{"id":13495,"date":"2026-04-06T20:55:31","date_gmt":"2026-04-06T20:55:31","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=13495"},"modified":"2026-04-06T20:55:31","modified_gmt":"2026-04-06T20:55:31","slug":"germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab-krebs-on-safety","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=13495","title":{"rendered":"Germany Doxes \u201cUNKN,\u201d Head of RU Ransomware Gangs REvil, GandCrab \u2013 Krebs on Safety"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>An elusive hacker who glided by the deal with \u201c<strong>UNKN<\/strong>\u201d and ran the early Russian ransomware teams <strong>GandCrab<\/strong> and <strong>REvil<\/strong> now has a reputation and a face. Authorities in Germany say 31-year-old Russian <strong>Daniil Maksimovich Shchukin<\/strong> headed each cybercrime gangs and helped perform at the very least 130 acts of laptop sabotage and extortion in opposition to victims throughout the nation between 2019 and 2021.<\/p>\n<p>Shchukin was named as UNKN (a.okay.a. UNKNOWN) in <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/CC_BW\/DMS\/Sachverhalt.html?nn=26874#detailinformationen265540\" target=\"_blank\" rel=\"noopener\">an advisory<\/a> revealed by the <strong>German Federal Prison Police<\/strong> (the \u201cBundeskriminalamt\u201d or BKA for brief). The BKA stated Shchukin and one other Russian \u2014 43-year-old <strong>Anatoly Sergeevitsch Kravchuk <\/strong>\u2014 extorted practically $2 million euros throughout two dozen cyberattacks that brought about greater than 35 million euros in complete financial harm.<\/p>\n<div id=\"attachment_73400\" style=\"width: 765px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-73400\" decoding=\"async\" class=\"size-full wp-image-73400\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-kravchuk.png\" alt=\"\" width=\"755\" height=\"473\"\/><\/p>\n<p id=\"caption-attachment-73400\" class=\"wp-caption-text\"><span class=\"wrapper-text\"><span class=\"caption\">Daniil Maksimovich SHCHUKIN, a.okay.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware teams.<\/span><\/span><\/p>\n<\/div>\n<p>Germany\u2019s BKA stated Shchukin acted as the top of one of many largest worldwide working ransomware teams GandCrab and REvil, which pioneered the apply of double extortion \u2014 charging victims as soon as for a key wanted to unlock hacked programs, and a separate cost in alternate for a promise to not publish stolen information.<\/p>\n<p>Shchukin\u2019s identify appeared in a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-seizure-revil.pdf\" target=\"_blank\" rel=\"noopener\">Feb. 2023 submitting<\/a> (PDF) from the U.S. Justice Division searching for the seizure of varied cryptocurrency accounts related to proceeds from the REvil ransomware gang\u2019s actions. The federal government stated the digital pockets tied to Shchukin contained greater than $317,000 in ill-gotten cryptocurrency.<\/p>\n<p>The Gandcrab ransomware associates program first surfaced in January 2018, and paid enterprising hackers enormous shares of the earnings only for hacking into consumer accounts at main companies. The Gandcrab crew would then attempt to broaden that entry, typically siphoning huge quantities of delicate and inner paperwork within the course of. The malware\u2019s curators shipped 5 main revisions to the GandCrab code, every corresponding with sneaky new options and bug fixes geared toward thwarting the efforts of laptop safety corporations to stymie the unfold of the malware.<\/p>\n<p>On Might 31, 2019, the GandCrab crew <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2019\/07\/whos-behind-the-gandcrab-ransomware\/\" target=\"_blank\" rel=\"noopener\">introduced<\/a> the group was shutting down after extorting greater than $2 billion from victims. \u201cWe&#8217;re a dwelling proof that you are able to do evil and get off scot-free,\u201d GandCrab\u2019s farewell handle famously quipped. \u201cNow we have proved that one could make a lifetime of cash in a single 12 months. Now we have proved that you could change into primary by normal admission, not in your individual conceit.\u201d<\/p>\n<p>The REvil ransomware associates program materialized across the identical as GandCrab\u2019s demise, fronted by a consumer named UNKNOWN who introduced on a Russian cybercrime discussion board that he\u2019d deposited $1 million within the discussion board\u2019s escrow to point out he meant enterprise. By this time, many cybersecurity specialists <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2019\/07\/is-revil-the-new-gandcrab-ransomware\/\" target=\"_blank\" rel=\"noopener\">had concluded<\/a> REvil was little greater than a reorganization of GandCrab.<\/p>\n<p>UNKNOWN additionally gave <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/therecord.media\/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown\" target=\"_blank\" rel=\"noopener\">an interview<\/a> to <strong>Dmitry Smilyanets<\/strong>, a former malicious hacker employed by <strong>Recorded Future<\/strong>, whereby UNKNOWN described a rags-to-riches story unencumbered by ethics and morals.<\/p>\n<p>\u201cAs a baby, I scrounged by way of the trash heaps and smoked cigarette butts,\u201d UNKNOWN advised Recorded Future. \u201cI walked 10 km one technique to the varsity. I wore the identical garments for six months. In my youth, in a communal residence, I didn\u2019t eat for 2 and even three days. Now I&#8217;m a millionaire.\u201d<span id=\"more-73394\"\/><\/p>\n<p>As described in <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.amazon.com\/Ransomware-Hunting-Team-Improbable-Cybercrime\/dp\/0374603308\" target=\"_blank\" rel=\"noopener\">The Ransomware Searching Staff<\/a> by <strong>Renee Dudley<\/strong> and <strong>Daniel Golden<\/strong>, UNKNOWN and REvil reinvested important earnings into bettering their success and mirroring practices of official companies. The authors wrote:<\/p>\n<blockquote>\n<p>\u201cSimply as a real-world producer may rent different corporations to deal with logistics or net design, ransomware builders more and more outsourced duties past their purview, focusing as an alternative on bettering the standard of their ransomware. The upper high quality ransomware\u2014which, in lots of instances, the Searching Staff couldn&#8217;t break\u2014resulted in additional and better pay-outs from victims. The monumental funds enabled gangs to reinvest of their enterprises. They employed extra specialists, and their success accelerated.\u201d<\/p>\n<p>\u201cCriminals raced to hitch the booming ransomware financial system. Underworld ancillary service suppliers sprouted or pivoted from different felony work to fulfill builders\u2019 demand for custom-made help. Partnering with gangs like GandCrab, \u2018cryptor\u2019 suppliers ensured ransomware couldn&#8217;t be detected by commonplace anti-malware scanners. \u2018Preliminary entry brokerages\u2019 specialised in stealing credentials and discovering vulnerabilities in goal networks, promoting that entry to ransomware operators and associates. Bitcoin \u201ctumblers\u201d supplied reductions to gangs that used them as a most well-liked vendor for laundering ransom funds. Some contractors have been open to working with any gang, whereas others entered unique partnerships.\u201d<\/p>\n<\/blockquote>\n<p>REvil would evolve right into a feared \u201cbig-game-hunting\u201d machine able to extracting hefty extortion funds from victims, largely going after organizations with greater than $100 million in annual revenues and fats new cyber insurance coverage insurance policies that have been identified to pay out.<\/p>\n<p>Over the July 4, 2021 weekend in the US, REvil hacked into and <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2021\/07\/kaseya-left-customer-portal-vulnerable-to-2015-flaw-in-its-own-software\/\" target=\"_blank\" rel=\"noopener\">extorted Kaseya<\/a>, an organization that dealt with IT operations for greater than 1,500 companies, nonprofits and authorities businesses. The FBI would later announce they\u2019d infiltrated the ransomware group\u2019s servers previous to the Kaseya hack however couldn\u2019t tip their hand on the time. REvil by no means recovered from that core compromise, or from the FBI\u2019s launch of a free decryption key for REvil victims who couldn\u2019t or didn\u2019t pay.<\/p>\n<p>Shchukin is from Krasnodar, Russia and is assumed to reside there, the BKA stated.<\/p>\n<p>\u201cBased mostly on the investigations to this point, it&#8217;s assumed that the wished particular person is overseas, presumably in Russia,\u201d the BKA suggested. \u201cJourney behaviour can&#8217;t be dominated out.\u201d<\/p>\n<p>There may be little that connects Shchukin to UNKNOWN\u2019s varied accounts on the Russian crime boards. However a assessment of the Russian crime boards listed by the cyber intelligence agency <strong>Intel 471<\/strong> exhibits there&#8217;s a lot connecting Shchukin to a hacker id known as \u201c<strong>Ger0in<\/strong>\u201d who operated giant botnets and offered \u201cinstalls\u201d \u2014 permitting different cybercriminals to quickly deploy malware of their option to hundreds of PCs in a single go. Nonetheless, Ger0in was solely lively between 2010 and 2011, properly earlier than UNKNOWN\u2019s look because the REvil entrance man.<\/p>\n<p>A assessment of the mugshots launched by the BKA on the picture comparability website Pimeyes discovered a match on <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/event-myata.ru\/private\/02#!\/tab\/581005712-2\" target=\"_blank\" rel=\"noopener\">this birthday celebration from 2023<\/a>, which incorporates a younger man named Daniel sporting the identical fancy watch as within the BKA pictures.<\/p>\n<div id=\"attachment_73401\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-bday.png\" target=\"_blank\" rel=\"noopener\"><img aria-describedby=\"caption-attachment-73401\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-73401\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-bday.png\" alt=\"\" width=\"750\" height=\"170\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-bday.png 1525w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-bday-768x174.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/04\/shchukin-bday-782x177.png 782w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\"\/><\/a><\/p>\n<p id=\"caption-attachment-73401\" class=\"wp-caption-text\">Pictures from Daniil Shchukin\u2019s celebration celebration in Krasnodar in 2023.<\/p>\n<\/div>\n<p><strong>Replace, April 6, 12:06 p.m. ET<\/strong>: A <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/infosec.exchange\/@odr_k4tana\" target=\"_blank\" rel=\"noopener\">reader<\/a> forwarded <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/us.mirror.ionos.com\/projects\/media.ccc.de\/congress\/2023\/mp3-translated\/37c3-12134-eng-Hirne_hacken_Hackback_Edition_mp3-2.mp3\" target=\"_blank\" rel=\"noopener\">this English-dubbed audio recording<\/a> from the a ccc.de (37C3) convention speak in Germany from 2023 that beforehand outed Shchukin because the REvil chief (Shchuckin is talked about at round 24:25).<\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>An elusive hacker who glided by the deal with \u201cUNKN\u201d and ran the early Russian ransomware teams GandCrab and REvil now has a reputation and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed each cybercrime gangs and helped perform at the very least 130 acts of laptop sabotage and extortion in [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13497,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[8541,8544,1755,6924,262,500,8543,211,8542],"class_list":["post-13495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-doxes","tag-gandcrab","tag-gangs","tag-germany","tag-krebs","tag-ransomware","tag-revil","tag-security","tag-unkn"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13495"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13495\/revisions"}],"predecessor-version":[{"id":13496,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13495\/revisions\/13496"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/13497"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69c6f7b5190636d50e9f6768. Config Timestamp: 2026-03-27 21:33:41 UTC, Cached Timestamp: 2026-04-07 00:19:03 UTC -->