Germany Uncovers Identities of REvil Ransomware Operators
Germany’s Federal Criminal Police Office (BKA) has revealed the true identities of two key figures linked to the now-defunct REvil ransomware-as-a-service (RaaS) operation.
One of the individuals, known as UNKN, acted as a spokesperson for the group and promoted the ransomware on the XSS cybercrime forum in June 2019. He has been identified as Daniil Maksimovich Shchukin, a 31-year-old Russian national who also used aliases such as Oneiilk2, Oneillk2, Oneillk22, and GandCrab.
According to a report by independent security journalist Brian Krebs, BKA stated that Shchukin, in collaboration with others, led the GandCrab/REvil ransomware group from early 2019 until at least July 2021, demanding large ransom payments in exchange for decrypting and not leaking data.
Another individual on the wanted list is Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian born in Makiivka, Ukraine, who is believed to have been the developer of REvil during the same period.
Shchukin and Kravchuk are suspected of carrying out 130 ransomware attacks in Germany, 25 of which led to ransom payments of €1.9 million ($2.19 million). The financial damages from these incidents totaled over €35.4 million ($40.8 million).
REvil, also known as Water Mare and Gold Southfield, targeted companies like JBS and Kaseya before mysteriously going offline in mid-2021. The group resurfaced briefly before ceasing operations in October 2021, with its data leak site being shut down as part of a law enforcement operation. Subsequently, Romanian authorities arrested two individuals affiliated with REvil.
In January 2022, Russia’s Federal Security Service (FSB) announced the arrest of several REvil members and the dismantling of the group’s operations. Four members were sentenced to prison in October 2024, according to reports.
UNKN vanished from cybercrime forums around the same time, leading another user, later renamed 0_neday, to take over as the public face of the gang’s activities.
In a March 2021 interview with Recorded Future’s Dmitry Smilyanets, UNKN revealed that he had been involved in ransomware since 2007 and had up to 60 affiliates working for the group at one point. He shared a personal story of overcoming hardship to achieve financial success through cybercrime.

