The Fall of REvil: How One of the World’s Most Notorious Ransomware Empires Was Finally Unmasked


Introduction: A Cybercrime Empire Exposed

For years, the REvil ransomware gang operated in the shadows, extorting millions from corporations across the globe while remaining virtually untouchable. Known for its precision, scale, and ruthlessness, the group became a symbol of how cybercrime had evolved into a structured, profit-driven industry. Now, in a major breakthrough, Germany’s Federal Criminal Police Office (BKA) has revealed the real identities behind key figures of this infamous operation. This development not only exposes the individuals behind the attacks but also offers a rare glimpse into the inner workings of modern ransomware networks.

The Original Report

The German Federal Criminal Police Office (BKA) has successfully identified the individual behind the alias “UNKN,” a central figure in the REvil ransomware operation. The suspect is Daniil Maksimovich Shchukin, a 31-year-old Russian national who played a major role in promoting and managing the ransomware-as-a-service (RaaS) platform. Operating under multiple aliases such as Oneiilk2, Oneillk2, Oneillk22, and GandCrab, Shchukin was instrumental in advertising REvil on underground cybercrime forums as early as June 2019.

According to investigators, Shchukin was not just a promoter but a leader within the group, coordinating activities with other members from early 2019 through mid-2021. During this period, REvil emerged as one of the most dangerous ransomware organizations globally, demanding massive ransom payments in exchange for decrypting compromised systems and preventing sensitive data leaks.

Another key suspect identified is Anatoly Sergeevitsch Kravchuk, a 43-year-old developer believed to have been responsible for building and maintaining the ransomware infrastructure. Together, Shchukin and Kravchuk are suspected of orchestrating at least 130 ransomware attacks in Germany alone. Of these, 25 incidents resulted in ransom payments totaling €1.9 million (approximately $2.19 million), while overall damages from these attacks exceeded €35.4 million (around $40.8 million).

REvil, also known by aliases such as Water Mare and Gold Southfield, gained global notoriety after targeting major corporations, including JBS and Kaseya. The group evolved from the earlier GandCrab ransomware, inheriting its infrastructure and expanding its capabilities.

In mid-July 2021, REvil unexpectedly went offline, sparking speculation about internal conflicts or law enforcement pressure. However, the group briefly resurfaced two months later before disappearing again in October 2021. This final shutdown was linked to coordinated law enforcement efforts that dismantled parts of its infrastructure, including its data leak websites.

Subsequent arrests followed. Romanian authorities detained two individuals connected to REvil affiliates, while Russia’s Federal Security Service (FSB) announced in January 2022 that it had arrested multiple members of the gang. By October 2024, four individuals were sentenced to prison, marking one of the few instances where ransomware actors faced legal consequences in their home country.

Interestingly, Shchukin disappeared from cybercrime forums around the same time as these operations. His absence led to another figure, initially using the REvil name and later adopting the alias 0_neday, becoming the group’s public representative.

In a rare interview conducted in March 2021, Shchukin revealed that he had been involved in ransomware activities since 2007. He described a difficult childhood marked by poverty, claiming that his rise to wealth through cybercrime transformed him into a millionaire. At its peak, REvil reportedly had up to 60 affiliates working under its RaaS model, highlighting the scale and organization of the operation.

What Undercode Says:

The Industrialization of Cybercrime

What stands out most in this case is how REvil operated less like a loose hacker collective and more like a structured corporation. With defined roles—developers, affiliates, marketers—the group mirrored legitimate SaaS businesses. This evolution signals a shift in cybercrime from opportunistic attacks to fully industrialized operations, where efficiency and scalability are prioritized.

Ransomware-as-a-Service: A Dangerous Business Model

The RaaS model used by REvil allowed even low-skilled attackers to launch sophisticated cyberattacks. By lowering the technical barrier to entry, ransomware groups effectively expanded their workforce without direct recruitment. This decentralization made the ecosystem harder to dismantle, as affiliates could operate independently while still contributing to the broader network.

The Role of Underground Forums

Platforms like XSS served as critical hubs for advertising and recruitment. Shchukin’s early promotion of REvil demonstrates how cybercriminal marketplaces function similarly to legitimate digital platforms, complete with branding, reputation systems, and customer engagement strategies.

Law Enforcement’s Gradual Progress

The identification of Shchukin and Kravchuk shows that law enforcement agencies are slowly catching up. However, the timeline—from 2019 activities to public identification years later—reveals a persistent lag. Cybercrime operates at internet speed, while investigations often take years, creating a gap that attackers exploit.

The Geopolitical Challenge

One of the biggest obstacles in combating ransomware groups like REvil is jurisdiction. Many of these actors operate from countries where extradition is unlikely or politically sensitive. Even when arrests occur, as in Russia, they are rare and often influenced by broader geopolitical considerations rather than purely legal ones.

The Psychological Narrative of Cybercriminals

Shchukin’s personal story adds a human dimension to cybercrime. His narrative of rising from poverty to wealth through illegal means reflects a recurring theme among cybercriminals. While it does not justify the crimes, it helps explain the motivations behind them—financial desperation, ambition, and the allure of anonymity.

The Impact on Global Businesses

The attacks on companies like JBS and Kaseya highlight how ransomware is no longer just an IT issue—it is a business continuity crisis. These incidents disrupted supply chains, affected millions of consumers, and forced companies to reconsider their cybersecurity strategies.

The Temporary Nature of “Shutdowns”

REvil’s disappearance and reappearance illustrate a key reality: taking down infrastructure does not necessarily eliminate the threat. Cybercriminal groups can rebuild quickly, often rebranding or merging with other operations.

Affiliate Networks as Force Multipliers

With up to 60 affiliates at its peak, REvil demonstrated how decentralized networks can amplify impact. Each affiliate acts as an independent attacker, multiplying the number of potential targets while reducing risk for the core developers.

Financial Incentives Drive Persistence

Despite arrests and crackdowns, ransomware remains highly profitable. As long as organizations continue to pay ransoms, the business model remains viable. The millions earned by REvil are a testament to the effectiveness of their methods.

The Future of Ransomware

The exposure of REvil’s leaders may disrupt operations temporarily, but it is unlikely to end ransomware as a whole. New groups will emerge, often adopting similar models and learning from the successes and failures of their predecessors.

🔍 Fact Checker Results

Verification of Law Enforcement Claims

✅ German authorities have officially identified key REvil figures, confirming the legitimacy of the investigation and its findings.

Scale of Financial Damage

✅ The reported damages exceeding $40 million align with known ransomware impact trends and documented REvil attacks.

Arrests and Sentencing in Russia

❌ While arrests were reported, full transparency around prosecutions in Russia remains limited, making independent verification difficult.

📊 Prediction

The unmasking of REvil’s leadership marks a symbolic victory, but not a definitive end to ransomware. Similar groups will continue to rise, likely becoming more decentralized and harder to trace. Law enforcement agencies will increasingly rely on international cooperation and intelligence sharing, but geopolitical tensions may limit their effectiveness. Meanwhile, organizations will shift toward proactive cybersecurity measures, investing heavily in detection, response, and resilience strategies to mitigate future attacks.


References:

Reported By: thehackernews.com