Germany Identifies Alleged REvil and GandCrab Leader Behind 130 Ransomware Attacks
Germany's Federal Criminal Police Office (BKA) identified 31-year-old Russian national Daniil Maksimovich Shchukin as UNKN/UNKNOWN, the alleged leader and public face of the GandCrab and REvil ransomware operations, and named Anatoly Sergeevitsch Kravchuk, 43, as an alleged developer. Authorities said the pair were involved in ransomware activity from early 2019 through at least July 2021 and linked them to 130 attacks in Germany, including about 25 cases that generated roughly €1.9 million in ransom payments and caused more than €35 million in economic damage.
German investigators described GandCrab and REvil as highly organized ransomware-as-a-service enterprises that helped popularize double extortion and relied on affiliates, access brokers, malware obfuscation providers, and money-laundering support. REvil was among the most prolific ransomware groups, hitting major victims including JBS and Kaseya, before collapsing under mounting law-enforcement pressure after the FBI infiltrated its infrastructure; the gang briefly resurfaced before disappearing in late 2021, followed by affiliate arrests in Romania and a broader disruption announced by Russia's FSB in 2022.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Germany's BKA identifies alleged REvil and GandCrab leaders
German authorities publicly identified 31-year-old Daniil Maksimovich Shchukin as the actor known as UNKN or UNKNOWN and 43-year-old Anatoly Sergeevitsch Kravchuk as a developer tied to REvil and GandCrab. The BKA alleged they were responsible for 130 ransomware attacks in Germany between 2019 and 2021.
German authorities announce further cybercrime enforcement success
German authorities announced an additional success in their fight against organized cybercrime in a case linked to alleged REvil/GandCrab actors. The notice is a new official law-enforcement development that preceded the later April 2026 reporting on the public identification.
Germany publicly identifies REvil figure 'UNKN'
A May 2023 report said German authorities publicly identified the actor known as UNKN, describing him as a leader tied to the REvil and GandCrab ransomware operations. The disclosure attributed the identification to German law enforcement reporting referenced by KrebsOnSecurity.
U.S. forfeiture filing names Shchukin in REvil proceeds case
A 2023 U.S. Justice Department forfeiture filing tied to REvil proceeds included Daniil Maksimovich Shchukin's name. The filing connected him to funds associated with the ransomware operation.
Romanian authorities arrest REvil affiliates
After REvil's collapse, law enforcement actions included arrests of affiliates in Romania. These arrests were part of the wider crackdown on participants in the ransomware-as-a-service operation.
Russia's FSB announces arrests of REvil members
In January 2022, Russia's FSB said it had arrested several REvil members and disrupted the ransomware gang. This followed broader international efforts targeting the group's infrastructure and affiliates.
REvil briefly resurfaces before ceasing operations
After going dark, REvil briefly returned online but had ceased operations by October 2021. Reports linked the shutdown to increasing pressure from investigators and prior infiltration of the group's servers by the FBI.
REvil goes offline in mid-July 2021
The REvil ransomware operation went offline in mid-July 2021 amid mounting law enforcement pressure. Around this period, the actor known as UNKN reportedly disappeared from cybercrime forums and another figure, REvil/0_neday, became the group's public face.
Kaseya attack accelerates pressure on REvil
In 2021, REvil's major attack on Kaseya intensified international law enforcement scrutiny of the group. The fallout from that incident was cited as part of the gang's subsequent decline.
REvil and GandCrab operators conduct German ransomware attacks
Across roughly two dozen German cases, the suspects allegedly extorted about €1.9 million in ransom payments and caused more than €35 million in economic damage. The attacks were attributed to the GandCrab and later REvil ransomware-as-a-service operations.
REvil/GandCrab activity in Germany begins
German authorities said Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk were involved in GandCrab/REvil ransomware activity affecting Germany from at least early 2019. Investigators later tied them to 130 acts of computer sabotage and extortion in Germany between 2019 and 2021.


