
Germany Names Russian National as REvil Ransomware Leader in Rare Attribution Breakthrough

Daniil Shchukin identified as operational chief behind 130+ attacks, but faces no extradition prospect from Russia.

German federal authorities have publicly identified Daniil Maksimovich Shchukin, 31, as the operational leader of the GandCrab and REvil ransomware syndicates responsible for 130 confirmed attacks on German targets and estimated global ransom demands exceeding $200 million. The 30 March 2026 announcement by Germany’s Generalstaatsanwaltschaft Karlsruhe and Baden-Württemberg LKA represents a landmark moment in Western efforts to attribute Russian-based cybercriminal infrastructure, though Shchukin remains beyond reach, believed to be operating from Russia.

REvil/GandCrab Impact: Germany
- Confirmed attacks: 130
- Ransoms paid (25 cases): €1.8M
- Total damages (Germany): €35M

The public identification breaks years of operational secrecy surrounding the syndicates that terrorised healthcare, finance, and critical infrastructure across NATO allies between 2018 and 2021. German law enforcement alleges Shchukin orchestrated operations, recruited partners, and coordinated ransom payments while co-suspect Anatoly Sergeevich Kravchuk handled technical infrastructure, per Tarnkappe.info citing German prosecutors. Both men now face international arrest warrants and listing on Europol’s Most Wanted, though neither prosecution nor extradition appears imminent.

The GandCrab-REvil Pipeline

GandCrab operated from January 2018 through May 2019 before its operators announced retirement. REvil—also known as Sodinokibi—emerged in April 2019 with striking code similarities, leading threat researchers at Secureworks to establish developer continuity between the two operations. The syndicates pioneered the ransomware-as-a-service model, licensing malware to affiliates who executed attacks in exchange for revenue shares.

Timeline
- Jan 2018: GandCrab Launch. Initial ransomware-as-a-service operation begins targeting enterprise victims.
- May 2019: GandCrab Shutdown. Operators announce retirement after claiming $2 billion in ransom payments.
- Apr 2019: REvil Emerges. Sodinokibi ransomware appears with GandCrab code signatures and operational similarities.
- Jul 2021: Law Enforcement Disruption. Coordinated takedown dismantles REvil infrastructure; Russian FSB later claims arrests.
- 30 Mar 2026: Shchukin Identified. German authorities publicly name operational leader behind 130+ attacks.

REvil’s most damaging operation came in July 2021 with the Kaseya VSA attack, which exploited a software vendor to deploy ransomware across approximately 1,500 downstream businesses globally. The syndicate demanded $70 million in Bitcoin. That incident, combined with mounting US pressure following multiple high-profile attacks, contributed to a coordinated law enforcement operation that dismantled REvil’s infrastructure later that month, according to Palo Alto Networks Unit 42.

Attribution Precision and Policy Implications

The German announcement arrives amid persistent confusion in ransomware attribution. While the original story brief suggested REvil orchestrated the May 2021 Colonial Pipeline attack that triggered President Biden’s ultimatum to Russia on cybercrime, that attack was definitively executed by DarkSide—a separate ransomware-as-a-service group. The misattribution matters: policy discourse around Russian cybercrime infrastructure depends on accurate threat actor mapping, particularly when assessing Moscow’s tolerance for criminal operations within its borders.

Context

The Colonial Pipeline attack on 7 May 2021 was carried out by DarkSide, not REvil. DarkSide demanded $4.4 million and received payment before US authorities recovered approximately $2.3 million. The incident prompted Biden to warn Putin directly about cybercriminal safe havens. DarkSide subsequently ceased operations, though analysts debate whether pressure from Russian intelligence services contributed to the shutdown.

In 25 documented German cases where victims paid ransoms, total payments reached €1.8–1.9 million, per Bundeskriminalamt. German authorities estimate total damages from the GandCrab/REvil campaign at approximately €35 million when factoring in recovery costs, business interruption, and security remediation. Globally, REvil generated ransom demands estimated at several hundred million euros, with BlackFog research citing total demands exceeding $200 million across the syndicate’s operational lifespan.

The Extradition Impasse

Shchukin’s public identification carries symbolic weight but limited practical enforcement value. Russia maintains no extradition treaty with Germany or other Western nations, and Moscow has historically declined to surrender Russian nationals accused of cybercrime—particularly when those operations target adversary states. The pattern held even after the July 2021 REvil disruption: the Russian Federal Security Service claimed arrests of REvil members in January 2022 but released no verified details on prosecutions.

“The two suspects acted as the group’s leader and as a programmer.”

— German law enforcement statement

German prosecutors’ decision to name Shchukin publicly suggests either intelligence-sharing breakthroughs with allies or acceptance that traditional prosecution pathways remain blocked. Inkorr reports Shchukin is believed to be hiding in Russia, with international travel now severely constrained by the warrant and Europol listing. The exposure may function as reputational deterrence—complicating Shchukin’s ability to operate internationally or recruit affiliates—even without arrest.

The identification also signals Western law enforcement’s improving capability to penetrate Russian cybercriminal networks despite operational security measures. Whether that translates to actionable intelligence on current ransomware operations or upcoming threats remains uncertain. REvil’s infrastructure saw brief reemergence in late 2021 before disappearing again, and the broader ransomware ecosystem has fragmented into smaller, more cautious groups following the 2021 crackdown.

What to Watch

Track whether Germany or Europol partners release additional operational details on how Shchukin was identified—particularly any signals of penetration into Russian cybercriminal forums or affiliate networks. Monitor for signs that public attribution becomes a standard tool in Western deterrence strategies, even absent extradition prospects. Watch for Russian government response: silence may indicate tolerance; performative arrests could signal shifting calculations around cybercrime safe harbor as geopolitical tensions with the West persist. Finally, observe whether the Shchukin identification disrupts active ransomware operations or merely memorialises a defunct threat from 2019–2021.