The Unmasking of UNKN: A Step-by-Step Guide to How German Authorities Identified the Head of REvil and GandCrab Ransomware Gangs

A tutorial explaining how German authorities identified the leader of REvil/GandCrab ransomware via forum intel, crypto tracing, and international cooperation.

Oa5678 Stack · 2026-05-03 20:10:23 · Cybersecurity

Overview

In a landmark development for cybersecurity and international law enforcement, Germany’s Federal Criminal Police (BKA) publicly identified the individual behind the pseudonym UNKN (also known as UNKNOWN) as Daniil Maksimovich Shchukin, a 31-year-old Russian national. Shchukin is alleged to have led two of the most notorious ransomware operations in history: GandCrab and REvil. This guide unpacks the investigative techniques that led to his exposure, offering a practical roadmap for understanding how cybercriminals are unmasked. By examining BKA’s advisory, cryptocurrency tracing, forum intelligence, and cross-border collaboration, you will learn the key steps that turned a shadowy handle into a concrete suspect. Whether you are a cybersecurity professional, a policy maker, or an enthusiast, this tutorial provides actionable insights into the real-world pursuit of ransomware kingpins.

The Unmasking of UNKN: A Step-by-Step Guide to How German Authorities Identified the Head of REvil and GandCrab Ransomware Gangs
Source: krebsonsecurity.com

Prerequisites

Before diving into the step‑by‑step process, ensure you have a foundational understanding of the following concepts:

  • Ransomware as a Service (RaaS): Affiliate programs where developers license malware to hackers, splitting ransom payments.
  • Double extortion: A tactic where attackers encrypt files and threaten to leak stolen data unless a second ransom is paid.
  • Cryptocurrency blockchain analysis: The ability to trace transactions on public ledgers (e.g., Bitcoin) to identify wallet owners.
  • Dark web forums and escrow services: Platforms where cybercriminals advertise, vet affiliates, and prove credibility.
  • Legal instruments: How seizure warrants and mutual legal assistance treaties (MLATs) enable cross‑border evidence gathering.

No advanced programming or hacking skills are required, but a curious mind and willingness to explore investigative logic will help.

Step‑by‑Step Instructions

Step 1: Identify the Key Handles and Forum Activity

The investigation began by tracking the alias UNKN (often written as UNKNOWN) across Russian cybercrime forums. When GandCrab shut down in May 2019, the group posted a farewell message claiming they had extorted over $2 billion and vanished “scot‑free.” Shortly after, a user named UNKNOWN deposited $1 million into a forum’s escrow to launch REvil. Security researchers already suspected REvil was a rebranding of GandCrab. The BKA focused on linking UNKNOWN’s forum posts to the original GandCrab leadership. Key action: Collect all public statements from UNKNOWN and cross‑reference timestamps and writing style with known GandCrab communications.

Step 2: Correlate Cryptocurrency Transactions

The U.S. Department of Justice filed a seizure request in February 2023 that revealed a cryptocurrency wallet containing over $317,000 tied to Shchukin. German authorities traced ransoms paid during 130+ attacks between 2019 and 2021, totaling nearly €2 million in direct extortion and causing €35 million in economic damage. Using blockchain analytics tools, they mapped payments from victims to wallet addresses controlled by UNKN. Key action: Overlay transaction flows with forum registration IPs or other identifying metadata to link wallet ownership to the UNKN alias.
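To make the "map payments to controlled addresses, then overlay metadata" step concrete, here is an added Python example. It is not code from the article, the BKA, or any commercial tracing product; it implements the widely used common-input-ownership heuristic with a union-find structure, sums constructed victim payments into the resulting address cluster, and checks which cluster-spending transactions fall close in time to constructed forum activity. Every address, amount, transaction id and timestamp is made up for the demonstration.

```python
"""Added example (not from the article, the BKA or any vendor tool): address
clustering with the common-input-ownership heuristic, attribution of
constructed victim payments to the cluster, and a timing overlay against a
constructed forum-activity timeline. All data below is made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified transaction records, amounts in satoshis (ints avoid
# float rounding). A real pipeline would pull these from a node or indexer.
TXS = [
    {"id": "tx1", "time": "2020-03-02T09:15", "inputs": ["victimA"], "outputs": {"dep1": 100_000_000}},
    {"id": "tx2", "time": "2020-04-11T17:40", "inputs": ["victimB"], "outputs": {"dep2": 250_000_000}},
    {"id": "tx3", "time": "2020-05-20T11:05", "inputs": ["victimC"], "outputs": {"dep3": 80_000_000}},
    # dep2 is reused for a second victim, which is what later ties it to dep3
    {"id": "tx4", "time": "2020-05-28T08:00", "inputs": ["victimD"], "outputs": {"dep2": 120_000_000}},
    # dep1 and dep2 spent together: assumed to be controlled by the same key holder
    {"id": "tx5", "time": "2020-06-01T03:30", "inputs": ["dep1", "dep2"], "outputs": {"cold1": 340_000_000, "chg1": 10_000_000}},
    # dep2's second coin spent together with dep3: dep3 joins the same cluster
    {"id": "tx6", "time": "2020-07-15T02:10", "inputs": ["dep2", "dep3"], "outputs": {"cold1": 200_000_000}},
    # unrelated traffic that must stay outside the cluster
    {"id": "tx7", "time": "2020-07-16T12:00", "inputs": ["other1"], "outputs": {"other2": 500_000_000}},
]
VICTIM_ADDRESSES = {"victimA", "victimB", "victimC", "victimD"}
# Constructed timeline of posts/logins for the handle under investigation.
FORUM_ACTIVITY = ["2020-06-01T03:05", "2020-07-15T01:50", "2020-09-09T22:00"]


class UnionFind:
    """Disjoint-set forest over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to belong to one entity. Returns {root_address: set(addresses)}.
    Only addresses that have *spent* coins are clustered; change outputs such as
    chg1 join a cluster only once they are spent (or via a separate change
    heuristic, deliberately not implemented here). CoinJoin-style transactions
    violate the assumption and would merge unrelated users, so real tooling
    filters them before clustering."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"]:
            uf.find(addr)  # register every spending address, even singletons
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return dict(clusters)


def cluster_of(clusters, addr):
    """Member set containing `addr`, or an empty set if the address never spent."""
    for members in clusters.values():
        if addr in members:
            return members
    return set()


def ransom_received(txs, members, victims):
    """Sum payments from known victim addresses into addresses of one cluster."""
    total = 0
    for tx in txs:
        if set(tx["inputs"]) <= victims:
            total += sum(v for a, v in tx["outputs"].items() if a in members)
    return total


def consolidations_near_forum_activity(txs, members, forum_times, window_minutes=60):
    """Overlay step: ids of cluster-spending transactions that occur within
    `window_minutes` of a recorded forum event. Timing overlap is corroborating
    metadata, never proof of ownership on its own."""
    events = [datetime.fromisoformat(t) for t in forum_times]
    window = timedelta(minutes=window_minutes)
    hits = []
    for tx in txs:
        if not set(tx["inputs"]) & members:
            continue
        when = datetime.fromisoformat(tx["time"])
        if any(abs(when - e) <= window for e in events):
            hits.append(tx["id"])
    return hits


if __name__ == "__main__":
    clusters = cluster_by_common_input(TXS)
    gang = cluster_of(clusters, "dep1")
    print("cluster:", sorted(gang))
    print("ransom into cluster (sat):", ransom_received(TXS, gang, VICTIM_ADDRESSES))
    print("consolidations near forum activity:",
          consolidations_near_forum_activity(TXS, gang, FORUM_ACTIVITY))
```

The script reports a three-address cluster, 5.5 BTC of constructed ransom flowing into it, and two consolidation transactions within an hour of forum activity. The design point is that each heuristic is weak alone: clustering can be poisoned by CoinJoins, and timing overlap can be coincidence, so an investigator treats the combination as a lead to corroborate with exchange records obtained under legal process, not as attribution by itself.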

Step 3: Leverage the BKA Advisory and Public Data

The BKA’s formal advisory named not only Shchukin but also his alleged accomplice, Anatoly Sergeevitsch Kravchuk (43 years old). The advisory detailed that the duo operated from Russia and targeted German companies exclusively (130+ cases). German investigators likely used local victim reports, ransom notes, and technical malware samples to attribute attacks to the same gang. Key action: Combine victim timelines with cryptocurrency traces to build a pattern of behavior that consistently points to UNKN.

Step 4: Analyze the GandCrab Farewell Message

GandCrab’s farewell note boasted, “We are a living proof that you can do evil and get off scot‑free… We have proved that one can make a lifetime of money in one year.” Such hubris often leaves ego‑driven clues — for example, the author’s phrasing or specific references may match later REvil announcements. The BKA could have performed linguistic analysis to attribute the note to Shchukin. Key action: Compare the farewell message’s tone, grammar, and claims with UNKNOWN’s forum statements to confirm authorship.
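As an added example of the linguistic comparison this step describes (not code from the article or the BKA, whose methods are not published), the following Python script builds character-trigram profiles and ranks candidate posts by cosine similarity to a reference text. The reference is the farewell wording quoted above; the three candidate posts are constructed and are not real forum messages.

```python
"""Added example (not from the article or the BKA): minimal stylometry.
Character trigram profiles are compared by cosine similarity and candidate
forum posts are ranked against a reference text. The reference is the
GandCrab farewell wording quoted in the article; every candidate is made up."""
import math
import re
from collections import Counter

FAREWELL = ("We are a living proof that you can do evil and get off scot-free. "
            "We have proved that one can make a lifetime of money in one year.")

# Constructed candidate posts; none is a real forum message.
CANDIDATES = {
    "unknown_post": ("Living proof once more: one can make a lifetime of money in "
                     "one year and get off scot-free. We have proved it."),
    "translator_ad": ("Looking for a Russian-English translator for a software "
                      "manual, paid per page, escrow available."),
    "bug_report": ("The new build crashes on large files, please check the "
                   "buffer handling before the next release."),
}


def normalize(text):
    """Lowercase, unify dash and quote variants and collapse whitespace so
    that copy-and-paste formatting differences do not dominate the profile."""
    text = (text.lower()
            .replace("\u2011", "-").replace("\u2013", "-").replace("\u2014", "-")
            .replace("\u2019", "'"))
    return re.sub(r"\s+", " ", text).strip()


def char_ngrams(text, n=3):
    """Frequency profile of overlapping character n-grams."""
    t = normalize(text)
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def cosine(a, b):
    """Cosine similarity of two Counter profiles; 0.0 when either is empty."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_candidates(reference, candidates, n=3):
    """Return [(name, score), ...] sorted from most to least similar."""
    ref = char_ngrams(reference, n)
    scored = [(name, cosine(ref, char_ngrams(text, n)))
              for name, text in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_candidates(FAREWELL, CANDIDATES):
        print(f"{name:14s} {score:.3f}")
```

Character n-grams are used rather than whole words because they survive typos, inflection and translation artefacts better, which matters when the reference text is an English rendering of a message originally posted in Russian. Short texts produce noisy scores, so a ranking like this is a pointer toward which accounts deserve closer examination, not an authorship verdict.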

Step 5: Coordinate International Legal Pressure

Because Shchukin is Russian, German authorities worked with U.S. prosecutors (who had already seized cryptocurrency accounts) to build a case. The BKA’s advisory served as a de facto “wanted” notice, though Shchukin remains unarrested (as of the advisory). This step illustrates how public naming itself is a tactic — it disrupts the criminal’s ability to operate under anonymity. Key action: Use MLATs to request transaction details from exchanges and shared threat intelligence from private sector partners like cybersecurity firms.

Step 6: Publish the Findings to Deter Future Operations

Finally, the BKA publicly released Shchukin’s full name, photo (presumably from passport or social media), and known aliases. The move serves two purposes: alerting potential victims and accomplices that the leader’s identity is compromised, and demonstrating that law enforcement can pierce the veil of anonymity even for sophisticated ransomware gangs. Key action: Disseminate the advisory through official channels and encourage organizations to cross‑reference the name with their own threat logs.

Common Mistakes

  • Assuming all ransomware actors are untraceable: Many rely on the false premise that cryptocurrencies and VPNs offer complete anonymity. In reality, blockchain transparency and metadata leaks (e.g., forum registration times, language quirks) can unravel identities.
  • Overlooking the value of public statements: Farewell messages or interviews (like UNKNOWN’s chat with Dmitry Smilyanets) often contain unique phrasing that can be matched to a suspect’s known writing samples.
  • Ignoring low‑level accomplices: Shchukin’s partner Kravchuk was named alongside him. Even secondary operators can provide a reliable link to the primary suspect through shared infrastructure or joint wallet addresses.
  • Believing that naming alone equals capture: While doxing is a powerful tool, Shchukin remains at large. Effective takedowns require coordinated extradition requests and physical apprehension, which is often hindered by geopolitical barriers.

Summary

The unmasking of UNKN as Daniil Maksimovich Shchukin demonstrates that determined law enforcement agencies can systematically de‑anonymize ransomware leaders through a combination of forum surveillance, cryptocurrency tracing, and international legal collaboration. The BKA’s advisory not only revealed a face behind the handle but also underscored the importance of persistence — even after groups like GandCrab claimed to have retired. This guide walked through the investigative steps: identifying online aliases, tracing illicit funds, leveraging victim reports, analyzing public taunts, cooperating across borders, and finally publicizing the identity. For cybersecurity professionals, the takeaway is clear: no cybercriminal is truly anonymous if investigators follow the money and the communication trails. The fight against ransomware continues, but each unmasking closes the gap between digital impunity and real‑world accountability.
