Technology · Apr 7, 2026 · 3 min read

Bosses of REvil and GandCrab Identified: German Police Reveal the Faces of Ransomware

The Federal Criminal Police Office of Germany (BKA) has officially lifted the veil of anonymity protecting the leaders of two of the most aggressive ransomware operations in recent history. The investigations, focused on the period between the beginning of 2019 and July 2021, have led to the identification of two Russian nationals: 31-year-old Daniil Maksimovich Shchukin and 43-year-old Anatoly Sergeevitsch Kravchuk.

Kravchuk, Anatoly Sergeevitsch - Shchukin, Daniil Maksimovich

The two are accused of orchestrating the criminal activities of GandCrab and its direct successor, REvil (also known as Sodinokibi), turning cyber extortion into a multi-million dollar industry. Shchukin, in particular, has been identified as the face behind the alias UNKN (or UNKNOWN). For years, this figure operated as the official spokesperson of the group on major cybercrime forums, managing public relations, recruiting new affiliates, and publishing stolen data to force ransom payments.

Identifying the top figures of GandCrab and REvil: the German investigation reaches a turning point

The identification of UNKN represents a crucial turning point, as Shchukin was not just a technical administrator, but the communicative linchpin that allowed REvil to acquire a reputation for ruthless efficiency in the underbelly of the deep web.

The two suspects' activities hit Germany directly. According to data released by the BKA, Shchukin and Kravchuk are responsible for at least 130 extortion cases specifically targeting companies and institutions in Germany. Although only 25 victims actually paid the ransom, for a total of $2.2 million, the real economic damage is far higher. Official estimates put financial losses above $40 million, counting the costs of system restoration, loss of intellectual property, and production downtime at the affected entities.

The rise of GandCrab in early 2018 had already marked a shift thanks to the massive adoption of the Ransomware-as-a-Service (RaaS) model. When the original leader announced his withdrawal in June 2019, stating that he had amassed a fortune sufficient to pursue legal businesses, the infrastructure was not dismantled. Instead, it was restructured under the REvil brand, integrating even more aggressive tactics like “double extortion.” Shchukin and Kravchuk capitalized on the experience of GandCrab affiliates, scaling operations to target giants like Acer and orchestrating the Kaseya supply-chain attack, which paralyzed around 1,500 companies worldwide.

However, the effectiveness of German countermeasures collides with a complex geopolitical reality. Despite the issuance of international arrest warrants and the inclusion of the two Russians in the EU Most Wanted portal, Shchukin and Kravchuk are currently in Russia, a country that has no intention of proceeding with their extradition. Additionally, other gang members arrested by Russian authorities in January 2022 were convicted of minor offenses related to credit card fraud and released during 2025 at the end of their sentences, potentially returning to operational status in cybercrime.

To counter this de facto impunity, the BKA has undertaken a strategy of “public pressure,” disseminating wanted posters and detailed photographs of the suspects' tattoos. The aim is to make Shchukin and Kravchuk international pariahs, preventing them from traveling outside Russian borders and complicating any financial interactions. The German police have reiterated that the hunt remains open, urging anyone with information about their whereabouts to come forward, in the hope of bringing them before a European court.