Skip to main content
Emerging ThreatsMalware & Ransomware

BKA Unmasks REvil Ransomware Leaders Behind 130 German Attacks

BKA Unmasks REvil Ransomware Leaders Behind 130 German Attacks

Who exactly runs a ransomware network that can paralyze companies, hospitals or municipalities — and what happens when they are finally exposed? Germany’s Federal Criminal Police Office (the BKA) says it has an answer: it identified the leaders behind a now-defunct ransomware-as-a-service operation, linked to 130 ransomware attacks in Germany.

What the BKA disclosed

The BKA has announced that it unmasked the real identities of the main threat actors associated with the REvil ransomware operation, also known by the name Sodinokibi. According to the agency, those actors were behind 130 ransomware incidents in Germany. The BKA’s finding singles out a person who used the alias UNKN, who served as a representative of the group and advertised the ransomware in June 2019 on the XSS cybercrime forum.

Background on the operation

REvil — Sodinokibi in some reporting — operated as a ransomware-as-a-service (RaaS) model. In that configuration, developers or organizers provide ransomware tools to affiliates in exchange for a share of proceeds, while representatives or spokespeople help recruit or manage activity on cybercrime forums. The BKA’s disclosure underscores that UNKN performed such a public-facing role by promoting the malware on a criminal marketplace in mid‑2019.

Why this matters — perspectives and implications

  • For technologists: identifying operators can yield technical leads. Attribution can enable investigators to trace infrastructure, recover forensic artefacts and harden detection methods for patterns tied to a specific criminal operation.
  • For policymakers and law enforcement: unmasking key operators behind a RaaS network tied to dozens or hundreds of incidents can justify coordinated cross-border responses and inform policy on cybercrime enforcement and public-private information sharing.
  • For users and organizations: the disclosure is a reminder that threat actors who recruit publicly on criminal forums can be investigated and exposed. That may affect how organizations prioritize defensive measures and incident response planning.
  • For adversaries and affiliates: the exposure of a public representative highlights both the benefits and the risks of using forums for recruitment and marketing; public-facing roles can leave traces that law enforcement can follow.

Analysis and the larger question

The BKA’s identification of REvil leaders behind 130 German incidents and its linking of the alias UNKN to promotional activity on XSS show how investigative work can connect online personas to concrete criminal campaigns. Even where a ransomware operation is now “defunct,” as the BKA described REvil, the historical record matters: it can help close cases, deter future operators and inform defensive work.

At the same time, the disclosure raises a deeper question for the digital age: when operators can outsource attacks through service models and recruit on public or semi-public platforms, how will defenders and law enforcement keep pace with the diffusion of capability? The BKA’s finding is a step toward an answer — but is it enough to stop the next evolution of the business model?

https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html