U.S. Indicts Russian Cybercriminal for Qakbot Malware Operation
The U.S. Justice Department has unsealed an indictment against Rustam Rafailevich Gallyamov, a Russian national accused of leading a cybercrime group linked to one of the most notorious malware threats in recent years: Qakbot.
A Decade of Cybercrime
Prosecutors allege that Gallyamov, 48, has been the mastermind behind a prolonged malware operation that has infected thousands of computers globally. This operation has reportedly facilitated a series of ransomware attacks, generating millions in cryptocurrency. The FBI has seized over $24 million attributed to Gallyamov’s alleged activities.
This indictment is part of Operation Endgame, a coordinated international effort to dismantle cybercriminal networks worldwide. Law enforcement agencies from countries including the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada are involved in this ongoing operation.
Matthew R. Galeotti, head of the Justice Department’s Criminal Division, emphasized the significance of this indictment, stating, “This is a clear message to cybercriminals everywhere: we will find you, we will charge you, and we will take back what you stole.”
Evolution of Qakbot Malware
Qakbot, also known as Qbot, initially appeared in 2008 as a banking trojan. Under Gallyamov’s alleged leadership, it transformed into a powerful malware platform used to create a global botnet. This botnet provided hackers with unauthorized access to both personal and corporate systems.
Since 2019, Qakbot has increasingly been used to launch ransomware attacks. Prosecutors claim Gallyamov rented out access to infected machines to various cyber gangs, who subsequently deployed ransomware variants such as REvil, DoppelPaymer, Conti, and Black Basta on victims around the world.
In exchange for this access, Gallyamov reportedly received a share of the ransom payments, often made in cryptocurrency.
A Major Takedown
In August 2023, U.S. authorities and their international partners executed a significant disruption of the Qakbot infrastructure. This coordinated effort resulted in the seizure of 170 bitcoin and over $4 million in stablecoins from Gallyamov’s digital wallets.
Despite this setback, Gallyamov allegedly persisted in his illegal activities and adopted new tactics. Officials claim he turned to “spam bomb” campaigns, inundating employees at targeted companies with malicious emails designed to trigger further infections.
The indictment indicates that Gallyamov and his associates continued deploying ransomware strains, including Black Basta and Cactus, as recently as January 2025.
Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office, remarked, “Even after we took down his botnet, he found other ways to get back into business. This guy was relentless. But so are we.”
Crackdown on Cryptocurrency
In April, FBI agents executed another seizure warrant, resulting in the confiscation of over 30 bitcoin and $700,000 in USDT tokens. Authorities have now secured more than $24 million in alleged illicit cryptocurrency profits linked to Gallyamov’s activities.
A civil forfeiture complaint aimed at permanently confiscating these funds has also been filed, with the intention of returning them to the victims affected by Gallyamov’s operations.
“This case highlights the growing importance of crypto forensics in cybercrime investigations,” noted a DOJ official. “It’s not just about catching hackers anymore—it’s about taking away their profits.”
A Collaborative Global Effort
The case against Gallyamov is the product of an extensive multi-year investigation spearheaded by the FBI’s Los Angeles Field Office, with critical support from international partners in Germany, France, the Netherlands, and Europol. The DOJ’s Office of International Affairs has played an essential role, aiding in the tracking of digital evidence and the execution of seizures.
Prosecutors from the DOJ’s Computer Crime and Intellectual Property Section (CCIPS) and the Central District of California are currently overseeing this case.
What Lies Ahead
Gallyamov is believed to be in Russia, and the prospects for his extradition remain uncertain. However, officials maintain that this case represents more than just a prosecution; it signifies a broader strategy for disruption.
Through seizing funds, neutralizing infrastructure, and publicly identifying key figures, law enforcement aims to increase the risks for cybercriminals who believe they operate without consequence.
An FBI spokesperson noted, “Indictments like this one won’t stop cybercrime overnight, but they make it harder to hide, harder to profit, and harder to sleep at night if you’re in that world.”
As with any legal indictment, Gallyamov is considered innocent until proven guilty in court. However, the DOJ’s message is clear: Cybercrime carries serious repercussions, even when it extends across international borders.