The US Department of Justice (DOJ) has indicted Russian national Rustam Rafailevich Gallyamov, the alleged leader of the Qakbot botnet malware operation, which compromised over 700,000 computers and enabled ransomware attacks.

The DOJ has also initiated a civil forfeiture complaint to recover more than $24m in cryptocurrency seized from Gallyamov during the investigation. This development is part of a broader international effort involving the US, France, Germany, the Netherlands, Denmark, the UK, and Canada to tackle cybercrime.

“Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said the US Department of Justice Criminal Division head Matthew Galeotti. “We are determined to hold cybercriminals accountable and will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”

According to court documents, Gallyamov has been involved with Qakbot since 2008, using it since 2019 to create a botnet by infecting thousands of computers worldwide. Once access was gained, he allegedly allowed co-conspirators to deploy ransomware such as Prolock, DoppelPaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus on these systems. In return, Gallyamov reportedly received a share of the ransoms paid by victims.

Multinational operation disrupts Qakbot botnet, seizes illicit proceeds

The charges follow a multinational operation led by the US in August 2023 that disrupted the Qakbot botnet and malware. At that time, the Justice Department seized illicit proceeds from Gallyamov, including over 170 bitcoin and more than $4m in USDT and USDC tokens. Despite the disruption, Gallyamov and his associates allegedly continued their criminal activities, employing tactics like “spam bomb” attacks to deceive employees into granting system access. The indictment claims these attacks targeted US companies as recently as January 2025, with Black Basta and Cactus ransomware being deployed.

Last month, the FBI seized additional illicit proceeds from Gallyamov, including over 30 bitcoins and more than $700,000 in USDT tokens. The Department of Justice has now filed a civil forfeiture complaint in the Central District of California to confiscate these assets, valued at over $24m, in order to return them to the victims.

“The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals,” said the US Attorney for the Central District of California Bill Essayli. “The forfeiture action against more than $24m in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
