that the rest of the ecosystem subsequently copied. REvil then refined the playbook by introducing systematic double extortion: charge the victim once for the decryption key, then charge again — or simply leak the data — for a promise not to publish it. The model is now industry-standard among the gangs that succeeded REvil.
The BKA assessment ties Shchukin and Kravchuk to at least 130 acts of computer sabotage and extortion against German victims between 2019 and 2021. Across two dozen named cases, the pair allegedly extorted nearly €2 million in ransom payments while inflicting roughly €35 million in total economic damage on the affected organisations, per Krebs’s reading of the BKA brief. Both men are believed to remain in Russia and therefore sit beyond the reach of European extradition.
What the dox actually achieves
Naming a sanctioned ransomware operator from inside Russia rarely ends with that operator in handcuffs. What it does change is the operating cost of the alias. Public attribution narrows the suspect’s ability to travel, opens the door to Treasury and EU sanctions designations against any entities they control, and gives partner intelligence services a confirmed identity to anchor SIGINT and financial-intelligence work to. In the long arc of the GandCrab-Conti-REvil-LockBit lineage, every doxxed operator chips away at the perception that ransomware leadership is a safe career.
It also tightens the screws on affiliates. REvil affiliates have rotated through every major brand of the post-2021 ecosystem, and the BKA advisory makes clear that German prosecutors are still working backward through that affiliate graph. For threat-intel teams, the practical takeaway is that the GandCrab-and-REvil-era IOCs and TTPs remain investigative gold — the alleged principals are now matters of court record, which means evidence preservation and historical telemetry retention pay off years later.
What this means for practitioners
For defenders, the news does not change tomorrow’s detections. For policy and CTI teams, it is a reminder that the long memory of law enforcement is finally catching up to the ransomware boom. The first generation of double-extortion operators is starting to be named in public; the second is still operating in the dark. Pressure on the people, not just the infrastructure, is one of the few coercive tools that have shown a multi-year effect on ransomware activity. Today’s announcement is one more turn of that screw.