The U.S. Justice Department has unsealed an indictment against Rustam Rafailevich Gallyamov, a Russian national accused of running a cybercrime group responsible for one of the most notorious malware threats in recent years: Qakbot.
According to prosecutors, Gallyamov, 48, was the architect behind a decade-long malware operation that infected thousands of computers worldwide and helped deploy a batch of ransomware attacks. His alleged actions netted millions in cryptocurrency, over $24 million of which has now been seized by the FBI.
The charges come as part of Operation Endgame, an ongoing international law enforcement effort to take down global cybercrime networks. The operation involves agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada.
“This is a clear message to cybercriminals everywhere: we will find you, we will charge you, and we will take back what you stole,” said Matthew R. Galeotti, head of the Justice Department’s Criminal Division.
From Qakbot Malware to Millions
Qakbot, also known as Qbot, first surfaced in 2008 as a banking trojan. But under Gallyamov’s alleged leadership, it evolved into a malware platform used to build a global botnet, a network of infected machines that gave hackers a backdoor into private and corporate systems.
Beginning in 2019, the malware was increasingly used as a launchpad for ransomware attacks. Prosecutors say Gallyamov rented out access to infected systems to cyber gangs who then released ransomware strains like REvil, Dopplepaymer, Conti, and Black Basta on victims across the world.
In return, Gallyamov reportedly took a cut of the ransom payments, usually paid in cryptocurrency.
“He wasn’t just writing malware—he was monetizing misery on a global scale,” said U.S. Attorney Bill Essayli of the Central District of California. “And now we’re working to return those stolen funds to the victims.”
Takedown and the Comeback
The U.S. and its partners dealt a major blow to the operation in August 2023, when they disrupted the Qakbot infrastructure in a coordinated takedown. That effort led to the seizure of 170 bitcoin and over $4 million in stablecoins from Gallyamov’s digital wallets.
But Gallyamov didn’t back down, officials say. He allegedly changed tactics and continued launching attacks—this time using “spam bomb” campaigns, flooding employees at target companies with malicious emails to trick them into opening the door to new infections.
According to the indictment, as recently as January 2025, Gallyamov and his associates were still deploying ransomware, including Black Basta and Cactus, on newly compromised systems.
“Even after we took down his botnet, he found other ways to get back into business,” said Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office. “This guy was relentless. But so are we.”
Crypto Crackdown
In April, FBI agents executed another seizure warrant, this time netting over 30 bitcoin and $700,000 in USDT tokens. Combined with earlier seizures, authorities have now locked down more than $24 million in alleged illicit crypto profits linked to Gallyamov.
A civil forfeiture complaint filed today aims to permanently confiscate those funds—and eventually return them to the victims.
“This case highlights the growing importance of crypto forensics in cybercrime investigations,” said one DOJ official. “It’s not just about catching hackers anymore—it’s about taking away their profits.”
Global Effort
The case against Gallyamov is the result of an extensive, multi-year investigation led by the FBI’s Los Angeles Field Office, with crucial support from partners in Germany, France, the Netherlands, and Europol.
The DOJ’s Office of International Affairs also played a key role, coordinating across borders to track digital evidence and execute seizures.
Prosecutors from the DOJ’s Computer Crime and Intellectual Property Section (CCIPS) and the Central District of California are handling the case.
What’s Next?
Gallyamov is still believed to be in Russia, and his extradition prospects remain unclear. However, officials say this case isn’t just about prosecution, it’s about disruption.
By seizing funds, disabling infrastructure, and publicly unmasking key players, law enforcement hopes to raise the stakes for cybercriminals who think they’re untouchable.
“Indictments like this one won’t stop cybercrime overnight,” said an FBI spokesperson. “But they make it harder to hide, harder to profit, and harder to sleep at night if you’re in that world.”
As always, an indictment is merely an accusation, and Gallyamov is presumed innocent until proven guilty in court.
But for now, the DOJ has made its position clear: Cybercrime has real consequences—even when it crosses international lines.
