
The U.S. Department of Justice (DOJ) has unsealed charges against Russian national Rustam Rafailevich Gallyamov, the alleged architect of the Qakbot malware empire that fueled some of the most damaging ransomware attacks in recent years.
In a sweeping legal move tied to Operation Endgame, the DOJ also announced a civil forfeiture complaint to seize more than $24 million in cryptocurrency from Gallyamov’s illicit proceeds. These enforcement actions underscore the international commitment to dismantling cybercrime syndicates.
“We are determined to hold cybercriminals accountable and will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity,” said Matthew R. Galeotti, Head of the DOJ’s Criminal Division.
According to court documents, Gallyamov, 48, of Moscow, began developing and distributing Qakbot as far back as 2008. Starting in 2019, he allegedly used the malware to create a global botnet of compromised computers, selling access to ransomware groups.
These co-conspirators deployed infamous ransomware strains including:
- Prolock
- Dopplepaymer
- Egregor
- REvil
- Conti
- Name Locker
- Black Basta
- Cactus
“Mr. Gallyamov’s bot network was crippled… but he brazenly continued to deploy alternative methods,” said Assistant Director Akil Davis of the FBI’s Los Angeles Field Office. “The charges announced today exemplify the FBI’s commitment to relentlessly hold accountable individuals who target Americans.”
In tandem with the criminal indictment, the DOJ filed a civil forfeiture complaint to seize over 170 bitcoin and millions in USDT and USDC tokens—the proceeds of Qakbot-linked ransomware attacks.
The cryptocurrency was seized across two major actions:
- August 2023: 170 BTC, $4M in USDT and USDC
- April 25, 2025: 30+ BTC, $700K in USDT
“The forfeiture action… demonstrates the Justice Department’s commitment to seizing ill-gotten assets… to ultimately compensate victims,” said U.S. Attorney Bill Essayli.
Although the FBI and Europol dismantled the Qakbot infrastructure in August 2023, the indictment states that Gallyamov's operations continued after the takedown. He and his team allegedly switched to "spam bomb" tactics, in which employees are tricked into granting access to corporate systems, and deployed Black Basta and Cactus ransomware against U.S. companies as recently as January 2025.
“The indictment alleges that Gallyamov orchestrated spam bomb attacks against victims in the United States,” the DOJ disclosed.
The charges and seizures are part of Operation Endgame, a collaborative effort among agencies from the U.S., France, Germany, the Netherlands, Denmark, the U.K., and Canada to dismantle international cybercriminal infrastructure.
The investigation was led by the FBI’s Los Angeles Field Office, in close cooperation with Europol and cybercrime divisions from Germany (BKA), the Netherlands, and France.
“These law enforcement actions… are part of an ongoing effort… to identify, disrupt, and hold accountable cybercriminals,” said the DOJ.