How Law Enforcement Identifies and Apprehends Ransomware Kingpins: The Case of UNKN


Introduction

In the shadowy world of cybercrime, anonymous handles often conceal the identities of those orchestrating devastating ransomware attacks. But as the case of the Russian hacker known as "UNKN" demonstrates, law enforcement agencies are increasingly adept at peeling back layers of digital anonymity. This guide walks you through the systematic approach authorities used to unmask Daniil Maksimovich Shchukin, the alleged mastermind behind the GandCrab and REvil ransomware groups, leading to his identification and pursuit by German authorities. By following these steps, you’ll understand how cyber investigators connect online personas to real-world individuals, even across international borders.

How Law Enforcement Identifies and Apprehends Ransomware Kingpins: The Case of UNKN
Source: krebsonsecurity.com


Step 1: Identify the Threat Actor’s Alias and Initial Traces

Start by collecting all available intelligence on the ransomware group. In this case, German authorities focused on the handle “UNKN” (also “UNKNOWN”) that surfaced on Russian cybercrime forums. This alias was associated with the GandCrab affiliate program launched in January 2018. Document every post, communication, or transaction linked to this alias. Look for patterns — the same writing style, specific terminology, or time zones. For example, researchers noted that UNKN’s forum escrow deposit of $1 million to back the REvil program signaled serious intent. Collect screenshots, timestamps, and metadata.
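
The time-zone pattern mentioned above can be estimated from nothing more than the UTC timestamps of an alias's posts: slide a candidate UTC offset across the hour histogram and see which offset puts the most activity into plausible waking hours. The following is an added example, not code from the article or from any investigation it describes; the timestamps are constructed, and the "waking hours" window (09:00 to 22:59 local) is an assumption.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: UTC timestamps of forum posts attributed to one alias.
# Not real data from the investigation described in the article.
SAMPLE_POSTS_UTC = [
    "2018-01-28T06:12:00", "2018-01-28T07:45:00", "2018-01-29T08:03:00",
    "2018-01-29T11:30:00", "2018-01-30T05:58:00", "2018-01-30T14:20:00",
    "2018-01-31T09:10:00", "2018-01-31T17:44:00", "2018-02-01T06:30:00",
    "2018-02-01T12:15:00", "2018-02-02T19:05:00", "2018-02-03T19:30:00",
]

# Assumed activity window in local time: 09:00 through 22:59.
ACTIVE_LOCAL_HOURS = set(range(9, 23))


def hour_histogram(timestamps):
    """Count posts per UTC hour (0..23)."""
    counts = Counter()
    for ts in timestamps:
        dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        counts[dt.hour] += 1
    return counts


def score_offset(counts, offset_hours, active=ACTIVE_LOCAL_HOURS):
    """How many posts land inside the active window if the poster's clock
    is UTC+offset_hours."""
    return sum(n for h, n in counts.items() if (h + offset_hours) % 24 in active)


def likely_utc_offsets(timestamps, offsets=range(-12, 15)):
    """Rank candidate UTC offsets best-first as (offset, score) pairs.
    Adjacent offsets usually score nearly as well, so treat the top of the
    list as a band of plausible time zones, not a single answer."""
    counts = hour_histogram(timestamps)
    scored = [(o, score_offset(counts, o)) for o in offsets]
    return sorted(scored, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for offset, score in likely_utc_offsets(SAMPLE_POSTS_UTC)[:5]:
        print(f"UTC{offset:+d}: {score}/{len(SAMPLE_POSTS_UTC)} posts in waking hours")
```

On the constructed sample UTC+3 scores best, with UTC+4 and UTC+5 one post behind, which is the typical shape of this signal: it narrows the region but cannot distinguish neighbouring zones, and it is only as good as the forum's clock and the poster's habits. Use it to corroborate other evidence, never on its own.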

Step 2: Analyze Ransomware Code for Unique Signatures

Examine the malware binaries and command-and-control infrastructure. GandCrab underwent five major revisions, each with unique features that may contain developer fingerprints — such as compiler settings, leftover debug symbols, or specific encryption algorithms. Compare samples across GandCrab and REvil; cybersecurity experts concluded REvil was essentially a rebranded version of GandCrab. This linkage narrows the circle of possible suspects. Look for code comments or strings in Russian that might reveal the author’s native language or regional dialect.
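
One cheap way to start the sample comparison described above is to extract the printable strings from each binary (both single-byte ASCII and UTF-16LE, which is how Windows programs usually store Cyrillic text), then measure the overlap and pull out the strings that carry language or build information. The code below is an added example written for this page, not GandCrab or REvil code and not tooling from the investigation; the two byte blobs are constructed stand-ins with invented PDB paths, mutex names and an invented Russian error string.

```python
import re

# Constructed stand-ins for two binaries. Invented strings, not real samples.
RU = "Ошибка шифрования".encode("utf-16-le")   # "encryption error"
SAMPLE_A = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"C:\\work\\crab\\Release\\crab.pdb\x00",      # build path leaked by the linker
    b"Global\\pc_group=WORKGROUP\x00",
    b"\x00" + RU + b"\x00\x00",
    b"salsa20_expand\x00",
    b"RtlGenRandom\x00",                           # ordinary Windows API name
    b"GandCrab-DECRYPT.txt\x00",
])
SAMPLE_B = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"C:\\work\\crab\\Release\\crab.pdb\x00",      # same build path reused
    b"Global\\pc_group=WORKGROUP\x00",
    b"\x00" + RU + b"\x00\x00",
    b"salsa20_expand\x00",
    b"RtlGenRandom\x00",
    b"readme.txt\x00",
    b"sub_cid=0x1f\x00",
])

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_ascii_strings(data, min_len=6):
    """Runs of printable single-byte ASCII, like the classic `strings` tool."""
    return {m.group().decode("ascii") for m in ASCII_RE.finditer(data)
            if len(m.group()) >= min_len}


def extract_utf16le_strings(data, min_len=6):
    """Runs of UTF-16LE code units that are printable ASCII or in the
    Cyrillic block (U+0400..U+04FF). Both byte alignments are scanned."""
    found = set()
    for start in (0, 1):
        cur = []
        for i in range(start, len(data) - 1, 2):
            cp = data[i] | (data[i + 1] << 8)
            if 0x20 <= cp <= 0x7E or 0x0400 <= cp <= 0x04FF:
                cur.append(chr(cp))
            else:
                if len(cur) >= min_len:
                    found.add("".join(cur))
                cur = []
        if len(cur) >= min_len:
            found.add("".join(cur))
    return found


def has_cyrillic(s):
    return any(0x0400 <= ord(c) <= 0x04FF for c in s)


def compare_samples(a, b):
    """Jaccard similarity of the two string sets plus the shared strings,
    with Cyrillic ones called out separately."""
    sa = extract_ascii_strings(a) | extract_utf16le_strings(a)
    sb = extract_ascii_strings(b) | extract_utf16le_strings(b)
    shared = sa & sb
    return {
        "jaccard": len(shared) / len(sa | sb),
        "shared": sorted(shared),
        "cyrillic": sorted(s for s in shared if has_cyrillic(s)),
    }


if __name__ == "__main__":
    result = compare_samples(SAMPLE_A, SAMPLE_B)
    print(f"similarity: {result['jaccard']:.3f}")
    for s in result["shared"]:
        print("  shared:", s)
```

String overlap is a coarse signal. A Windows API name such as RtlGenRandom appears in unrelated binaries and should carry little weight; a reused PDB build path, a distinctive mutex naming scheme or a typo in a native-language message is what actually narrows the circle, so weight rare strings above library imports and confirm any link with code-level comparison of the encryption routines.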

Step 3: Trace Cryptocurrency Transactions

Ransomware groups rely on cryptocurrency for payments. Obtain wallet addresses from ransom notes or blockchain analysis. In the UNKN case, a U.S. Justice Department filing in February 2023 linked a digital wallet containing over $317,000 in illicit funds to Shchukin. Follow the money flow — identify exchanges, mixing services, and fiat off-ramps. Use Chainalysis or similar tools to cluster addresses. Look for patterns: payouts to the same account, timing of transactions coinciding with attacks, and transfers that bypass typical anonymity measures.
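
The address clustering and money-flow tracing mentioned above rest on a small number of heuristics that can be shown in a few dozen lines. The example below is added for this page and is not code from the article, from Chainalysis or from the investigation: it applies the common-input-ownership heuristic (addresses spent together as inputs of one transaction are assumed to share an owner) with union-find, sums the inflow into a cluster, and follows outputs forward until a labelled address is reached. The ledger and the exchange label are constructed; the change-address heuristic is deliberately left out, so clusters stay conservative.

```python
from collections import defaultdict

# Constructed ledger, not real chain data. Each tx lists input addresses and
# (address, amount) outputs. Three ransom payments, two sweeps, one cash-out.
LEDGER = [
    {"txid": "tx-ransom-1", "inputs": ["victimA"], "outputs": [("ransom1", 1.0)]},
    {"txid": "tx-ransom-2", "inputs": ["victimB"], "outputs": [("ransom2", 0.8)]},
    {"txid": "tx-ransom-3", "inputs": ["victimC"], "outputs": [("ransom3", 0.5)]},
    # Co-spend: two ransom addresses swept in one transaction.
    {"txid": "tx-sweep", "inputs": ["ransom1", "ransom2"],
     "outputs": [("hop1", 1.75), ("change1", 0.05)]},
    {"txid": "tx-sweep-2", "inputs": ["ransom3", "change1"], "outputs": [("hop2", 0.55)]},
    {"txid": "tx-cashout", "inputs": ["hop1", "hop2"], "outputs": [("exchangeX-deposit", 2.3)]},
]
# Constructed attribution label for a deposit address (assumption).
LABELS = {"exchangeX-deposit": "Exchange X deposit (constructed label)"}


def cluster_by_coinspend(ledger):
    """Common-input-ownership heuristic via union-find.
    Returns a mapping address -> frozenset of its cluster members."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]      # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in ledger:
        for addr in tx["inputs"]:
            find(addr)
        for addr in tx["inputs"][1:]:
            union(tx["inputs"][0], addr)
        for addr, _amt in tx["outputs"]:
            find(addr)                          # register singletons too
    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return {a: frozenset(m) for m in groups.values() for a in m}


def cluster_inflow(ledger, members):
    """Total value received by the cluster from outside it; transactions the
    cluster itself spends are internal moves and are skipped."""
    total = 0.0
    for tx in ledger:
        if any(a in members for a in tx["inputs"]):
            continue
        total += sum(amt for a, amt in tx["outputs"] if a in members)
    return total


def trace_forward(ledger, start, labels, max_hops=6):
    """Breadth-first walk from `start` through each spending transaction's
    outputs. Returns (address, label, path) for every labelled address hit."""
    spends = defaultdict(list)
    for tx in ledger:
        for a in tx["inputs"]:
            spends[a].append(tx)
    hits, seen = [], set()
    frontier = [(a, [a]) for a in start]
    for _ in range(max_hops):
        nxt = []
        for addr, path in frontier:
            for tx in spends.get(addr, []):
                for out_addr, _amt in tx["outputs"]:
                    if out_addr in seen:
                        continue
                    seen.add(out_addr)
                    p = path + [out_addr]
                    if out_addr in labels:
                        hits.append((out_addr, labels[out_addr], p))
                    else:
                        nxt.append((out_addr, p))
        frontier = nxt
        if not frontier:
            break
    return hits


if __name__ == "__main__":
    clusters = cluster_by_coinspend(LEDGER)
    ransom_cluster = clusters["ransom1"]
    print("cluster:", sorted(ransom_cluster), "inflow:", cluster_inflow(LEDGER, ransom_cluster))
    for addr, label, path in trace_forward(LEDGER, ["ransom1"], LABELS):
        print("reached", label, "via", " -> ".join(path))
```

The conservative clustering shows its limits immediately: change1 stays outside the ransom1/ransom2 cluster until a change-address heuristic or a later co-spend joins it, so inflow totals are a floor rather than the full picture. Mixing services and coinjoin transactions break the co-spend assumption outright, which is why tooling treats cluster membership as probabilistic and why the path to an exchange deposit matters more than the cluster size: that is the address where a legal request can turn a pseudonym into a name.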

Step 4: Correlate with Real-World Identities via Open Source Intelligence (OSINT)

Combine the digital evidence with publicly available information. Search for personal data associated with the wallet or the alias — social media profiles, leaked databases, forum registrations. In this instance, the BKA matched Shchukin’s name and age (31) to the wallet and to the timeline of attacks (2019-2021). Check for travel records, passport numbers, or utility bills. Also look for co-conspirators; here, 43-year-old Anatoly Sergeevitsch Kravchuk was identified as a partner. Use search engines, social media, and data broker sites to build a profile.

Step 5: Verify through Interrogation or Parallel Construction

Once you have a suspect, verify the identification through official processes. This may involve questioning the individual if arrested, or using court orders to obtain additional evidence from ISPs or financial institutions. The BKA likely relied on mutual legal assistance with Russia or other countries, though international cooperation can be challenging. In some cases, informants or undercover agents help confirm identities. Ensure all evidence is legally obtained and admissible in court. The advisory published by BKA named Shchukin as the head of both GandCrab and REvil, based on at least 130 acts of computer sabotage across Germany.

Step 6: Quantify the Damage and Build a Case

Document the extent of the crimes. The BKA stated that Shchukin and Kravchuk extorted nearly €2 million from two dozen cyberattacks, causing total economic damage exceeding €35 million. This requires victim statements, forensic reports, and financial analyses. The double extortion model — charging both a decryption key fee and a data leak ransom — must be clearly explained in charging documents. Include the timeline: GandCrab operated from early 2018 until its supposed shutdown in May 2019 (claiming over $2 billion in extortion), then REvil emerged shortly after. Present the continuity of operations to prove the same individuals were involved.


Step 7: Coordinate International Arrests and Seizures

With a solid case, work with international partners to apprehend the suspects and seize assets. In the UNKN situation, German authorities issued the advisory, but actual arrest may depend on Russian cooperation — which is often limited. However, seizure of cryptocurrency wallets (like the one with $317,000) can proceed through legal channels. Freeze accounts, issue Interpol Red Notices, and pressure other jurisdictions. The goal is to disrupt the criminal enterprise even if extradition is not immediate. Public naming also serves as a deterrent and helps victims.

Step 8: Release Findings to the Public and Cybersecurity Community

Once identities are confirmed and legal actions underway, publish an advisory like the BKA did. This alerts potential victims, encourages further reporting, and allows security firms to update indicators of compromise. Include aliases, techniques, and any de-anonymization methods that don’t jeopardize ongoing investigations. The public naming of Shchukin as UNKN helps the community attribute future attacks and builds trust in law enforcement. It also showcases the success of international collaboration.

Tips

By systematically following these steps, law enforcement agencies can successfully unmask even the most elusive cybercriminals. The case of UNKN is a testament to the power of persistent investigation and international cooperation in the fight against ransomware.
