“A federal indictment unsealed today charges Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with leading a group of cyber criminals who developed and deployed the Qakbot malware. In connection with the charges, the Justice Department filed today a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov over the course of the investigation. These actions are the latest step in an ongoing multinational effort by the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime.”
“According to court documents, Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008. From 2019 onward, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or ‘botnet,’ of infected computers. As alleged, once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus. In exchange, Gallyamov was allegedly paid a portion of the ransoms received from ransomware victims.”
“The announcement of charges today is the latest step taken by the Justice Department against the Qakbot conspiracy. In August 2023, a U.S.-led multinational operation disrupted the Qakbot botnet and malware. At that time, the Justice Department announced the seizure of illicit proceeds from Gallyamov, including over 170 bitcoin and over $4 million of USDT and USDC tokens.”
“According to the indictment, after the disruption and takedown of the Qakbot botnet, Gallyamov and his co-conspirators continued their criminal activities. Instead of a botnet, they allegedly used different tactics, including ‘spam bomb’ attacks on victim companies, where co-conspirators would trick employees at those victim companies into granting access to computer systems. The indictment alleges that Gallyamov orchestrated spam bomb attacks against victims in the United States as recently as January 2025. It also alleges that Gallyamov and his co-conspirators deployed Black Basta and Cactus ransomware on victim computers.” (Source: US Department of Justice)
