BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

Summary

Germany's Federal Criminal Police Office (BKA) has identified two key figures behind the REvil ransomware-as-a-service operation: Daniil Maksimovich Shchukin (alias UNKN, 31, Russian) and Anatoly Sergeevitsch Kravchuk (alias developer, 43, Russian-born Ukrainian). The pair is suspected of conducting 130 ransomware attacks across Germany, resulting in €35.4 million in damages and €1.9 million in confirmed ransom payments.

Full text

BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks Ravie LakshmananApr 06, 2026Cybercrime / Financial Crime Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identities of two of the key figures associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation. One of the threat actors, who went by the alias UNKN, functioned as a representative of the group, advertising the ransomware in June 2019 on the XSS cybercrime forum. He has now been identified as Daniil Maksimovich Shchukin, a 31-year-old Russian national. He also went by the online monikers Oneiilk2, Oneillk2, Oneillk22, and GandCrab. The development was reported by independent security journalist Brian Krebs. "From early 2019 at the latest until at least July 2021, the wanted person, in cooperation with other individuals, acted as the leader of one of the largest global ransomware groups, known as GandCrab/REvil," BKA said. "The perpetrators demanded large ransom payments in exchange for decrypting and not leaking data." Also added to the wanted list is Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian born in the Ukrainian city of Makiivka. He is alleged to have acted as the developer of REvil during the same time period. Shchukin and Kravchuk are suspected of having carried out 130 ransomware attacks across Germany. Out of these, 25 cases led to the payment of €1.9 million ($2.19 million). The incidents collectively incurred financial damages exceeding €35.4 million ($40.8 million). REvil (aka Water Mare and Gold Southfield) was one of the prolific ransomware groups that counted companies like JBS and Kaseya among its victims. An evolution of the GandCrab ransomware, the e-crime crew mysteriously went offline in mid-July 2021, only to resurface in two months later. By October 2021, the group ceased operations, and its data leak site became inaccessible as part of a law enforcement operation. Weeks later, Romanian law enforcement authorities announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family. In a rare move, Russia's Federal Security Service (FSB) disclosed in January 2022 that it had arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations. Four of those members were sent to several years in prison in October 2024, Russian news publication Kommersant reported. UNKN also disappeared from the cybercrime forums coinciding with the operation, prompting another user, REvil (later renamed to 0_neday), to become the public face of the gang's operations. In an interview with Recorded Future's Dmitry Smilyanets in March 2021, UNKN said he had been in the ransomware business since 2007 and that they had as many as 60 affiliates working for the group at one point. "As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school," he was quoted as saying. "I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cybercrime, cybersecurity, data breach, Financial Crime, law enforcement, Malware, ransomware, REvil Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — REvil
• malware — GandCrab

Entities