Categories: Cyber Security News

Russian Hacker Faces Charges in $24 Million Qakbot Ransomware Operation

Federal prosecutors today unsealed an indictment against Rustam Rafailevich Gallyamov, a 48-year-old Russian national accused of orchestrating one of the most sophisticated Qakbot ransomware operations in recent history.

The charges represent the culmination of a multinational investigation that has resulted in the seizure of over $24 million in cryptocurrency proceeds from the cybercriminal’s activities.

The indictment marks the latest phase in an ongoing international effort spanning seven countries, including the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada.

Matthew R. Galeotti, Head of the Justice Department’s Criminal Division, emphasized the government’s commitment to pursuing cybercriminals globally, stating that the announcement “sends a clear message to the cybercrime community” about law enforcement’s determination to hold perpetrators accountable.

The charges against Gallyamov are being prosecuted in the Central District of California, where prosecutors have also filed a civil forfeiture complaint targeting the seized cryptocurrency assets.

U.S. Attorney Bill Essayli highlighted that the forfeiture action demonstrates the Justice Department’s commitment to “seizing ill-gotten assets from criminals in order to ultimately compensate victims.”

The investigation was spearheaded by the FBI’s Los Angeles Field Office, working in close coordination with international partners including Germany’s Bundeskriminalamt, the Netherlands National Police, France’s Anti-Cybercrime Office, and Europol.

This collaborative effort exemplifies the global response required to combat sophisticated cybercrime networks.

Botnet to Spam Bomb Attacks

According to court documents, Gallyamov developed and deployed the Qakbot malware beginning in 2008, evolving it into a sophisticated criminal enterprise by 2019.

The malware infected thousands of computers worldwide, creating a massive botnet that served as a gateway for ransomware attacks.

Once Gallyamov gained access to victim systems, he allegedly provided access to co-conspirators who deployed various ransomware strains, including Prolock, DoppelPaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus.

Despite a successful international operation in August 2023 that disrupted the Qakbot botnet, Gallyamov allegedly adapted his criminal methods.

The indictment reveals that after the takedown, he shifted to “spam bomb” attacks, where accomplices would deceive company employees into granting system access.

These evolved tactics enabled continued ransomware deployment as recently as January 2025.

Massive Asset Seizure and Victim Compensation

The financial scope of Gallyamov’s alleged crimes is substantial. During the initial August 2023 operation, authorities seized over 170 bitcoin and more than $4 million in USDT and USDC tokens.

The criminal enterprise continued generating illicit proceeds even after this disruption, leading to additional seizures on April 25, 2025, when the FBI confiscated over 30 bitcoin and $700,000 in USDT tokens.

The total cryptocurrency assets seized from Gallyamov exceed $24 million in current value. The Justice Department’s civil forfeiture complaint aims to permanently forfeit these funds to compensate ransomware victims.

Assistant Director Akil Davis of the FBI’s Los Angeles Field Office noted that while Gallyamov’s “bot network was crippled” in 2023, he “brazenly continued to deploy alternative methods” to facilitate ransomware attacks.

These enforcement actions occurred as part of Operation Endgame, a coordinated international initiative targeting cybercriminal organizations worldwide, demonstrating law enforcement’s evolving approach to combating sophisticated digital threats.

The post Russian Hacker Faces Charges in $24 Million Qakbot Ransomware Operation appeared first on Cyber Security News.
