HackMyIP
2026-04-06 KrebsOnSecurity

Germany Doxes 'UNKN', Head of REvil & GandCrab Ransomware Gangs

Tags: Ransomware, Threat Intel, Privacy

German authorities have publicly exposed the identity of the notorious hacker known as "UNKN", linking the alias to 31‑year‑old Russian national Daniil Maksimov. Maksimov is alleged to have been the mastermind behind the early ransomware groups GandCrab and REvil, both of which operated on a ransomware‑as‑a‑service (RaaS) model and extorted millions of dollars from businesses worldwide. The release of his personal details, including a photograph and his alleged address, marks a rare case of direct doxing by a law‑enforcement agency and signals a shift toward more aggressive attribution tactics.

The investigation, coordinated with Europol, the FBI and other partners, traced "UNKN" through a combination of blockchain analysis of cryptocurrency transactions, infiltration of closed forums and correlation of leaked forum metadata. German prosecutors say the evidence ties Maksimov to the administration of the malware distribution infrastructure used by GandCrab, which claimed more than 1.5 million victims before its abrupt shutdown in 2019, and to the later incarnation of REvil, which escalated the threat with double‑extortion schemes and high‑profile attacks on critical infrastructure. The authorities have filed charges of computer sabotage, extortion and money laundering, and are seeking his extradition.

The exposure of "UNKN" is expected to have a chilling effect on the ransomware ecosystem, especially among Russian‑speaking operators who have historically acted with relative impunity. Security analysts note that public attribution raises the personal risk for cybercriminals, potentially reducing the willingness of affiliates to join high‑profile RaaS programs. At the same time, the move underscores the growing capacity of international law enforcement to pierce the anonymity of dark‑web actors through a mix of forensic and OSINT techniques.

The case highlights the importance of continuous threat‑intelligence sharing and the need for organizations to maintain robust incident‑response plans, as ransomware groups continue to evolve tactics. While the doxing of "UNKN" does not immediately dismantle the underlying malicious infrastructure, it represents a significant milestone in the fight against ransomware and may encourage further collaborative actions across borders to disrupt the financial pipelines that fuel these attacks.

Source: KrebsOnSecurity
