Germany Doxes "UNKN," Head of RU Ransomware Gangs REvil, GandCrab
krebsonsecurity.com206 points by Bender 6 hours ago
206 points by Bender 6 hours ago
Putting someone on a (most) wanted list is "doxing"?
[Edit] "An international search is underway for Daniil Maksimovich SHCHUKIN on suspicion of numerous counts of gang-related and commercial extortion using ransomware to the detriment of commercial enterprises, public facilities, and institutions."
Yeah, I’m not okay with this. Doxxing is a term with an extremely negative connotation and is often done to people who, bluntly, weren’t hiding or doing anything wrong. The correct term for the same act here is either “accuse” or “unmask”.
So it is doxxing if the doxxed committed wrongdoings from the perspective of... the doxxer? Ideals, morality, alignment, goals and purpose are and have always been a static constant for all humankind. There is no pineapple pizza, it is a lie, for I don't like it, and therefore nobody else ever did either.
doxxing is a term that is commonly reserved for private information that the doxxed individual has an expectation to be treated as such, that is to say, it's not in the public interest.
Someone who breaks the law and is actively searched for obviously has no expectation of privacy, or do you think the people visiting Epstein's island were doxxed?
You have understand that we're dealing with Morals™, if you're an enemy of the States, anything is on the table. Even some of the things the States is actively calling other countries out for, see Iran for example and how silent the EU, ICC, and NATO is when its "Daddy", as Rutte put it, commits atrocities.
So basically it's like Terrorism or Genociding, where if it's against the team you are rooting for, it is that, and if it's not against your in-group it's just War?
I'd rather "doxxing" just mean "de-anonymizing" because that's 1) how I already read it, 2) removes the whole "who is the more moral side in this dispute therefore has the right to make the accusation" problem
If someone wasn't previously known, only an alias or alter-ego, but you then link those together with a real-life identity, that's very much the definition of "doxxing", at least the original definition, maybe it's different today? Positive or negative doesn't really matter, just like "shooting" or "jumping" in itself isn't positive or negative, it's just a verb.
No, if I kidnap someone it's kidnapping. If the police based on probable cause receive and execute a warrant for someone's arrest, it's an arrest. This is how the state monopoly on violence works.
And if the state kills somebody without the cover of a legal pretext, it's called an "extrajudicial killing" rather than a murder.
https://en.wikipedia.org/wiki/Extrajudicial_killing#United_S...
More to the point, if the police or whoever shoot someone in self defence, that someone is "killed". If I, or the police shoot someone for fun, it's "murder". In both cases the victim is "killed"
True, self defense isn't called murder. But if the government drone strikes an American citizen without a trial or anything, that's "extrajudicial killing", not murder.
And if the police actually catches the accused and puts them in jail, is that kidnapping? Most verbs have far more semantics than just the most basic before/after state diff.
Well, no, kidnapping is unlawful abduction. But abduction is always abduction, regardless of who does it, police can abduct people too, but when criminals do so, we call it kidnapping, since it's illegal. Not sure what point you were trying to make, but I think it failed to land properly.
The point is the outcome and magnitude of "kidnapping" and "abduction" are the same, so it's not fair people are treated differently if the terms are virtually synonymous. The impact is the same. If it was a truly just system, the people in power would subscribe to the same rules they codify into law.
"Doxing" has negative connotations.
Its almost always associated with a private person (ie not police or anyone of a judicial system) releasing personal information with malicious intent.
As the person above you said, semantics are important. This is a judicial system specifically searching for a person they believe to have caused severe criminal harm.
While I don’t think this case is accurately described as Doxxing I also reject the definition that the state can’t commit Doxxing. The reason this situation doesn’t count is because of due process, not simply state action. The state is not infallible, regardless of what immunity may try to establish.
I have, admittedly, only been on the Internet for thirty-five years or so, but I seem to recall that a long time ago reading about people "doxxing" guys who posted pictures of them torturing cats and dogs.
"Doxxing" certainly doesn't carry a negative connotation in that usage. Unless you live in a culture where torturing domesticated animals is a good thing.
ANd I recall that, before that, hackers would doxx other hackers in the 90s in order to get them arrested. Again, that seems like the exact same usage as here: tying a pseudonym to an IRL for purposes of law enforcement.
There is still an inherent negative aspect to the "Don't Fuck with Cats" doxxing. Vigilantes publicly revealing the identity of (suspected) perpetrators can enable further vigilante action, and this can cause harm to innocent people if the identification was incorrect, or unwittingly impede law enforcement. And that's before considering whether vigilantism is inherently good or bad.
See the canonical example of this going wrong: the Reddit 'investigation' of the Boston Bomber, where someone was misidentified, doxxed, and their family was harassed.
Of course, law enforcement is capable of making the same mistakes. But ideally they have better safeguards, and victims of their negligence have much better recourse.
> that seems like the exact same usage as here: tying a pseudonym to an IRL for purposes of law enforcement.
I disagree. Tying a pseudonym to an IRL persona for purposes of law enforcement is a part of an official investigation.
Doxxing is specifically non-government unmasking and dissemination of that tie for extrajudicial purposes, almost always for harassment. There is a world of difference between them and we should not fudge them together with terminology. My 2c.
What if the government reveals the name of a victim of sexual assault? Is that doxxing? What about a political rival in connection with a made up crime? What about a true but benign crime such as accessing reproductive healthcare?
Doxxing a hostile act.
If it's negative depends on if you think they deserve the hostility.
Most people who dox for a reason they think is justified will nonetheless reject the label of doxing for what they did. They'll say "I didn't dox him, I just discovered publicly available but obscure information about him and posted it."
Unfortunately language tends to get diluted. Nowadays in pop culture it means publishing anyone's personal information, usually against their wishes.
This does seem close to the original intent of "doxxing", where information ("dox") is publicized that connects a real-world identity to a previously anonymous online persona. These are hackers in the classic sense who were going out of their way to stay anonymous.
The dilution of the word doxxing has been interesting, though. Some of the recent "doxxing" controversies have been about figures who weren't all that anonymous to begin with. The pop culture meaning has been extended to cover any mention of someone's real identity at all, even if it wasn't a secret.
Beyond diluting it also seems that people are increasingly under the impression that internet rules are also the same in real life.
I’ve been seeing it come up in discussions about court cases where people are under the belief that requiring online personalities real names in the court documents is somehow illegal because it’s doxxing.
It's just the usual millennials and zoomers finding out that their fantasies aren't actually how the world works
Most of us grew up on the Internet, and consequently our world view is incredibly screwed and not particularly based on facts
“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean — neither more nor less.”
I do not understand this logic either. They take GDPR way too serious haha. JK obv.
> Putting someone on a (most) wanted list is "doxing"?
No, if they just put UNKN on the most wanted list, then it wouldn't be doxing. But then they also tie UNKN together with "Daniil Maksimovich Shchukin", and that's the doxxing, regardless or not if it's on a most wanted list.
I think this is not how wanted lists work, here in Germany at least. Do they work this way where you are living? The goal of wanted lists in Germany is to find the person the police is searching for to put them in front of a court if the prosecution can make a case.
Perhaps this goes back to leftist terrorism in Germany in the 1970s, they would not use the code names of terrorists on the wanted lists but their real names to find them, because this is what they wanted - but I don't know.
What do you mean "this is not how wanted lists work"? The goal everywhere is to find the people on the wanted list, that's why they're called "wanted" in the first place. Is there something in my comment indicating I don't believe wanted lists are for finding people?
"No, if they just put UNKN on the most wanted list, then it wouldn't be doxing."
I misread that as it either would be the thing to do or an alternative option and you were against putting names on a wanted list.
No, I was just trying to clarify that the "doxxing" part is not the "add $name to $list" but "tie $alias to $real-name".
Isn't this just the good old "aka"?
Like in " William H. Bonney aka The Kid"? Doxing in the 19th century by the government it seems.
Back in the day, being doxed meant having your real name, address, phone number, email, etc. posted online for anyone to do what they would.
This seems to be just issuing an arrest warrant.
Uh, you think they should just put "UNKN" on the wanted list instead of the person they believe is UNKN? That's not very helpful...
How is "this is the name of the formerly anonymous extortionist" doxxing?
Unless there's something not covered in the article, his current address, family members, phone, etc were not listed. That's not doxxing; that's "here's a guy were want to arrest."
That wouldn't sound cool. Especially as noone actually gives a fuck about what germany wants.
I feel accepted spelling of the word is 'doxxes'; doxes in my head reads as 'dokeses'.
Also talk about a headline that would mean absolute gibberish just a couple decades ago.
So apparently some CCC-connected hackers already unmasked one of them years ago (as reported in the update, which could have also just linked to the talk here: https://media.ccc.de/v/37c3-12134-hirne_hacken_hackback_edit... )
Makes you wonder if the investigators discovered this independently, or decided to maybe ask the hackers already involved in defending against them for help...
I'm not deep into the topic, but AFAIK there generally isn't a warm connection between the CCC and the BND in Germany (in the recent years mostly due to the BNDs involvement ins spying on German citizens, but I think there is also deeper history there). If a hacker collaborates with the BND they do run a risk of many of their peers not wanting to collaborate with them anymore.
It also has something to do with the so called "Hackerparagraph" [1] under which whitehat hacking is basically impossible in Germany. Even writing a program that could potentially be used for hacking is a crime. If you followed the law word for word the authors of e.g. curl could be charged under this law.
1: https://de.wikipedia.org/wiki/Vorbereiten_des_Aussp%C3%A4hen... [de]
I think people are getting stuck on the concept of the word doxing here. In anonymous online hacking circles, the idea that you're exposing anyone's OPSEC at all is considered basically doxing. People do it regularly, but it's seen as a clear indication of being an enemy.
Some take a "full disclosure" style and expose all OPSEC failures instantly and transparently, because otherwise people seem to collect OPSEC failures and make it seem to be extortion itself, like saying "hey remember that time you signed off with your real name?" or "I know your clearnet address"
Spiegel recently did a video on them: https://www.youtube.com/watch?v=HuwRrqM6H1M
Since when does putting criminals on official wanted lists count as doxxing?!? If they want their information taken down they just have to show up in court.
Some of the comments here (and lately on HN in general) are very concerning to me. Are we really going to pretend that people accused of real crimes shouldn’t be arrested, charged and, if found guilty, have an appropriate sentence? It doesn’t take many more than 2 brain cells rubbing together to see that that won’t end well. Whataboutism, political differences, and even real injustices in my opinion to not make this a reasonable position.
It probably depends on what people think about the laws that define what a "real crime" is.
E.g. in germany it was a real crime to grow some weed. Now it's legal, but even before a lot of reasonable people didn't want someone go to jail over weed.
Feels odd for an infosec blog to use 'doxxing' this way. Doxxing is generally considered to be unethical exposure of personal information.
Identifying a criminal is ethical.
"Doxxing" is from the 90s and was used to describe a hacker unmasking another hacker so they could be arrested. That's almost exactly the same usage as here.
Semantic shift happens over time. A 2026 article is supposed to communicate to 2026, not 1996, readers.
I think they obviously just took it as 'exposure of personal information' period.
>Identifying a criminal is ethical.
This outsourcing of one's morals to the state is excessive even by already high western white collar internet standards.
Now, make no mistake, these guys are up to no good and probably should be identified and prosecuted, but to just declare that a bad thing is now good because government is doing it is basically an abdication of one's moral compass. At best this is still a bad thing but a necessary one because all the other options are worse. Like shooting someone in self defense, or putting someone in a cage for doing sufficiently bad things.
Edit: I'll admit I played too loose with ethics vs morality here, but still the point stands.
Certainly, criminals also have a right to privacy. However, the limited publication of personal data of criminals by law enforcement is generally a legally legitimate measure. Doxxing, on the other hand, is generally a process that violates the fundamental right to privacy.
>criminals
>law
>legally
You keep using these words but it causes circular logic as those are all defined by the same entity that is acting unilaterally.
The action the government took was not a "good" action by any moral standard. But it was perhaps the least worse action available all things considered. Can't just whisk people off the street in a foreign country or drone them over such matters, those options would be worse.
> You keep using these words but it causes circular logic as those are all defined by the same entity that is acting unilaterally.
It's not, in Germany we have separation of powers.
> The action the government took was not a "good" action by any moral standard.
Morals aren't binary. Morals have context.
Running a ransomware gang is immoral. Catching someone running a ransomware gang is good. If publishing their name helps catch them, it's also good. Not sure where do you see the gap between legality and morality in this case
People often forget that Threat Actors (TA) are the ones keeping the infosec alive. They are doing a good job of scaring people into implementing actual security protocols and thereby improving everyone's security posture. The whole infosec would collapse without TAs, let's not forget that. They create jobs.
This is the “Broken Window” fallacy[1] which was explained by Bastiat.
[1] https://en.wikipedia.org/wiki/Parable_of_the_broken_window
I don't fucking care about made up terms. If you can't see the actual economic growth (not some vague, theoretical fallacy) they create, you're just another moron in denial.
The wildfire industry brings growth but it would be a whole lot better if we didn't have wildfires.
The same thing is true with computers. Imagine all the nice things we could have if we didn't have to worry about people abusing the systems we build.
If economic growth at all cost is the solution, then you are wasting your time giving your fiction away for free.
That's right. They also create jobs for police though, and now German police is doing theirs
German govt is also one of the most corrupt and vastly incompetent govt. It's run by bunch of boomers. Most of the prolific ransomware gangs have terrible opsec. De-anon'ing them is child's play. Most of the opsec-aware TAs never even get attributed, let alone get caught for any breaches.
> One of the most corrupt
It's on like place 10 out of 180, which makes it one of the least corrupt places.
It also has some surprisingly non-boomer departments, like the Sovereign Tech Fund. Either way you need to celebrate police doing good things and immoral actors being exposed, it can only have good outcomes.
Perhaps it deters them, or deters the next generation of such hackers. Or at least it makes their life less enjoyable, which is fair since they were only able to afford their travels due to their illicitly acquired wealth.
Is it your position that privacy is a right regardless of any action you take? Many rights are dependent on circumstance and in tension with other rights. In this case I think you can make the case that their right to privacy is lost.
> Doxxing, on the other hand, is generally a process that violates the fundamental right to privacy.
It historically was used for this exact case: revealing someone hiding behind a pseudonym for purposes of law enforcement. The term dates back to the 90s, if not earlier.
This isn't something Gen Z made up. It's a Gen X term. "Hack the gibson" era. Wargames era.
Doxxing is basically a DDOS reflection attack but for real violence, or threat thereof, instead of 1s and 0s.
I might want to do violence upon you for some reason. Maybe I hate you. Maybe you're doing something that I don't like. If I'm lucky I can round up half a dozen buddies to help. But I don't have infinite resources and infinite reach, so my capability is rather laughable unless you live next door.
Buuuut, if I craft it just right, I can cause the state with it's practically infinite resources, infinite men with guns who kick in doors, etc, etc to choose to kick in your door and do violence upon you. (And the request usually looks a lot like doing their job for them "hey look over here there's this specific person doing this specific thing that you're supposed to go after", but that's beside the point.)
Same as how if I craft a request to a 3rd party server just right a few Kb of on my end can become dozens of Mb on yours.
The German police can't reach these guys. Hence why they're doxing them. They're hoping to structure things such that those who can reach them respond to the request (i.e. rounding up these guys will be a line item in some larger geopolitical context).
"Identifying a criminal" doesn't imply that it's done by the government, and being done by the government doesn't imply that it's done to a criminal. This comment seems like quite a leap.
It's the government who defines what "criminal" means.
Not necessarily. I'm free to make my own determination on the matter.
You are certainly free to make up your own definitions for words and speak a dialect that is niche but you will not be effectively communicating when you do. By commonly understood definition criminality is a matter of law.
ethics and morality are not interchangeable are they?
anyway individuals willingly give to teh state some autonomy in return for the safety of governance... that's the social contract free people have with government
"doxxing" a Russian ransomware group is the kind thing to do. bombing them out of existence is within the remit of the range of ideas a government could resort to...
Not disagreeing with your preface but I was under the impression that while it took governments some time to figure things out, kinetic bombing in retaliation for cyberwarfare was pretty much ruled out unless the cyberwarfare results in direct mass casualties (for example cyber sabotaging a refinery results in an explosion which results in casualties.). Else we’d have bombed North Korea, China, Ukraine, Russia, Romania, etc.
Yeah bombing as a counter to cyber attacks is a last ditch Pandora’s box thing
> Identifying a criminal is ethical.
I agree that “doxxing” is being misused in TFA, but criminals have privacy rights like anyone else. Violating these rights requires specific justification, it’s not automatically ethical.
I mean doxxing is totally incorrect. Let's say for example there was a person on film near a crime scene, even though the police know they weren't directly involved there is no violation of privacy in the US if the police post their picture and ask for them to come forward. Or even later find out their name and look for them publically.
[dead]
[flagged]
This reads less like “hacking” and more like an optimized business.
Clear specialization, outsourcing, and reinvestment — very similar to how startups scale.
Found his record in Russia's official company registry. This is what he officially does as an entepreneur:
56.10 — Restaurant activities and food delivery services
47.23 — Retail sale of fish, crustaceans, and mollusks in specialized stores
47.25.12 — Retail sale of beer in specialized stores
47.25.2 — Retail sale of soft drinks in specialized stores
47.29.39 — Retail sale of other food products in specialized stores, not included in other groups
68.20 — Lease and management of own or leased real estate
I find it entertaining that even as part of a Russian hacking gang, the real threat is the Russian tax authorities. Regardless of how you got the money, need to pay the taxes.
That's not specific to Russia, almost every country in the world requires you to report illegal income for tax purposes, including the US.
> 56.10 — Restaurant activities and food delivery services
That one is a classic for russian criminals and warlords.
This has nothing to do with russia. All over the world it's an obvious choice to use it for money laundering.
Go look at the al Qaeda emails recovered from the raid that killed bin Laden and you'll find all the same stuff. Turns out that the way businesses operate is just a good way to operate human organizations in general, whether their goal is to sell widgets or blow up infidels.