Mallory

Germany Identifies Alleged REvil and GandCrab Leader Behind 130 Ransomware Attacks

Tags: ransomware-group-operation, cybercrime-service-ecosystem, enforcement-action, operational-disruption

Updated April 8, 2026 at 06:45 AM (18 sources)


Germany's Federal Criminal Police Office (BKA) identified 31-year-old Russian national Daniil Maksimovich Shchukin as UNKN/UNKNOWN, the alleged leader and public face of the GandCrab and REvil ransomware operations, and named Anatoly Sergeevitsch Kravchuk, 43, as an alleged developer. Authorities said the pair were involved in ransomware activity from early 2019 through at least July 2021 and linked them to 130 attacks in Germany, including about 25 cases that generated roughly €1.9 million in ransom payments and caused more than €35 million in economic damage.

German investigators described GandCrab and REvil as highly organized ransomware-as-a-service enterprises that helped popularize double extortion and relied on affiliates, access brokers, malware obfuscation providers, and money-laundering support. REvil was among the most prolific ransomware groups, hitting major victims including JBS and Kaseya, before collapsing under mounting law-enforcement pressure after the FBI infiltrated its infrastructure; the gang briefly resurfaced before disappearing in late 2021, followed by affiliate arrests in Romania and a broader disruption announced by Russia's FSB in 2022.

Timeline

  1. Apr 5, 2026

    Germany's BKA identifies alleged REvil and GandCrab leaders

    German authorities publicly identified 31-year-old Daniil Maksimovich Shchukin as the actor known as UNKN or UNKNOWN and 43-year-old Anatoly Sergeevitsch Kravchuk as a developer tied to REvil and GandCrab. The BKA alleged they were responsible for 130 ransomware attacks in Germany between 2019 and 2021.

  2. Mar 30, 2026

    German authorities announce further cybercrime enforcement success

    German authorities announced a further success against organized cybercrime in a case linked to the alleged REvil/GandCrab actors. This official law-enforcement notice preceded the public identification reported in April 2026.

  3. May 8, 2023

    Germany publicly identifies REvil figure 'UNKN'

    A May 2023 report said German authorities had publicly identified the actor known as UNKN, describing him as a leader tied to the REvil and GandCrab ransomware operations. The report attributed the identification to German law enforcement, as referenced by KrebsOnSecurity.

  4. Jan 1, 2023

    U.S. forfeiture filing names Shchukin in REvil proceeds case

    A 2023 U.S. Justice Department forfeiture filing tied to REvil proceeds included Daniil Maksimovich Shchukin's name. The filing connected him to funds associated with the ransomware operation.

  5. Jan 1, 2022

    Romanian authorities arrest REvil affiliates

    After REvil's collapse, law enforcement actions included arrests of affiliates in Romania. These arrests were part of the wider crackdown on participants in the ransomware-as-a-service operation.

  6. Jan 1, 2022

    Russia's FSB announces arrests of REvil members

    In January 2022, Russia's FSB said it had arrested several REvil members and disrupted the ransomware gang. This followed broader international efforts targeting the group's infrastructure and affiliates.

  7. Oct 1, 2021

    REvil briefly resurfaces before ceasing operations

    After going dark, REvil briefly returned online but had ceased operations by October 2021. Reports linked the shutdown to increasing pressure from investigators and prior infiltration of the group's servers by the FBI.

  8. Jul 15, 2021

    REvil goes offline in mid-July 2021

    The REvil ransomware operation went offline in mid-July 2021 amid mounting law enforcement pressure. Around this period, the actor known as UNKN reportedly disappeared from cybercrime forums and another figure, REvil/0_neday, became the group's public face.

  9. Jul 1, 2021

    Kaseya attack accelerates pressure on REvil

    In 2021, REvil's major attack on Kaseya intensified international law enforcement scrutiny of the group. The fallout from that incident was cited as part of the gang's subsequent decline.

  10. Jan 1, 2019

    REvil and GandCrab operators conduct German ransomware attacks

    Across roughly two dozen German cases, the suspects allegedly extorted about €1.9 million in ransom payments and caused more than €35 million in economic damage. The attacks were attributed to the GandCrab and later REvil ransomware-as-a-service operations.

  11. Jan 1, 2019

    REvil/GandCrab activity in Germany begins

    German authorities said Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk were involved in GandCrab/REvil ransomware activity affecting Germany from at least early 2019. Investigators later tied them to 130 acts of computer sabotage and extortion in Germany between 2019 and 2021.


Sources

5 more from sources such as The Hacker News, The Record, BleepingComputer, DataBreaches.net and KrebsOnSecurity

Related Stories

German Authorities Add Alleged Black Basta Ringleader to EU Most-Wanted List


German law enforcement added **Oleg Evgenievich Nefedov/Nefekov**, a 35-year-old Russian national, to the EU’s most-wanted list in connection with the **Black Basta** ransomware operation. German prosecutors and the Federal Criminal Police Office (**BKA**) allege he founded and led the group, acting as a “managing director” who selected targets, recruited and tasked members, participated in ransom negotiations, and managed extortion proceeds used to pay affiliates. Authorities attribute to Black Basta a large global victim set since at least early 2022; reporting cites BKA estimates of roughly **700 organizations** attacked worldwide and external researcher estimates of **$100M+** in extortion payments by the end of 2023. The manhunt follows broader disruption and scrutiny of the group after an internal leak reportedly contributed to Black Basta ceasing activity, and the EU listing includes multiple alleged aliases (e.g., `tramp`, `tr`, `gg`, `AA`, `kurva`, `Washingt0n`, `S.Jimmi`) tied to the suspect’s role in developing and operating the ransomware and related malware used for intrusion, data theft, and encryption-based extortion paid in cryptocurrency.

1 month ago

German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption

German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (**BND**) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US **NSA** for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.” Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the **Conti** ransomware ecosystem. A third item—a *Citizen Lab* job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.

1 month ago

Bearlyfy deploys GenieLocker in ransomware campaign against Russian companies

The pro-Ukrainian hacker group **Bearlyfy** has carried out more than 70 attacks against Russian companies, escalating from smaller intrusions and modest ransom demands into a broader campaign combining extortion with sabotage. Russian cybersecurity firm F6 said the group, active since January 2025 and also tracked as **Labubu**, initially relied on leaked ransomware code including **LockBit 3 Black**, **Babuk** for Linux, and a modified **PolyVice** variant before shifting in March to a custom Windows strain called **GenieLocker**. F6 said Bearlyfy typically gained access through exposed external services and vulnerable applications, then used tools such as **MeshAgent** for remote access and to support encryption or destructive activity. Researchers also reported cooperation with the pro-Ukrainian group **Head Mare** and tooling or infrastructure overlaps with **PhantomCore**, suggesting ties to a wider ecosystem targeting Russian and Belarusian organizations. The group’s ransom demands reportedly rose from about **€80,000** to several hundred thousand dollars, with roughly one in five victims paying, as Bearlyfy expanded from smaller businesses to larger Russian enterprises.

1 month ago