Germany Names REvil UNKN Leader: Why It Matters for Ransomware in 2026

Why Germany Naming REvil's 'UNKN' Isn't 'Doxing' – And What It Means for Ransomware Operations

Here's the thing: when Germany's Federal Criminal Police Office (BKA) publicly identified Daniil Maksimovich Shchukin as "UNKN," the alleged leader of REvil and GandCrab, a lot of people immediately jumped to "doxing." But Germany naming REvil's UNKN isn't a vigilante group leaking private details with malicious intent. It is a law enforcement agency, after years of investigation, formally accusing a suspect. The distinction matters for how we understand cyber justice.

The BKA isn't just throwing names out there. They're laying out a case, and it's a significant move in the ongoing fight against ransomware.

The Incident: Naming Names and Counting Costs

On Monday, April 6, 2026, the BKA announced they'd identified two key figures behind the notorious REvil (Sodinokibi) ransomware-as-a-service (RaaS) operation. The main target: Daniil Maksimovich Shchukin, 31, a Russian national known online as UNKN, Oneiilk2, and even GandCrab. They say he led GandCrab and REvil from early 2019 until at least July 2021. The second individual identified is Anatoly Sergeevitsch Kravchuk, 43, also Russian, who they allege was a developer for REvil during the same period.

The numbers are stark. The BKA accuses Shchukin of at least 130 computer sabotage and extortion acts in Germany alone. These attacks led to nearly €2 million ($2.19 million) in ransom payments across 25 cases, but the total economic damage to German organizations exceeded €35.4 million ($40.8 million). That's a lot of lost productivity, recovery costs, and reputational hits.

This isn't "doxing" in the traditional sense. This is an official accusation, backed by what the BKA claims is substantial evidence. They even matched mugshots of Shchukin to 2023 birthday celebration photos from Krasnodar, Russia, where he's presumed to reside. This isn't about private individuals revealing personal information; it's about a state agency identifying a criminal suspect. The difference is crucial for legal and public discourse, as many on Hacker News rightly pointed out.

How REvil Operated: RaaS, Double Extortion, and the FBI's Play

REvil, also known as Sodinokibi, Water Mare, or Gold Southfield, wasn't just another ransomware group. It was a direct successor to GandCrab, which shut down in May 2019 after extorting over $2 billion. REvil materialized almost immediately after GandCrab's demise, with UNKN fronting the operation and even depositing $1 million in escrow on a Russian cybercrime forum to build trust with affiliates. Cybersecurity experts quickly saw it as a reorganization of the same threat actors.

Their mechanism was simple but effective: a Ransomware-as-a-Service (RaaS) model. This meant the core developers, like Kravchuk, built and maintained the malware, while affiliates handled the actual intrusions and negotiations. The affiliates got a cut, and the developers got theirs. It's a business model, and it worked.

REvil also pioneered "double extortion." It wasn't enough to just encrypt your systems and demand a key. They'd also steal your sensitive data and threaten to publish it if you didn't pay a second ransom. This added immense pressure, especially for organizations with regulatory compliance requirements or sensitive intellectual property.

They evolved into a "big-game-hunting" operation, specifically targeting organizations with over $100 million in annual revenues. Think about the Kaseya hack in July 2021. That incident, which occurred over a holiday weekend, impacted over 1,500 businesses, nonprofits, and government agencies that relied on Kaseya's IT management software. It was a supply chain attack that sent shockwaves through the industry.

Here's what actually happened with Kaseya: the FBI had already infiltrated REvil's servers before that attack. They were watching. After the Kaseya incident, the FBI released a free decryption key for REvil victims. That was a strategic blow. REvil never really recovered from that compromise and the public release of their key. They went offline in mid-July 2021, resurfaced briefly in September, then ceased operations entirely by October when their data leak site became inaccessible due to law enforcement actions.

The Impact: A Strategic Shift in Cybercrime Enforcement

The BKA's identification of Shchukin and Kravchuk, and particularly its public naming of REvil's leader UNKN, isn't just about these two individuals; it's a clear signal to the broader cybercrime ecosystem. On Reddit, I've seen discussions highlighting this as a significant milestone that could disrupt future cybercrime strategies.

First, it shows the depth and persistence of international law enforcement investigations. These aren't quick wins; these are years of tracking, correlating, and building cases. The fact that they could match Shchukin's mugshots to recent personal photos speaks volumes about the intelligence gathering involved.

Second, it puts a face and a name to the anonymous monikers. For years, "UNKN" was just a handle on a forum. Now, it's Daniil Maksimovich Shchukin, a 31-year-old Russian national. This makes it personal for the criminals. It means their anonymity isn't guaranteed, and their digital footprints can eventually lead to their real-world identities. This could lead to further monitoring of their assets and potential new aliases, as Reddit users pointed out. The U.S. Justice Department already sought seizure of cryptocurrency accounts linked to REvil in February 2023, and a digital wallet tied to Shchukin contained over $317,000 in crypto. That's real money, and it's now a target.

Third, it's a tactical shift. Even if Shchukin and Kravchuk are currently beyond the reach of German law enforcement in Russia, this public identification creates immense pressure. It limits their ability to travel internationally, conduct overt business, or operate freely. It also serves as a warning to other ransomware operators: you might think you're anonymous, but we're watching, and we're building files.

The Response: A Multi-Agency, Long-Game Approach

This BKA announcement is just one piece of a much larger, coordinated international response. The BKA's official statement highlights the collaborative effort.

  • FBI's Infiltration: The FBI's actions against REvil, infiltrating their servers and releasing a decryption key, were a direct operational countermeasure that effectively crippled the group.
  • Romanian Arrests: Weeks after REvil's data leak site went dark in October 2021, Romanian authorities arrested two REvil affiliates.
  • Russian FSB Actions: Even Russia's Federal Security Service (FSB) disclosed arrests of several REvil members and the neutralization of their operations in January 2022. Kommersant reported that four arrested REvil members were imprisoned in October 2024. This shows that even in complex geopolitical environments, there can be some level of cooperation or parallel action against these groups.

For organizations, the response remains consistent:

  1. Patching and Vulnerability Management: REvil often exploited known vulnerabilities. Keep your systems updated.
  2. Robust Backup Strategy: Offline, immutable backups are your last line of defense against encryption.
  3. Multi-Factor Authentication (MFA): Implement MFA everywhere, especially for remote access and privileged accounts.
  4. Network Segmentation: Limit lateral movement for attackers.
  5. Incident Response Plan: Have a tested plan in place. Know who to call and what to do when an incident occurs.

This isn't about immediate arrests; it's about the long game. Law enforcement agencies are getting better at connecting the digital dots to real-world identities. The public naming of UNKN is a definitive statement: the era of anonymous, consequence-free ransomware operations is ending.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.