The Unmasking of UNKN: A Step-by-Step Guide to How German Authorities Identified the Head of REvil and GandCrab Ransomware Gangs

<h2 id="overview">Overview</h2>
<p>In a landmark development for cybersecurity and international law enforcement, Germany’s Federal Criminal Police (BKA) publicly identified the individual behind the pseudonym <strong>UNKN</strong> (also known as UNKNOWN) as <strong>Daniil Maksimovich Shchukin</strong>, a 31-year-old Russian national. Shchukin is alleged to have led two of the most notorious ransomware operations in history: <strong>GandCrab</strong> and <strong>REvil</strong>. This guide unpacks the investigative techniques that led to his exposure, offering a practical roadmap for understanding how cybercriminals are unmasked. By examining BKA’s advisory, cryptocurrency tracing, forum intelligence, and cross-border collaboration, you will learn the key steps that turned a shadowy handle into a concrete suspect. Whether you are a cybersecurity professional, a policy maker, or an enthusiast, this tutorial provides actionable insights into the real‑world pursuit of ransomware kingpins.</p>
<figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2021/03/kos-27-03-2021.jpg" alt="The Unmasking of UNKN: A Step-by-Step Guide to How German Authorities Identified the Head of REvil and GandCrab Ransomware Gangs" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure>
<h2 id="prerequisites">Prerequisites</h2>
<p>Before diving into the step‑by‑step process, ensure you have a foundational understanding of the following concepts:</p>
<ul>
<li><strong>Ransomware as a Service (RaaS):</strong> Affiliate programs where developers license malware to hackers, splitting ransom payments.</li>
<li><strong>Double extortion:</strong> A tactic where attackers encrypt files and threaten to leak stolen data unless a second ransom is paid.</li>
<li><strong>Cryptocurrency blockchain analysis:</strong> The ability to trace transactions on public ledgers (e.g., Bitcoin) to identify wallet owners.</li>
<li><strong>Dark web forums and escrow services:</strong> Platforms where cybercriminals advertise, vet affiliates, and prove credibility.</li>
<li><strong>Legal instruments:</strong> How seizure warrants and mutual legal assistance treaties (MLATs) enable cross‑border evidence gathering.</li>
</ul>
<p>No advanced programming or hacking skills are required, but a curious mind and willingness to explore investigative logic will help.</p>
<h2 id="step-by-step">Step‑by‑Step Instructions</h2>
<h3 id="step1">Step 1: Identify the Key Handles and Forum Activity</h3>
<p>The investigation began by tracking the alias <strong>UNKN</strong> (often written as UNKNOWN) across Russian cybercrime forums. When GandCrab shut down in May 2019, the group posted a farewell message claiming they had extorted over $2 billion and vanished “scot‑free.” Shortly after, a user named UNKNOWN deposited $1 million into a forum’s escrow to launch REvil. Security researchers already suspected REvil was a rebranding of GandCrab. The BKA focused on linking UNKNOWN’s forum posts to the original GandCrab leadership. <strong>Key action:</strong> Collect all public statements from UNKNOWN and cross‑reference timestamps and writing style with known GandCrab communications.</p>
<h3 id="step2">Step 2: Correlate Cryptocurrency Transactions</h3>
<p>The U.S. Department of Justice filed a seizure request in February 2023 that revealed a cryptocurrency wallet containing over $317,000 tied to Shchukin. German authorities traced ransoms paid during 130+ attacks between 2019 and 2021, totaling nearly €2 million in direct extortion and causing €35 million in economic damage. Using blockchain analytic tools, they mapped payments from victims to wallet addresses controlled by UNKN. <strong>Key action:</strong> Overlay transaction flows with forum registration IPs or other identifying metadata to link wallet ownership to the UNKN alias.</p>
<h3 id="step3">Step 3: Leverage the BKA Advisory and Public Data</h3>
<p>The BKA’s formal advisory named not only Shchukin but also his alleged accomplice, <strong>Anatoly Sergeevitsch Kravchuk</strong> (43 years old). The advisory detailed that the duo operated from Russia and targeted German companies exclusively (130+ cases). German investigators likely used local victim reports, ransom notes, and technical malware samples to attribute attacks to the same gang. <strong>Key action:</strong> Combine victim timelines with cryptocurrency traces to build a pattern of behavior that consistently points to UNKN.</p>
<h3 id="step4">Step 4: Analyze the GandCrab Farewell Message</h3>
<p>GandCrab’s farewell note boasted, “We are a living proof that you can do evil and get off scot‑free… We have proved that one can make a lifetime of money in one year.” Such hubris often leaves ego‑driven clues — for example, the author’s phrasing or specific references may match later REvil announcements. The BKA could have performed linguistic analysis to attribute the note to Shchukin. <strong>Key action:</strong> Compare the farewell message’s tone, grammar, and claims with UNKNOWN’s forum statements to confirm authorship.</p>
<figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2026/04/shchukin-kravchuk.png" alt="The Unmasking of UNKN: A Step-by-Step Guide to How German Authorities Identified the Head of REvil and GandCrab Ransomware Gangs" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure>
<h3 id="step5">Step 5: Coordinate International Legal Pressure</h3>
<p>Because Shchukin is Russian, German authorities worked with U.S. prosecutors (who had already seized cryptocurrency accounts) to build a case. The BKA’s advisory served as a de facto “wanted” notice, though Shchukin remains unarrested (as of the advisory). This step illustrates how public naming itself is a tactic — it disrupts the criminal’s ability to operate under anonymity. <strong>Key action:</strong> Use MLATs to request transaction details from exchanges and shared threat intelligence from private sector partners like cybersecurity firms.</p>
<h3 id="step6">Step 6: Publish the Findings to Deter Future Operations</h3>
<p>Finally, the BKA publicly released Shchukin’s full name, photo (presumably from passport or social media), and known aliases. The move serves two purposes: alerting potential victims and accomplices that the leader’s identity is compromised, and demonstrating that law enforcement can pierce the veil of anonymity even for sophisticated ransomware gangs. <strong>Key action:</strong> Disseminate the advisory through official channels and encourage organizations to cross‑reference the name with their own threat logs.</p>
<h2 id="common-mistakes">Common Mistakes</h2>
<ul>
<li><strong>Assuming all ransomware actors are untraceable:</strong> Many rely on the false premise that cryptocurrencies and VPNs offer complete anonymity. In reality, blockchain transparency and metadata leaks (e.g., forum registration times, language quirks) can unravel identities.</li>
<li><strong>Overlooking the value of public statements:</strong> Farewell messages or interviews (like UNKNOWN’s chat with Dmitry Smilyanets) often contain unique phrasing that can be matched to a suspect’s known writing samples.</li>
<li><strong>Ignoring low‑level accomplices:</strong> Shchukin’s partner Kravchuk was named alongside him. Even secondary operators can provide a secure link to the primary suspect through shared infrastructure or joint wallet addresses.</li>
<li><strong>Believing that naming alone equals capture:</strong> While doxing is a powerful tool, Shchukin remains at large. Effective takedowns require coordinated extradition requests and physical apprehension, which are often hindered by geopolitical barriers.</li>
</ul>
<h2 id="summary">Summary</h2>
<p>The unmasking of UNKN as Daniil Maksimovich Shchukin demonstrates that determined law enforcement agencies can systematically de‑anonymize ransomware leaders through a combination of forum surveillance, cryptocurrency tracing, and international legal collaboration. The BKA’s advisory not only revealed a face behind the handle but also underscored the importance of persistence — even after groups like GandCrab claimed to have retired. This guide walked through the investigative steps: identifying online aliases, tracing illicit funds, leveraging victim reports, analyzing public taunts, cooperating across borders, and finally publicizing the identity. For cybersecurity professionals, the takeaway is clear: no cybercriminal is truly anonymous if investigators follow the money and the communication trails. The fight against ransomware continues, but each unmasking closes the gap between digital impunity and real‑world accountability.</p>
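The tracing described in Step 2 (following ransom payments to addresses controlled by one entity), as an added example that is not from the article or the BKA's own tooling: it runs on a constructed ledger with placeholder addresses, clusters addresses with the common-input-ownership heuristic, and walks forward from each victim's payment to see whether the funds reach the cluster containing a wallet already attributed to the suspect.

```python
"""Added example (not from the article): trace constructed ransom payments to
a wallet cluster already attributed to a suspect, using the common-input
ownership heuristic plus forward fund tracing. All addresses are placeholders."""

# Constructed ledger: tx id -> (input addresses, output addresses).
LEDGER = {
    "tx1": (["victimA_wallet"], ["ransom_addr_1"]),        # victim A pays
    "tx2": (["victimB_wallet"], ["ransom_addr_2"]),        # victim B pays
    "tx3": (["ransom_addr_1"], ["hop_1"]),                 # laundering hops
    "tx4": (["ransom_addr_2"], ["hop_2"]),
    "tx5": (["hop_1", "hop_2"], ["consolidation_1"]),      # co-spent inputs
    "tx6": (["consolidation_1", "seized_wallet"], ["cashout_1"]),
    "tx7": (["victimC_wallet"], ["unrelated_merchant"]),   # ordinary payment
}

def cluster_by_common_input(ledger):
    """find(addr) -> cluster root. Caveat: CoinJoin txs break this heuristic."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for inputs, _ in ledger.values():
        for addr in inputs[1:]:              # all inputs of one tx -> one cluster
            parent[find(addr)] = find(inputs[0])
    return find

def trace_forward(ledger, start):
    """Walk every tx that spends an address; return {address: hops} reached."""
    spends = {}
    for inputs, outputs in ledger.values():
        for addr in inputs:
            spends.setdefault(addr, []).extend(outputs)
    reached, queue = {}, [(start, 0)]
    for addr, hops in queue:                 # queue grows while iterating
        for nxt in spends.get(addr, []):
            if nxt not in reached:           # also stops cycles
                reached[nxt] = hops + 1
                queue.append((nxt, hops + 1))
    return reached

def attribute_payments(ledger, known_wallet, payers):
    """For each payer, list reached addresses in the known wallet's cluster."""
    find = cluster_by_common_input(ledger)
    target = find(known_wallet)
    return {p: sorted(a for a in trace_forward(ledger, p) if find(a) == target)
            for p in payers}
```

On a real chain the same walk is done over an indexed UTXO set and the clustering is filtered for CoinJoin and exchange-hot-wallet transactions, which otherwise merge unrelated users into one cluster.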
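The linguistic comparison suggested in Step 4, as an added example that is not from the article: character n-gram profiles of constructed writing samples (not the real GandCrab note or any real forum post) are compared by cosine similarity to rank which known handle most resembles an unattributed note.

```python
"""Added example (not from the article): authorship comparison with character
n-gram profiles, the kind of linguistic check Step 4 describes. All texts
are constructed; they are not the real GandCrab note or real forum posts."""
from collections import Counter
from math import sqrt

# Constructed writing samples: two candidate handles and one unattributed note.
KNOWN_SAMPLES = {
    "handle_A": ["we are a living proof that the model works... nobody can stop us",
                 "partners earn well. we proved it, and we will prove it again..."],
    "handle_B": ["Service is down for maintenance. Please contact support via PM.",
                 "Payment confirmed. Decryptor will be delivered within 24 hours."],
}
UNATTRIBUTED_NOTE = "we are a living proof... we proved that one can earn in a year"

def ngram_profile(text, n=3):
    """Collapse whitespace and count overlapping character n-grams. Casing
    and punctuation are kept on purpose: quirks like '...' are part of the signal."""
    text = " ".join(text.split())
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))

def cosine(p, q):
    """Cosine similarity between two n-gram count vectors (0.0 if either is empty)."""
    dot = sum(p[g] * q[g] for g in p.keys() & q.keys())
    norm = sqrt(sum(v * v for v in p.values())) * sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0

def rank_authors(note, samples, n=3):
    """Score the note against each handle's merged profile; best match first."""
    note_profile = ngram_profile(note, n)
    scores = {}
    for author, texts in samples.items():
        profile = Counter()
        for t in texts:
            profile.update(ngram_profile(t, n))
        scores[author] = round(cosine(note_profile, profile), 3)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

A ranking on samples this short is a lead, not an attribution; a usable authorship analysis needs far larger corpora per candidate and control authors to estimate how often an unrelated writer scores just as high.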