How Global Law Enforcement Identified and Apprehended the Leader of Major Ransomware Gangs

Published 2026-05-03 07:11:35 · Cybersecurity

Introduction

For years, the hacker known as "UNKN" or "UNKNOWN" operated with near-impunity, leading two of the most infamous ransomware groups: GandCrab and its successor, REvil. These cybercriminal enterprises caused hundreds of millions of dollars in damages worldwide through double-extortion attacks, encrypting victims' data and threatening to leak it unless ransoms were paid. In a breakthrough operation, German authorities finally unmasked UNKN as 31-year-old Russian national Daniil Maksimovich Shchukin. This guide walks you through the step-by-step process that law enforcement agencies used to identify, track, and build a case against Shchukin and his accomplice, Anatoly Sergeevitsch Kravchuk, culminating in their public naming and the ongoing pursuit of justice.

Source: krebsonsecurity.com

What You Need

  • Cryptocurrency forensic tools – Software capable of tracing blockchain transactions (e.g., Chainalysis, CipherTrace) to identify wallet clusters and suspicious flows.
  • International law enforcement cooperation – Agreements and liaison officers with agencies such as the U.S. Justice Department, Europol, and national police forces like Germany's BKA.
  • Cyber threat intelligence reports – Historical data on ransomware variants, affiliate programs, and forum activity (e.g., from Recorded Future, CrowdStrike).
  • Legal instruments for asset seizure – Court orders to freeze cryptocurrency accounts and seize proceeds under relevant asset forfeiture laws.
  • Secure communication channels – Encrypted messaging and data-sharing platforms to coordinate across jurisdictions without tipping off suspects.
  • Expert knowledge of Russian cybercrime forums – Familiarity with platforms like Exploit.in or XSS where UNKN advertised and recruited affiliates.

Step-by-Step Guide

Step 1: Identify the Initial Threat

When GandCrab first appeared in January 2018, security researchers quickly recognized it as a sophisticated ransomware-as-a-service (RaaS) operation. The group used an affiliate model: affiliate hackers who obtained initial access to corporate networks and deployed the malware received a large share of each ransom. German authorities noted the malware's rapid evolution, with five major revisions adding enhanced evasion techniques. This step involved collecting samples, analyzing code similarities, and tracking ransom payment addresses on the blockchain. The pattern of double extortion, demanding payment both for decryption and for data nondisclosure, became a hallmark.

Step 2: Link Successive Ransomware Families

After GandCrab announced its retirement on May 31, 2019, claiming $2 billion in extorted funds, the REvil (Sodinokibi) ransomware appeared almost immediately. Cybersecurity experts observed overlapping infrastructure, code reuse, and the same forum handle—UNKNOWN—introducing the new operation on a Russian cybercrime forum with a $1 million escrow deposit. This step required intelligence analysts to correlate timestamps, IP addresses, and operational tactics. The BKA recognized that REvil was essentially GandCrab rebranded, meaning the leader remained active under a fresh alias.

Step 3: Trace Cryptocurrency Transactions

Using blockchain analysis, investigators followed ransom payments from victims to cryptocurrency wallets controlled by the gang. A key breakthrough came from a February 2023 filing by the U.S. Justice Department, which revealed a digital wallet linked to UNKN (Daniil Shchukin) containing over $317,000 in illicit cryptocurrency. By mapping the flow of funds from REvil attacks, authorities connected specific wallet addresses to Shchukin’s identity. This step involved obtaining transaction records from exchanges, applying for subpoenas, and using heuristic clustering to separate personal wallets from mixing services.

Step 4: Gather Witness and Victim Testimonies

Germany’s BKA documented at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. These victims provided crucial details: ransom notes, negotiation chat logs, and Bitcoin payment receipts. Investigators interviewed company IT staff and executives to build a timeline of each attack. This step required careful preservation of evidence, including encrypted chat transcripts that sometimes contained the perpetrator’s unique phrasing or operational security mistakes.

Step 5: Collaborate with International Partners

The operation relied on close cooperation between the BKA, the U.S. Department of Justice, and other allied cybercrime units. The U.S. DOJ’s February 2023 seizure filing provided a legal basis to freeze accounts tied to Shchukin. Meanwhile, German authorities shared intelligence on Kravchuk’s role as a lieutenant. Regular meetings via secure channels ensured that no single agency duplicated efforts or missed a lead. This step highlights the necessity of mutual legal assistance treaties (MLATs) and real-time intelligence sharing.

Step 6: Correlate Digital Identities with Real Names

Using a combination of blockchain analysis, forum account registration data, and intercepted communications, investigators linked the online handle "UNKN" to the real-world identity of Daniil Maksimovich Shchukin, a 31-year-old Russian. Similarly, Anatoly Sergeevitsch Kravchuk, 43, was identified as a co-conspirator. The BKA’s advisory publicly named them, noting that the duo extorted nearly €2 million directly and caused over €35 million in total economic damage. This step often involves working with Russian authorities (when possible) or using open-source intelligence (OSINT) such as social media profiles, leaked databases, and payment metadata.

Step 7: Build a Legal Case and Issue Advisories

Once the suspects were named, Germany’s BKA published an official advisory detailing the charges and evidence. The legal case included counts of computer sabotage, extortion, and criminal conspiracy. While Shchukin remained at large in Russia at the time of the advisory, the naming served to disrupt the gang’s operations, warn potential affiliates, and encourage further witness cooperation. Law enforcement also worked to freeze additional assets and issue international arrest warrants through Interpol.

Tips for Success

  • Operate with stealth – Avoid tipping off suspects by using covert monitoring of forums and encrypted communication. Even a single public disclosure can destroy a year of undercover work.
  • Leverage public announcements – Publishing names and faces of cybercrime leaders can destabilize their networks. It may also flush out associates who panic and make mistakes.
  • Focus on financial trails – Ransomware gangs are profit-driven. Following the money through cryptocurrency is often the most reliable way to pierce anonymity.
  • Document every step – Every wallet address, forum post, and victim statement should be logged in a tamper-proof chain of custody to survive court scrutiny.
  • Prepare for jurisdictional hurdles – Suspects often reside in countries with limited extradition treaties. Plan alternative legal strategies, such as asset forfeiture or public exposure, to achieve deterrence.
  • Adapt to evolving techniques – Cybercriminals constantly update their tools and opsec. Stay current with ransom note variations, new encryption methods, and privacy coin usage (e.g., Monero).

By following these steps, law enforcement agencies can systematically dismantle even the most elusive ransomware operations. The identification of Daniil Shchukin as UNKN marks a significant victory in the fight against cybercrime, but it also underscores the need for persistent international collaboration and investment in forensic capabilities.