Ransomware
German BKA Police Unmask REvil Ransomware Leader: GandCrab Successor Identified
Incident Details
In April 2026, the German Federal Criminal Police (BKA, Bundeskriminalamt) announced that it had, in conjunction with international law enforcement partners, identified and publicly named a key leader and developer behind the REvil ransomware group and its predecessor GandCrab.

GandCrab operated from January 2018 to May 2019 and was one of the most prolific RaaS operations in history, claiming revenues of over $2 billion from victims worldwide and powering the evolution of modern ransomware-as-a-service business models. GandCrab’s operators announced their retirement in May 2019, claiming that their ransoms had earned them sufficient income. REvil (Sodinokibi), which emerged shortly after GandCrab’s closure and is widely believed to share core developers, went on to conduct some of the most high-profile ransomware attacks ever: the Travelex attack ($6M ransom), the Kaseya VSA attack (1,500+ businesses, $70M demand), the JBS Foods attack ($11M paid), and many others.

Previous law enforcement actions had already apprehended affiliates and some operators: Yaroslav Vasinskyi (Rabotnik) was extradited to the US and convicted in 2023, and Yevgeniy Polyanin was indicted. The April 2026 BKA identification of the core REvil/GandCrab leader and developer represents a significant additional law enforcement achievement in dismantling one of cybercrime’s most historically significant ransomware operations. The identification follows the BKA’s established pattern of unmasking cybercriminals through long-term financial tracking, forum analysis, and intelligence-sharing with US and Eastern European partners.
Technical Details
- Initial Attack Vector: REvil (Sodinokibi) is a ransomware-as-a-service (RaaS) operation that evolved from the GandCrab RaaS (which ran 2018-2019 and claimed revenues of over $2 billion); the REvil core developer and administrator was identified through a multi-year international law enforcement investigation involving German BKA, FBI, Europol, and partner agencies
- Vendor / Product: Multiple global victims of REvil/Sodinokibi and GandCrab ransomware (2018-2021)
- Malware Family: REvil (Sodinokibi), GandCrab
Timeline
- 2018-01-01 Breach occurred
- 2026-04-09 Publicly disclosed