BKA unmasks REvil and GandCrab leaders behind 130 German attacks
Germany’s Federal Criminal Police Office (BKA) has officially identified the person behind the handle “UNKN” — the public face and operator of the GandCrab and REvil ransomware groups — as 31-year-old Russian national Daniil Maksimovich Shchukin. A second suspect, 43-year-old Anatoly Sergeevitsch Kravchuk, believed to be REvil’s developer, has also been named. Both are wanted internationally and believed to be in Russia.
What the BKA investigation revealed
The BKA advisory published on 5 April 2026 names Shchukin and Kravchuk as the heads of the GandCrab and REvil operations from at least early 2019 until at least July 2021. According to Krebs on Security, German authorities linked the pair to at least 130 acts of computer sabotage and extortion against organisations across Germany during that period. In 25 confirmed cases, victims paid ransom — totalling approximately €1.9 million (~$2.2M) in direct payments. Total economic damage from the German cases alone is estimated at more than €35 million (~$40M).
Shchukin operated under the aliases UNKN, UNKNOWN, and several others, serving as the public representative of the operation — recruiting affiliates on forums like XSS and acting as spokesman for the RaaS programme. Kravchuk is suspected of being the technical developer behind REvil itself. Both are believed to currently reside in Russia. The BKA has added their details, including tattoo photographs, to the EU’s Most Wanted portal.
A 2023 US Justice Department filing independently connected Shchukin to a cryptocurrency wallet holding over $317,000 in proceeds linked to REvil activity.
Who REvil and GandCrab were
GandCrab launched in January 2018 and operated as one of the first sophisticated ransomware-as-a-service platforms, allowing criminal affiliates to deploy the malware in exchange for a share of ransom proceeds. By May 2019, its operators voluntarily shut it down, claiming to have collected over $2 billion globally. REvil — widely assessed as GandCrab’s direct successor — emerged almost simultaneously and continued the same model.
REvil’s most significant attack came in July 2021, when the group compromised Kaseya, an IT management platform, affecting more than 1,500 downstream organisations in a single supply chain incident. The group went offline shortly after. In January 2022, Russian authorities arrested several members — in a rare move that reflected the geopolitical pressures of the moment. Four members were sentenced in Russia in October 2024. The group has not conducted significant operations since late 2021.
The BKA’s identification of Shchukin and Kravchuk is therefore not a response to active attacks — it is the completion of a long-running attribution investigation into the architects of the ransomware-as-a-service model that shaped the entire threat landscape that followed.
Why this matters beyond REvil
REvil’s operational blueprint — affiliate networks, double extortion, dark web recruitment, and targeting companies by revenue and insurance coverage — became the template for every major ransomware group that followed. BlackCat, LockBit, RansomHub, and others are direct descendants of the model Shchukin and Kravchuk built and scaled.
The BKA investigation reveals how that model operated in practice. German organisations were not randomly selected. The group systematically identified companies with exposed remote access points, publicly available credentials, and high-value data — then ran reconnaissance for weeks before deploying ransomware. The extended dwell time before encryption is a consistent pattern across modern ransomware operations: access is established, backup systems are mapped, and deployment is timed for maximum impact.
This attribution also provides a clearer picture of how RaaS operators compartmentalise risk. Shchukin’s role as the public-facing recruiter and spokesman was deliberately separated from the technical development handled by Kravchuk. This structure is now standard — and it means that even when law enforcement dismantles or identifies core operators, affiliate networks continue operating under different banners.
What security teams should take from this
The targeting methodology REvil used against German organisations is the same methodology in use today across the ransomware ecosystem. The specific indicators worth auditing:
- Exposed remote access systems — RDP, VPN endpoints, and remote management interfaces visible from the internet remain the most common initial access vector across all major ransomware groups
- Credential exposure — REvil affiliates purchased access from initial access brokers and sourced credentials from dark web markets. Monitoring for your organisation’s credentials in these channels provides early warning before access is weaponised
- Backup system accessibility — REvil affiliates specifically mapped backup infrastructure before deployment to maximise leverage. Backup systems reachable from compromised network segments remain a critical exposure
- Third-party and vendor access — supply chain entry points were central to REvil’s most damaging attacks, including Kaseya. Vendor connections with excessive network access are a persistent blind spot
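The four indicators above can be turned into a repeatable audit over an asset and account inventory. The following is an added example (not CybelAngel's code or any product's logic); every host name, network segment, account and the leaked-credential feed are constructed for illustration, and the choice of which ports count as remote access and which segment may reach backups is an assumption stated in the comments.

```python
# Added example, not CybelAngel's code: audit a constructed asset inventory against
# the four indicators listed above. Every host, segment, account and the leaked
# credential feed is invented for illustration.
from collections import namedtuple

# Services that count as exposed remote access when reachable from the internet.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM",
                       1194: "OpenVPN", 4500: "IPsec VPN"}
# Assumption: only this management segment should be able to reach backup hosts.
BACKUP_ALLOWED_SEGMENTS = {"backup-mgmt"}

# host, role ("backup", "server", ...), internet_facing, open_ports, reachable_from
Asset = namedtuple("Asset", "host role internet_facing open_ports reachable_from")
# name, is_vendor, segments the account is allowed to log into
Account = namedtuple("Account", "name is_vendor segments")

def audit(assets, accounts, leaked_usernames):
    """Return (indicator, subject, detail) tuples, sorted for stable output."""
    findings = []
    for a in assets:
        if a.internet_facing:                       # indicator 1: exposed remote access
            for port in a.open_ports:
                if port in REMOTE_ACCESS_PORTS:
                    findings.append(("exposed_remote_access", a.host,
                                     f"{REMOTE_ACCESS_PORTS[port]}/{port}"))
        if a.role == "backup":                      # indicator 3: backup reachability
            bad = sorted(set(a.reachable_from) - BACKUP_ALLOWED_SEGMENTS)
            if bad:
                findings.append(("backup_reachable", a.host, ",".join(bad)))
    for acc in accounts:
        if acc.name in leaked_usernames:            # indicator 2: credential exposure
            findings.append(("credential_exposed", acc.name, "username in leak feed"))
        if acc.is_vendor and len(acc.segments) > 1: # indicator 4: over-broad vendor access
            findings.append(("vendor_overbroad", acc.name, ",".join(sorted(acc.segments))))
    return sorted(findings)

# Constructed sample inventory and leak feed.
ASSETS = [
    Asset("vpn-gw.example.test", "vpn", True, (443, 4500), ("internet",)),
    Asset("jump01.example.test", "server", True, (3389,), ("internet",)),
    Asset("bkp01.example.test", "backup", False, (445,), ("backup-mgmt", "user-lan")),
    Asset("ws042.example.test", "workstation", False, (3389,), ("user-lan",)),
]
ACCOUNTS = [
    Account("j.doe", False, ("user-lan",)),
    Account("msp-support", True, ("user-lan", "server-lan", "backup-mgmt")),
]
LEAKED = {"j.doe"}
```

Running `audit(ASSETS, ACCOUNTS, LEAKED)` flags the internet-facing RDP and IPsec services, the backup host reachable from the user LAN, the leaked username and the vendor account with access to three segments, while the internal workstation with RDP open only to its own LAN produces no finding.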
How CybelAngel addresses these exposures
The attack patterns REvil pioneered — credential theft, exposed remote access, dark web targeting — are exactly the threat vectors that CybelAngel’s external threat intelligence platform monitors continuously.
Our Credential Intelligence module detects compromised credentials linked to your domains across dark web sources, underground forums, and initial access broker markets — the same channels REvil affiliates used to purchase access to German targets. Early detection of exposed credentials is the intervention point that prevents access from becoming a breach.
Dark Web Monitoring tracks mentions of your organisation, leaked data, and threat actor discussions targeting your sector across sources that internal security operations cannot reach. When ransomware groups are active in your industry, that intelligence appears in dark web channels before it reaches your perimeter.
Attack Surface Management gives you the outside-in view of your organisation that attackers use during reconnaissance — identifying exposed remote access systems, misconfigured infrastructure, and internet-facing assets before they appear on a threat actor’s target list.
For more on the ransomware groups that emerged from REvil’s blueprint, read our 2025 cyber threats review or explore how external threat intelligence gives security teams early warning of targeting activity.
