Full Report
The U.S. Justice Department has unsealed an indictment against Rustam Rafailevich Gallyamov, a Russian national accused of running a cybercrime group responsible for one of the most notorious malware threats in recent years: Qakbot. According to prosecutors, Gallyamov, 48, was the architect behind a decade-long malware operation that infected thousands of computers worldwide and helped deploy a batch of ransomware attacks. His alleged actions netted millions in cryptocurrency, over $24 million of which has now been seized by the FBI.

The charges come as part of Operation Endgame, an ongoing international law enforcement effort to take down global cybercrime networks. The operation involves agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada.

“This is a clear message to cybercriminals everywhere: we will find you, we will charge you, and we will take back what you stole,” said Matthew R. Galeotti, head of the Justice Department’s Criminal Division.

## From Qakbot Malware to Millions

Qakbot, also known as Qbot, first surfaced in 2008 as a banking trojan. But under Gallyamov’s alleged leadership, it evolved into a malware platform used to build a global botnet, a network of infected machines that gave hackers a backdoor into private and corporate systems.

Beginning in 2019, the malware was increasingly used as a launchpad for ransomware attacks. Prosecutors say Gallyamov rented out access to infected systems to cyber gangs who then released ransomware strains like REvil, DoppelPaymer, Conti, and Black Basta on victims across the world. In return, Gallyamov reportedly took a cut of the ransom payments, usually paid in cryptocurrency.

“He wasn’t just writing malware—he was monetizing misery on a global scale,” said U.S. Attorney Bill Essayli of the Central District of California. “And now we’re working to return those stolen funds to the victims.”

## Takedown and the Comeback

The U.S. and its partners dealt a major blow to the operation in August 2023, when they disrupted the Qakbot infrastructure in a coordinated takedown. That effort led to the seizure of 170 bitcoin and over $4 million in stablecoins from Gallyamov’s digital wallets.

But Gallyamov didn’t back down, officials say. He allegedly changed tactics and continued launching attacks—this time using “spam bomb” campaigns, flooding employees at target companies with malicious emails to trick them into opening the door to new infections. According to the indictment, as recently as January 2025, Gallyamov and his associates were still deploying ransomware, including Black Basta and Cactus, on newly compromised systems.

“Even after we took down his botnet, he found other ways to get back into business,” said Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office. “This guy was relentless. But so are we.”

## Crypto Crackdown

In April, FBI agents executed another seizure warrant, this time netting over 30 bitcoin and $700,000 in USDT tokens. Combined with earlier seizures, authorities have now locked down more than $24 million in alleged illicit crypto profits linked to Gallyamov. A civil forfeiture complaint filed today aims to permanently confiscate those funds—and eventually return them to the victims.

“This case highlights the growing importance of crypto forensics in cybercrime investigations,” said one DOJ official. “It’s not just about catching hackers anymore—it’s about taking away their profits.”

## Global Effort

The case against Gallyamov is the result of an extensive, multi-year investigation led by the FBI’s Los Angeles Field Office, with crucial support from partners in Germany, France, the Netherlands, and Europol. The DOJ’s Office of International Affairs also played a key role, coordinating across borders to track digital evidence and execute seizures. Prosecutors from the DOJ’s Computer Crime and Intellectual Property Section (CCIPS) and the Central District of California are handling the case.

## What’s Next?

Gallyamov is still believed to be in Russia, and his extradition prospects remain unclear. However, officials say this case isn’t just about prosecution, it’s about disruption. By seizing funds, disabling infrastructure, and publicly unmasking key players, law enforcement hopes to raise the stakes for cybercriminals who think they’re untouchable.

“Indictments like this one won’t stop cybercrime overnight,” said an FBI spokesperson. “But they make it harder to hide, harder to profit, and harder to sleep at night if you’re in that world.”

As always, an indictment is merely an accusation, and Gallyamov is presumed innocent until proven guilty in court. But for now, the DOJ has made its position clear: Cybercrime has real consequences—even when it crosses international lines.
Analysis Summary
# Threat Actor: Rustam Rafailevich Gallyamov, Alleged Architect of the Qakbot Malware
## Attribution & Identity
* **Identification:** Rustam Rafailevich Gallyamov, 48, a Russian national alleged to be the architect behind the Qakbot malware, has been indicted by the U.S. Department of Justice (DOJ).
* **Aliases and Associated Groups:** Explicitly linked to the **Qakbot** (Qbot) malware operation. Gallyamov is believed to still be in Russia, and his extradition prospects are unclear.
## Activity Summary
* The primary activity highlighted is the development and operation of the Qakbot malware over roughly a decade, including renting botnet access to ransomware operators, and a continuation of attacks after the August 2023 infrastructure takedown.
* The U.S. DOJ filed a civil forfeiture complaint aiming to permanently confiscate more than **$24 million in alleged illicit crypto profits** linked to Gallyamov, seized across the August 2023 takedown (170 bitcoin and over $4 million in stablecoins) and an April seizure warrant (over 30 bitcoin and $700,000 in USDT).
* This pursuit of profits is part of broader efforts to disrupt the cybercriminal ecosystem, alongside recent actions like Operation Endgame 2.0, indicating an international law enforcement focus on taking away criminal profits.
## Tactics, Techniques & Procedures
* The actor is associated with developing and deploying **Qakbot malware**, which began as a banking trojan in 2008 and evolved into a botnet platform. Per the report, the operation rented access to infected systems to ransomware gangs (REvil, DoppelPaymer, Conti, Black Basta, and later Cactus) in exchange for a share of ransom payments, and after the 2023 takedown shifted to "spam bomb" email campaigns aimed at employees of target companies. Qakbot's internal functions and technical infection mechanics are not detailed in the report.
## Targeting
* **Sectors:** Not explicitly detailed, but the disruption of Qakbot suggests broad targeting typical of high-volume malware distribution.
* **Geography:** The investigation involved international law enforcement cooperation (Germany, France, the Netherlands, Europol), suggesting the operations had a global scope. The indicted individual is believed to be in **Russia**.
* **Victims:** The seizure of funds is explicitly intended to be **returned to victims**, implying widespread financial harm. Specific victim organizations are not named.
## Tools & Infrastructure
* **Malware Families Used:** **Qakbot** (also known as Qbot).
* **Infrastructure:** The Qakbot botnet infrastructure was disrupted in a coordinated takedown in August 2023. Law enforcement then tracked and seized **cryptocurrency holdings** (bitcoin, stablecoins, and USDT) linked to illicit profits; the legal actions specifically targeted the financial infrastructure used by the malware operator.
## Implications
* The indictment and seizure of $24M in crypto highlight a shift in cybercrime prosecution priorities towards **financial disruption and asset recovery (crypto forensics)**, not just apprehension.
* The multinational investigation (FBI, Germany, France, Netherlands, Europol) demonstrates strong international coordination against major cyber threats like Qakbot.
* The primary architect remains at large (believed to be in Russia), indicating that while significant financial damage was inflicted, the complete dismantling of the command structure may be hindered by geopolitical realities.
## Mitigations
* **Crypto Forensics and Asset Tracking:** Law enforcement and victims should use crypto forensics to trace and seize illicit proceeds, since asset recovery was the main disruptive lever in this case.
* **International Cooperation:** Continued collaboration between international agencies (like Europol and national law enforcement) is crucial for prosecuting and disrupting cross-border cybercrime operations.