UNKN Unmasked: German Authorities Identify Alleged GandCrab and REvil Leader
The elusive hacker known as "**UNKN**," allegedly behind the **GandCrab** and **REvil** ransomware operations, has been identified by German authorities. **Daniil Maksimovich Shchukin**, a 31-year-old Russian national, is accused of leading both cybercrime gangs and orchestrating numerous attacks across Germany between 2019 and 2021.
German authorities have unmasked the individual they believe to be "**UNKN**," the leader of the notorious **GandCrab** and **REvil** ransomware groups. The **German Federal Criminal Police** (Bundeskriminalamt or BKA) has identified 31-year-old Russian national **Daniil Maksimovich Shchukin** as the alleged mastermind behind these operations.
### Allegations and Impact
The **BKA** alleges that **Shchukin**, along with 43-year-old **Anatoly Sergeevitsch Kravchuk**, extorted nearly 2 million euros through two dozen cyberattacks, causing over 35 million euros in economic damage.

**GandCrab** and **REvil** are known for pioneering the double extortion tactic, demanding payment for decryption keys and a separate fee to prevent the publication of stolen data. **Shchukin**'s name also surfaced in a Feb. 2023 filing from the **U.S. Justice Department**, seeking the seizure of cryptocurrency accounts linked to **REvil**'s activities. The filing stated that a digital wallet connected to **Shchukin** held over $317,000 in illicit cryptocurrency.
### GandCrab's Rise and Fall
The **GandCrab** ransomware affiliate program emerged in January 2018, offering substantial profits to hackers for compromising user accounts at major corporations. The group expanded access, often exfiltrating sensitive data. Five major revisions to the **GandCrab** code were released, each incorporating new features and bug fixes designed to evade detection by security firms. In May 2019, the **GandCrab** team announced its shutdown, claiming to have extorted over $2 billion from victims.
### REvil's Emergence
The **REvil** ransomware affiliate program appeared around the same time as **GandCrab**'s demise. It was fronted by a user named **UNKNOWN**, who deposited $1 million in escrow on a Russian cybercrime forum. Many cybersecurity experts believed **REvil** was a reorganization of **GandCrab**. **UNKNOWN** gave an interview to **Dmitry Smilyanets** of **Recorded Future**, detailing a rags-to-riches story lacking ethical constraints.
### Evolution of Ransomware Tactics
As detailed in "The Ransomware Hunting Team" by **Renee Dudley** and **Daniel Golden**, **UNKNOWN** and **REvil** reinvested significant earnings to improve their operations, mirroring legitimate business practices. They outsourced tasks like logistics and web design, focusing on enhancing the quality of their ransomware. This led to larger payouts, which were reinvested into hiring specialists and accelerating their success.
### The Kaseya Attack and REvil's Downfall
**REvil** evolved into a "big-game-hunting" operation, targeting organizations with high revenues and cyber insurance policies. The group gained notoriety for hacking **Kaseya** over the July 4, 2021 weekend, impacting over 1,500 businesses, nonprofits, and government agencies. The **FBI** had infiltrated **REvil**'s servers prior to the **Kaseya** attack but could not reveal their hand at the time. The core compromise and the **FBI**'s release of a free decryption key ultimately led to **REvil**'s downfall.
### Shchukin's Whereabouts and Possible Connection to "Ger0in"
According to the **BKA**, **Shchukin** is from Krasnodar, Russia, and is believed to reside there.
"Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia," the **BKA** stated.
While direct connections between **Shchukin** and **UNKNOWN** are scarce, **Intel 471**'s analysis of Russian crime forums suggests a link between **Shchukin** and a hacker identity called "**Ger0in**." **Ger0in** operated large botnets and sold "installs" between 2010 and 2011, allowing cybercriminals to deploy malware to thousands of PCs.

A review of mugshots released by the **BKA** found a match on a birthday celebration from 2023, featuring a man named Daniel wearing the same watch as in the **BKA** photos.