So here’s the thing about ransomware gangs – they usually operate with impunity, right? You hear about these massive attacks, millions in Bitcoin ransoms, and nobody ever gets caught. Well, buckle up, because Germany’s Federal Criminal Police Office just dropped a bombshell. They identified two of REvil’s key figures, and honestly? It’s the kind of news that makes me think maybe law enforcement is finally catching up.

What Actually Went Down
Germany’s BKA (Bundeskriminalamt) announced they’ve unmasked the real identities of two major players in the REvil ransomware operation. REvil, also known as Sodinokibi, was one of the biggest ransomware-as-a-service operations before it went dark in 2021. They were behind some seriously high-profile attacks.
Here’s the kicker – one of them operated under the alias “UNKN” and functioned as a representative for the group. They identified him as Daniil Maksimovich Shchukin, a 31-year-old Russian national. This guy wasn’t just some foot soldier either. He was advertising the ransomware on cybercrime forums back in June 2019.
The BKA statement was brutal: “From early 2019 at the latest until at least July 2021, the wanted person, in cooperation with other individuals, acted as the leader of one of the largest global ransomware groups.”
The lesson? Even pseudonymous cybercriminals leave trails eventually.

Why Should You Care?
Ever wondered if these ransomware gangs actually face consequences? Most of the time, no. They live in jurisdictions that don’t extradite to the West, they launder crypto through mixers, and they operate with near-total impunity. But this case is different.
The BKA identified this guy through what they describe as extensive investigation. And here’s what gets me – REvil was involved in over 130 ransomware attacks in Germany alone. That’s not counting the thousands worldwide.
Some of their greatest hits:
- JBS Foods – $11 million ransom, disrupted meat supply chains
- Kaseya – MSP supply chain attack, thousands of downstream victims
- Travelex – $2.3 million, took the currency exchange offline
IMO, this is part of a bigger trend. Law enforcement is getting better at attributing cybercrime to real people. It’s slow, it’s painstaking, but it’s happening.

What the BKA Found
The investigation revealed some interesting details about how REvil operated:
- Hierarchical structure – This wasn’t a loose collective. It had leadership.
- Ransomware-as-a-Service model – They sold access to affiliates who carried out the actual attacks
- Sophisticated infrastructure – The group demanded large ransom payments in exchange for decrypting and not leaking stolen data
The aliases tracked:
- UNKN (primary)
- Oneillk2, Oneillk22
- GandCrab (their earlier operation)
The real question now is what happens next. Russia doesn’t typically extradite cybercriminals to Western countries. But unmasking them? That limits their travel, their freedom, their ability to spend those Bitcoin fortunes.

The REvil Story
REvil emerged in 2019 after the GandCrab operation shut down. They quickly became one of the most prolific ransomware groups in history.
Timeline of chaos:
- 2019 – REvil launches, starts recruiting affiliates
- 2020 – Major attacks ramp up
- 2021 – JBS and Kaseya attacks make global headlines
- July 2021 – REvil mysteriously goes dark
- 2022 – Russia claims to have arrested REvil members (many doubted this)
- 2026 – BKA finally identifies the leaders
Ever noticed how ransomware gangs disappear and reappear? REvil “shut down” multiple times. But now we know who was actually running the show.
What This Means
I know what you’re thinking – “They identified them, so what? They’re probably still in Russia.” Fair point. But here’s what actually matters:
Immediate implications:
- Sanctions and travel bans – These guys can’t leave Russia now
- Financial tracking – Their crypto wallets are flagged
- Associates at risk – If the leaders are identified, affiliates might be next
Bigger picture:
- This sends a message that attribution is possible
- It discourages the “get rich quick” ransomware dream
- It shows international cooperation on cybercrime works (eventually)
The BKA worked with international partners on this. That’s significant. Cybercrime doesn’t respect borders, so neither can law enforcement.

Final Thoughts
Is this the end of REvil? Honestly, REvil already ended in 2021. This is about accountability. It’s about showing that you can’t just wreak havoc on hospitals, businesses, and critical infrastructure and walk away.
The ransomware economy is still massive. Groups like LockBit, BlackCat, and Cl0p are still active. But every time law enforcement unmasks a major player, it adds friction to the system. It makes the risk-reward calculation a bit less favorable for the criminals.
Will Shchukin ever see the inside of a German courtroom? Probably not. Russia’s not handing him over. But he can’t travel freely. He can’t enjoy his ill-gotten gains without looking over his shoulder. And maybe – just maybe – the next “UNKN” thinks twice before launching a ransomware career.
So yeah, that’s the situation. Is it a complete victory? No. Is it progress? Absolutely. I’ll be watching for more developments – and FYI, you probably should too. 🙂
