
Who Ran REvil Ransomware? Germany Finally Has Answers


For years, one of the most feared names in cybercrime belonged to no one — at least, no one with a face or a real identity. That changed this week. Germany’s Federal Criminal Police Office, the Bundeskriminalamt (BKA), has publicly identified two Russian nationals as the men who ran both GandCrab and REvil ransomware — the criminal operations that extorted hundreds of millions from businesses, hospitals, and governments worldwide. After years of hiding behind online aliases, the bosses of REvil ransomware now have names, faces, and entries on the EU’s Most Wanted list.

From Anonymous to Identified: Who Are These Men?

The primary suspect is Daniil Maksimovich Shchukin, a 31-year-old Russian national who operated online under the alias UNKN, also written as UNKNOWN. For years, UNKN was a known presence on cybercrime forums, openly advertising REvil’s affiliate program and acting as a public-facing representative of the group. Despite that visibility, his real identity stayed hidden. That is no longer the case.

The second suspect is Anatoly Sergeevitsch Kravchuk, 43, a Ukraine-born Russian citizen who served as a key technical developer for the operations. Together, the BKA links both men to at least 130 ransomware attacks targeting victims in Germany between 2019 and 2021. At least 25 of those victims paid a combined total of roughly $2.2 million in ransom. The broader economic damage caused by their campaigns in Germany alone exceeded $40 million.

Authorities believe both men are currently in Russia. The BKA has released photographs of each suspect, including tattoo images, to assist with identification. Neither has been arrested.

GandCrab Came First

To understand REvil ransomware, you need to go back one step further. GandCrab launched in January 2018 and was one of the first major ransomware operations to run on a ransomware-as-a-service (RaaS) model. That means the people behind it did not carry out attacks themselves. Instead, they built the malware, then rented access to it. Other hackers — called affiliates — paid to use the tool, launched their own attacks, and handed back a cut of whatever ransom they collected.

It was, in effect, a criminal franchise. And it worked. By May 2019, GandCrab’s operators claimed the operation had earned over $2 billion before they shut it down voluntarily.

Shchukin is believed to have been central to both GandCrab and its successor. When GandCrab closed, the same infrastructure, the same people, and the same tactics resurfaced under the REvil name.

REvil Raised the Stakes

REvil, also known as Sodinokibi, built on everything GandCrab had established — and then pushed further. The group shifted its focus to larger targets, deliberately pursuing organizations with annual revenues above $100 million. They called this approach “big-game hunting,” and it allowed them to demand ransoms that dwarfed what smaller operations ever attempted.

REvil also popularized what is now a standard criminal tactic: double extortion. Victims were hit twice. First, their systems were encrypted and held for ransom. Then, the attackers threatened to publish the stolen data unless a second payment came through. Paying once was no longer enough.

High-Profile Victims

The group’s reach was significant. REvil attacked Acer, multiple Texas local governments, and the law firm representing celebrities including Lady Gaga. Its most damaging operation was the 2021 attack on Kaseya, a software provider whose product is used by managed service providers around the world. That single attack cascaded through the supply chain and impacted an estimated 1,500 businesses, nonprofits, and public institutions downstream.

The Kaseya attack accelerated REvil’s downfall. Law enforcement agencies had already gained access to the group’s infrastructure before the attack. By mid-July 2021, REvil went dark. The group briefly resurfaced before shutting down entirely. In January 2022, Russian authorities arrested more than a dozen members. Four were later convicted and sentenced.

Crypto Trails and Prior Flags

Shchukin’s name was not entirely new to investigators. A 2023 filing from the U.S. Department of Justice, related to the seizure of cryptocurrency linked to REvil, already flagged a digital wallet connected to him. That wallet held more than $317,000 in traced illicit funds. The BKA’s public identification now puts a full name and photograph to what was previously just a flagged account.

Part of a Wider European Push

This announcement does not stand alone. Earlier in 2026, German law enforcement identified two Ukrainian suspects linked to the Black Basta ransomware group and placed that group’s alleged Russian leader on an international wanted list. The BKA’s move against the REvil ransomware suspects fits a broader pattern — European authorities are increasingly naming ransomware operators publicly, even when arrests remain out of reach.

Placing suspects on the EU’s Most Wanted list and releasing identifying photographs serves a purpose beyond symbolism. It limits their movement, complicates their financial activity, and signals to the broader criminal ecosystem that anonymity has a shelf life.

Final Thoughts

The men behind REvil ransomware hid in plain sight for years. UNKN gave interviews, advertised openly on forums, and built a criminal empire worth hundreds of millions — all without anyone knowing his real name. The BKA has now changed that. Daniil Shchukin and Anatoly Kravchuk are publicly named, internationally wanted, and entered on the EU’s Most Wanted list. They remain in Russia and beyond immediate reach. But their anonymity — the most valuable asset any cybercriminal possesses — is gone. For operations that ran on reputation and fear, losing that may matter more than people think.

Janet Andersen
