Russian Hacker Indicted Over $24 Million Qakbot Ransomware Operation


The U.S. Department of Justice has unsealed a federal indictment against Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, alleging he led the development and deployment of the notorious Qakbot malware.

This action, announced on May 22, 2025, marks a significant milestone in a years-long multinational effort to disrupt cybercriminal networks that have inflicted hundreds of millions of dollars in damages worldwide.

The indictment accuses Gallyamov of conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud.


Prosecutors allege that Gallyamov and his group infected over 700,000 computers globally—including more than 200,000 in the U.S.—using Qakbot, also known as Qbot or Pinkslipbot.

The malware enabled a vast array of cybercrimes, including ransomware attacks, credential theft, and the creation of a botnet—a network of compromised computers used for further malicious activity.

How Qakbot Operated: Technical Insights and Attack Vectors

Qakbot is a sophisticated, modular malware platform that evolved from a banking trojan into a multi-purpose cybercrime tool.

Its core capabilities included:

  • Credential Harvesting: Qakbot could steal login credentials, banking details, and personal data by keylogging and browser session hijacking.
  • Lateral Movement: Once inside a network, the malware spread to other systems using stolen credentials or exploiting network shares.
  • Payload Delivery: Qakbot served as a loader, delivering additional malware to the machines it had already compromised, most notably ransomware strains such as ProLock, DoppelPaymer, Egregor, REvil, Conti, Black Basta, and Cactus.
  • Persistence and Evasion: To survive reboots and stay out of sight, the malware wrote autostart entries to the registry (for example under the Run keys) and created scheduled tasks that relaunched it.
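The two persistence behaviours named in the list above, writes to autostart registry keys and creation of scheduled tasks, are exactly what endpoint telemetry can catch. The Python script below is an added example, not code from the article or from any analysis of the case: it runs two small detectors over constructed, Sysmon-style events (Event ID 13 for a registry value being set, Event ID 1 for process creation). The field names, the list of suspicious parent processes, the directory patterns and the sample events are all assumptions made for the example, not indicators taken from the Qakbot investigation.

```python
"""Flag Qakbot-style persistence in endpoint telemetry (added example).

Looks for two behaviours in Sysmon-style events: an autostart registry value
being planted (Event ID 13) and a scheduled task being created (Event ID 1).
Field names, the suspicious-actor list and the sample events are assumptions
constructed for this example, not indicators from the case.
"""
import re

# Autostart registry locations: HKLM\SOFTWARE\...\Run, HKU\<SID>\Software\...\RunOnce, etc.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Directories a normal user can write to; legitimate autoruns rarely live here.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)

# Processes that should rarely be creating persistence: Office apps and the
# script/LOLBin hosts a phishing attachment typically runs under (assumed list).
SUSPICIOUS_ACTORS = {
    "winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe",
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_registry_event(ev: dict):
    """Return a reason if a value-set event plants an autorun entry, else None."""
    if not AUTORUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None  # not an autostart key at all
    reasons = []
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        reasons.append("autorun value points into a user-writable directory")
    writer = _basename(ev.get("Image", ""))
    if writer in SUSPICIOUS_ACTORS:
        reasons.append(f"written by {writer}")
    return "; ".join(reasons) or None


def flag_task_event(ev: dict):
    """Return a reason if a process-creation event creates a suspicious task, else None."""
    if _basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not re.search(r"\s/create\b", cmd, re.IGNORECASE):
        return None  # /Query, /Delete, /Run are not persistence
    reasons = []
    parent = _basename(ev.get("ParentImage", ""))
    if parent in SUSPICIOUS_ACTORS:
        reasons.append(f"schtasks launched from {parent}")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("task action runs from a user-writable directory")
    return "; ".join(reasons) or None


def scan(events):
    """Run both detectors; return (event index, rule name, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 13:
            rule, reason = "autorun-registry", flag_registry_event(ev)
        elif ev.get("EventID") == 1:
            rule, reason = "scheduled-task", flag_task_event(ev)
        else:
            continue
        if reason:
            hits.append((i, rule, reason))
    return hits


# Constructed sample telemetry (not real logs). Indexes 1 and 2 are the malicious ones.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {   # benign: a vendor installer registers its updater under Program Files
        "EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
        "Details": "\"C:\\Program Files\\Vendor\\updater.exe\"",
    },
    {   # suspicious: regsvr32 writes a Run key that reloads a DLL from AppData
        "EventID": 13, "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wxyz",
        "Details": "regsvr32.exe -s \"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Abcd\\abcd.dll\"",
    },
    {   # suspicious: Excel (a phishing attachment) spawns schtasks to schedule the same DLL
        "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
        "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "CommandLine": "schtasks.exe /Create /tn wxyz /tr \"regsvr32.exe -s C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Abcd\\abcd.dll\" /SC ONCE /ST 12:00",
    },
    {   # benign: an admin schedules a backup job from cmd.exe
        "EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "schtasks.exe /Create /tn Backup /tr \"C:\\Program Files\\Backup\\run.exe\" /SC DAILY /ST 02:00",
    },
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",  # unrelated
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, rule, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {why}")
```

The point of scoring on the writer process and the target path, rather than on the Run key alone, is that installers and administrators touch these locations every day; an autorun or task that is planted by an Office application or a script host and points into a user-writable directory is the combination worth paging someone for. In a real pipeline the same two functions would be fed from your Sysmon or EDR export instead of the constructed list.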

Qakbot typically reached systems through phishing emails carrying malicious attachments or links.

Once executed, it established command-and-control (C2) communication with remote servers, which let the operators manage infected devices, exfiltrate data, and deploy further payloads.

Because the binary was repacked frequently (it was polymorphic), signature-based security tools struggled to detect and remove it; watching for its behaviour on the host, such as the persistence mechanisms above and its C2 traffic, was the more reliable way to find it.

From Botnet Takedown to Spam Bombing: Evolving Tactics and International Response

In August 2023, a U.S.-led multinational operation—codenamed Operation Duck Hunt—dismantled the Qakbot botnet infrastructure, seizing 52 servers and more than $8.6 million in illicit cryptocurrency.

At the time, authorities believed the takedown would cripple Qakbot’s operations.

However, Gallyamov and his associates rapidly adapted, shifting to new tactics such as “spam bomb” attacks.

In these attacks, victims’ inboxes were flooded with unwanted emails, after which attackers posed as IT support to trick employees into running malicious code, regaining access to corporate networks.

Despite the disruption, Gallyamov allegedly continued orchestrating ransomware attacks as recently as January 2025, deploying strains like Black Basta and Cactus.

The Justice Department has now filed a civil forfeiture complaint seeking to return over $24 million in seized cryptocurrency to victims, including more than 200 bitcoin and over $4 million in USDT and USDC tokens.

This case is part of a broader international campaign, Operation Endgame, targeting malware “droppers” and “loaders” used by cybercriminals worldwide.

The investigation involved law enforcement agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada, coordinated through Europol.

Global Impact and Ongoing Efforts

The Qakbot malware operation is linked to hundreds of ransomware attacks on private companies, healthcare providers, and government agencies, resulting in financial losses exceeding $58 million in just 18 months.

The charges against Gallyamov highlight the persistent threat posed by sophisticated cybercriminal networks and the necessity of international cooperation to combat them.

As the Justice Department pursues forfeiture of illicit assets and seeks to compensate victims, the case underscores the evolving nature of cybercrime and the critical role of law enforcement collaboration in bringing perpetrators to justice.


National Cyber Security
