{"id":501,"date":"2026-04-06T07:42:08","date_gmt":"2026-04-06T07:42:08","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=501"},"modified":"2026-04-06T07:42:08","modified_gmt":"2026-04-06T07:42:08","slug":"bka-identifies-revil-leaders-behind-130-german-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=501","title":{"rendered":"BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 06, 2026<\/span><\/span><span class=\"p-tags\">Cybercrime \/ Financial Crime<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgsBHK8DX9E30isZVcn1e-a6p8bmNUAki0SmUh1Tkt9dP8L3D4_WcwT64CI5OVuh1brb1Z4pff7onp90K76ktHbs6-H6Kr0rq9Q2f03oW91e3mA5dN5XdLDyWNns5NcfXw7BKFzH28SbpaFo9l8TmMeZ7Mt6o1ePanKeFYGa8V1S9Rez_E30SIAx2yvfuNl\/s1700-e365\/revil-ransomware.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Germany&#8217;s Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identity of the main threat actors associated with the now-defunct REvil (aka <b>Sodinokibi<\/b>) ransomware-as-a-service (RaaS) operation.<\/p>\n<p>The threat actor, who went by the alias <b>UNKN<\/b>, functioned as a representative of the group, advertising the ransomware in June 2019 on the XSS cybercrime forum. He\u00a0has now been identified\u00a0as <a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/CC_BW\/DMS\/Sachverhalt.html\">Daniil Maksimovich\u00a0Shchukin<\/a>, a 31-year-old Russian national. 
He\u00a0also went by the online monikers Oneiilk2, Oneillk2, Oneillk22, and\u00a0GandCrab.<\/p>\n<p>The development\u00a0was <a href=\"https:\/\/krebsonsecurity.com\/2026\/04\/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab\/\">reported<\/a> by independent security journalist Brian\u00a0Krebs.<\/p>\n<p>\u00abFrom early 2019 at the latest until at least July 2021, the wanted person, in cooperation with other individuals, acted as the leader of one of the largest global ransomware groups, known as GandCrab\/REvil,\u00bb BKA said. \u00abThe perpetrators demanded large ransom payments in exchange for decrypting and not leaking\u00a0data.\u00bb<\/p>\n<p>Also added to the wanted list\u00a0is <a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/CC_BW\/ASK\/Sachverhalt.html\">Anatoly Sergeevitsch\u00a0Kravchuk<\/a>, a 43-year-old Russian born in the Ukrainian city of Makiivka. He\u00a0is alleged to have acted as the developer of REvil during the same time\u00a0period.<\/p>\n<p>Shchukin and Kravchuk are suspected of having carried out 130 ransomware attacks across Germany. Out\u00a0of these, 25 cases led to the payment of \u20ac1.9\u00a0million ($2.19\u00a0million). 
The\u00a0incidents collectively incurred financial damages exceeding \u20ac35.4\u00a0million ($40.8\u00a0million).<\/p>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/revil-threat-actors\/\">REvil<\/a> (aka Water Mare and Gold Southfield) was one of\u00a0the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-revil\">prolific ransomware\u00a0groups<\/a> that counted companies like JBS and Kaseya among its victims. An\u00a0evolution of\u00a0the <a href=\"https:\/\/www.trellix.com\/blogs\/research\/dismantling-a-prolific-cybercriminal-empire\/\">GandCrab<\/a> ransomware, the e-crime\u00a0crew mysteriously went\u00a0offline in mid-July 2021, only to resurface two months\u00a0later.<\/p>\n<p>By October 2021, the\u00a0group ceased operations, and its data leak site became inaccessible as part of\u00a0a law enforcement\u00a0operation. Weeks\u00a0later, Romanian law enforcement authorities announced the arrest of two individuals for their roles as affiliates of the REvil ransomware\u00a0family.<\/p>\n<p>In a rare move, Russia&#8217;s Federal Security Service\u00a0(FSB) disclosed in January 2022 that it had arrested several members belonging to the notorious REvil ransomware gang and neutralized its operations. 
Four\u00a0of those members\u00a0were sentenced to several years in\u00a0prison in October 2024, Russian news publication Kommersant\u00a0reported.<\/p>\n<p>UNKN\u00a0also <a href=\"https:\/\/www.kelacyber.com\/blog\/will-the-revil-story-finally-be-over\/\">disappeared<\/a> from the cybercrime forums coinciding with the operation, prompting another user, REvil (later renamed to 0_neday), to become the public face of the gang&#8217;s operations.<\/p>\n<p>In\u00a0an <a href=\"https:\/\/therecord.media\/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown\">interview<\/a> with Recorded Future&#8217;s Dmitry Smilyanets in March 2021, UNKN said he had been in the ransomware business since 2007 and that they had as many as 60 affiliates working for the group at one\u00a0point.<\/p>\n<p>\u00abAs a child, I scrounged through the trash heaps and smoked cigarette butts. I\u00a0walked 10 km one way to the school,\u00bb he was quoted as saying. \u00abI wore the same clothes for six months. In\u00a0my youth, in a communal apartment, I didn\u2019t eat for two or even three days. 
Now\u00a0I am a millionaire.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 06, 2026. Cybercrime \/ Financial Crime. Germany&#8217;s Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identity of the main threat actors associated with the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":502,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[24,1081,1084,1082,471,93,1083],"class_list":["post-501","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attacks","tag-bka","tag-german","tag-identifies","tag-leaders","tag-ransomware","tag-revil"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=501"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/501\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/502"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fta
gs&post=501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}