Germany’s Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identity of the main threat actors associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation.

The threat actor, who went by the alias UNKN, functioned as a representative of the group, advertising the ransomware in June 2019 on the XSS cybercrime forum. He has now been identified as Daniil Maksimovich Shchukin, a 31-year-old Russian national. He also went by the online monikers Oneiilk2, Oneillk2, Oneillk22, and GandCrab.

The development was reported by independent security journalist Brian Krebs.

“From early 2019 at the latest until at least July 2021, the wanted person, in cooperation with other individuals, acted as the leader of one of the largest global ransomware groups, known as GandCrab/REvil,” BKA said. “The perpetrators demanded large ransom payments in exchange for decrypting and not leaking data.”

Also added to the wanted list is Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian born in the Ukrainian city of Makiivka. He is alleged to have acted as the developer of REvil during the same time period.

Shchukin and Kravchuk are suspected of having carried out 130 ransomware attacks across Germany. Out of these, 25 cases led to the payment of €1.9 million ($2.19 million). The incidents collectively incurred financial damages exceeding €35.4 million ($40.8 million).

REvil (aka Water Mare and Gold Southfield) was one of the prolific ransomware groups that counted companies like JBS and Kaseya among its victims. An evolution of the GandCrab ransomware, the e-crime crew mysteriously went offline in mid-July 2021, only to resurface in two months later.

By October 2021, the group ceased operations, and its data leak site became inaccessible as part of a law enforcement operation. Weeks later, Romanian law enforcement authorities announced the arrest of two individuals for their roles as affiliates of the REvil ransomware family.

In a rare move, Russia’s Federal Security Service (FSB) disclosed in January 2022 that it had arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations. Four of those members were sent to several years in prison in October 2024, Russian news publication Kommersant reported.

UNKN also disappeared from the cybercrime forums coinciding with the operation, prompting another user, REvil (later renamed to 0_neday), to become the public face of the gang’s operations.

In an interview with Recorded Future’s Dmitry Smilyanets in March 2021, UNKN said he had been in the ransomware business since 2007 and that they had as many as 60 affiliates working for the group at one point.

“As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school,” he was quoted as saying. “I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”