Germany's Ransomware Bust: Why the "Hackerparagraph" Makes It Harder Than It Needs To Be
Here's the thing about major cybercrime arrests: sometimes, the official announcement feels less like a breakthrough and more like a formal confirmation of what the community already knew. That's exactly the vibe I'm getting from the German Federal Criminal Police (BKA) naming Daniil Maksimovich Shchukin (alias "UNKN") and Anatoly Sergeevitsch Kravchuk as alleged leaders of the notorious GandCrab and REvil ransomware groups. This announcement by German police, while a significant step in the ongoing fight against global cybercrime, also highlights a frustrating disconnect between law enforcement and the independent researchers who often get there first. The operations of GandCrab and REvil have left a trail of destruction worldwide, making this identification particularly crucial.
The Incident: Naming Names, Years Later
On Tuesday, April 7, 2026, the BKA officially identified Shchukin as the alleged leader and Kravchuk as a developer behind the notorious GandCrab and REvil operations. These groups are accused of orchestrating over 130 cyberattacks across Germany between 2019 and 2021. The BKA puts the extorted funds at around €2 million, with total economic damages soaring past €35 million. They also credit these groups with pioneering the "double extortion" model, where attackers don't just encrypt your data; they steal it and threaten to leak it if you don't pay. The scale of these attacks by GandCrab and REvil underscores the persistent threat ransomware poses to businesses globally.
This identification is part of a broader international effort. The U.S. Justice Department has already moved to seize Shchukin's cryptocurrency assets. The problem, as always, is that both suspects are believed to be in Russia, which makes extradition a non-starter for now. This geopolitical hurdle often complicates the pursuit of justice for victims of groups like GandCrab and REvil.
But here's where it gets interesting, and frankly, a little frustrating. If you've been following the cybercrime beat, especially in the German-speaking world, you'll know that "UNKN" wasn't exactly a secret identity. Discussions on platforms like Hacker News quickly pointed out that hackers connected to the CCC (Chaos Computer Club) had already unmasked one of these individuals years ago. This raises a critical question: did official investigators independently discover this, or did they eventually catch up to what the hacking community had already figured out? The delay in official recognition of the alleged leaders of GandCrab and REvil highlights a potential gap in information sharing.
How REvil and GandCrab Operated
GandCrab and REvil rose to prominence by perfecting the ransomware-as-a-service (RaaS) model, making sophisticated cyberattacks accessible to a wider network of affiliates. This allowed them to scale their operations rapidly, targeting a vast array of organizations from small businesses to large enterprises. Their success lay not just in their technical prowess, but in their efficient and ruthless operational structure. To understand the scale of what Shchukin and Kravchuk are accused of, you need to look at the attack chain these groups perfected.
The typical chain went something like this:
- Initial Access: They'd get in through common vectors. Think phishing campaigns targeting employees, exploiting vulnerable RDP (Remote Desktop Protocol) instances, or compromising managed service providers (MSPs) to gain access to multiple client networks. (I've seen too many incidents start with an exposed RDP port; it's a classic.)
- Lateral Movement: Once inside, they didn't just encrypt the first machine. They'd use tools like Mimikatz to dump credentials, exploit Active Directory weaknesses, and move across the network, escalating privileges until they had domain administrator access. This let them reach critical servers and backup systems.
- Data Exfiltration: This is the "double extortion" part. Before encrypting anything, they'd identify sensitive data – financial records, customer databases, intellectual property – and exfiltrate it to their own servers. This gave them extra leverage.
- Encryption and Ransom Note: Finally, they'd deploy the ransomware payload, encrypting files across the network. A ransom note would appear, demanding payment in cryptocurrency, often with a threat to leak the stolen data if the victim didn't comply.
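As an added example (not code from the article, the BKA, or any group it names), the small Python triage routine below maps constructed host and network telemetry onto the four stages of the chain just described and escalates as soon as exfiltration is seen, since by then the double-extortion leverage already exists even if encryption never lands. The event field names, the CRED_DUMP_IMAGES list and the thresholds are assumptions for this example.

```python
# Added example: map constructed host/network telemetry onto the four stages
# of the double-extortion chain so a SOC can escalate before encryption lands.
# Event field names, CRED_DUMP_IMAGES and the thresholds are assumptions.
from collections import Counter

STAGES = ("initial_access", "lateral_movement", "exfiltration", "encryption")
CRED_DUMP_IMAGES = {"mimikatz.exe", "procdump.exe"}  # assumed credential-dump tooling

def detect_stages(events, exfil_bytes=1_000_000_000, rename_threshold=50):
    """Return {stage: first_seen_ts} for every chain stage the events support."""
    first_seen, renames, rename_ts = {}, Counter(), {}
    for ev in events:
        t, ts = ev["type"], ev["ts"]
        if t == "logon" and ev.get("proto") == "rdp" and not ev.get("internal", True):
            first_seen.setdefault("initial_access", ts)   # RDP logon from outside
        elif t == "process" and ev.get("image", "").lower() in CRED_DUMP_IMAGES:
            first_seen.setdefault("lateral_movement", ts)  # credential dumping
        elif (t == "netflow" and not ev.get("internal", True)
              and ev.get("bytes_out", 0) >= exfil_bytes):
            first_seen.setdefault("exfiltration", ts)      # bulk outbound transfer
        elif t == "file_rename":                           # mass renames = encryption
            ext = ev["new_ext"]
            renames[ext] += 1
            rename_ts.setdefault(ext, ts)
            if renames[ext] >= rename_threshold:
                first_seen.setdefault("encryption", rename_ts[ext])
    return first_seen

def triage(events):
    """Severity plus the ordered list of stages reached; exfiltration alone is
    already critical because the data is in the attacker's hands."""
    seen = detect_stages(events)
    reached = [s for s in STAGES if s in seen]
    for stage, level in (("encryption", "critical"), ("exfiltration", "critical"),
                         ("lateral_movement", "high"), ("initial_access", "medium")):
        if stage in seen:
            return level, reached
    return "none", reached

# Constructed sample: one external RDP logon, a dump tool, a 6.4 GB upload,
# then 60 files renamed to .locked on the file server.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "logon", "proto": "rdp", "src": "198.51.100.23", "internal": False},
    {"ts": 180, "type": "process", "image": "Mimikatz.exe", "host": "ws07"},
    {"ts": 900, "type": "netflow", "dst": "203.0.113.9", "internal": False, "bytes_out": 6_400_000_000},
] + [{"ts": 1200 + i, "type": "file_rename", "path": f"\\\\fs01\\finance\\doc{i}.xlsx",
      "new_ext": ".locked"} for i in range(60)]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # -> ('critical', ['initial_access', 'lateral_movement', 'exfiltration', 'encryption'])
```

The point of the ordering is that the first three stages are all visible in ordinary telemetry before the ransom note ever appears; a rule that only fires on mass file renames alerts after the leverage has already been taken.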
This model was incredibly effective, turning a simple encryption event into a full-blown data breach, increasing the pressure on victims to pay. The tactics employed by GandCrab and REvil set a dangerous precedent for future ransomware groups.
The Unseen Impact: Beyond the Numbers
The €35 million in economic damages is a stark figure, but the real impact goes deeper. It's the operational downtime for businesses, the reputational damage, the cost of incident response, and the lingering fear of data exposure. For the victims, it's a nightmare scenario that can take months, if not years, to fully recover from, often leading to significant financial strain and even business closure. Beyond the immediate financial hit, there's the erosion of trust, both internally within an organization and externally with its customers and partners. The long-term consequences of attacks by groups like GandCrab and REvil are far-reaching, affecting supply chains and critical infrastructure.
But there's another, less obvious impact here, especially in Germany: the chilling effect of its legal framework on cybersecurity research.
The "Hackerparagraph" Problem
This is the part that really bothers me. While the BKA is doing its job, the broader context in Germany is problematic. The country's "Hackerparagraph" (§202c of the German Criminal Code) criminalizes the preparation of data espionage and data interception. On paper, it sounds like a good idea: prevent criminals from building their toolkits. In practice, it's a blunt instrument that makes life incredibly difficult for whitehat hackers and cybersecurity researchers, inadvertently hindering efforts to combat threats like GandCrab and REvil.
The law is so broadly worded that it can be interpreted to criminalize the mere possession or development of tools that could be used for malicious purposes, even if the intent is purely defensive or for research. This means:
- Hindered Research: Researchers who want to analyze malware, develop defensive tools, or even just understand attack techniques risk legal repercussions. How do you study a ransomware family like REvil effectively if the tools you need to analyze it could land you in trouble? Imagine a researcher attempting to reverse-engineer a GandCrab or REvil sample to understand its weaknesses, only to face potential prosecution for possessing the necessary tools.
- Lack of Collaboration: This creates a wall between the independent cybersecurity community and law enforcement. If whitehats fear prosecution for their research, they're far less likely to share their findings or offer assistance to authorities. This is a self-imposed handicap for Germany in the fight against cybercrime, especially when dealing with sophisticated groups like GandCrab and REvil.
- Distrust: There's a palpable distrust of law enforcement agencies among some in the hacking community, fueled by this legal ambiguity. When independent groups "unmask" criminals, they often do it because they feel official channels are too slow or legally constrained. The distinction between "doxxing" by independent groups and official identification by authorities becomes a point of contention, not just ethically, but practically.
We're talking about a situation where the very people who could help identify and track these criminals are operating under a legal cloud. It's like asking firefighters to put out a blaze but criminalizing the possession of axes and hoses. This legal environment makes the task of German police against groups like GandCrab and REvil unnecessarily complex.
What Needs to Change
The BKA's identification of Shchukin and Kravchuk is a win, even if it's a delayed one. It shows international cooperation can yield results, and it sends a message to threat actors. But we need to look beyond the headlines. The ongoing battle against ransomware, exemplified by the persistent threat of GandCrab and REvil, demands a more cohesive approach.
Germany needs to seriously re-evaluate its "Hackerparagraph." A modern legal framework for cybersecurity must distinguish between malicious intent and legitimate research. It needs to create safe harbors for whitehat activities, encouraging collaboration between the private sector, independent researchers, and law enforcement. Without that, official agencies will continue to play catch-up, missing opportunities to get ahead of the next GandCrab or REvil. The talent and insights of the cybersecurity community are an asset, not a liability to be legislated against. Reforming this law would empower German police and researchers alike in their efforts to dismantle future ransomware operations.