The Moscow-based cybercriminal faces conspiracy charges for developing and deploying the notorious Qakbot malware since 2008, while prosecutors simultaneously filed a civil forfeiture complaint seeking over $24 million in seized cryptocurrency proceeds.
Gallyamov, operating under aliases “Cortes,” “Tomperz,” and “Chuck,” allegedly controlled a massive botnet infrastructure through command-and-control (C2) servers that coordinated malicious activities across three operational tiers.
The Qakbot malware, also known as QBot or Pinkslipbot, functioned as a sophisticated banking trojan with modular capabilities including credential harvesting, lateral network movement, and payload delivery mechanisms.
According to court documents, the malware employed advanced evasion techniques including RC4 encryption for stolen data transmission and SOCKS5 proxy protocols for network communication.
Qakbot’s hooking module intercepted Windows API calls and Mozilla DLL functions to perform web injection attacks, while its passgrabber component extracted credentials from Firefox, Chrome, and Microsoft Vault storage systems.
The malware’s multi-stage architecture enabled threat actors to deploy additional modules for email collection, cookie grabbing, and system reconnaissance.
The indictment describes Gallyamov’s operation as a sophisticated ransomware-as-a-service provider, facilitating attacks by notorious groups including Prolock, DoppelPaymer, Egregor, REvil, Conti, Black Basta, and Cactus.
These partnerships generated substantial illicit proceeds, with Gallyamov allegedly receiving percentage cuts from successful ransom payments, including over $300,000 from a single Tennessee music company attack.
Victims spanned diverse sectors, from a Los Angeles dental office to Nebraska technology firms, Wisconsin manufacturers, and Canadian real estate companies.
The criminal enterprise utilized multiple virtual currency transactions and blockchain-based decentralized services to launder proceeds and evade detection.
Following the FBI-led Operation Duck Hunt in August 2023, which dismantled 52 servers and seized $8.6 million in cryptocurrency, Gallyamov pivoted to “spam bomb” tactics.
The spam bombing technique involved flooding victim inboxes with unwanted subscriptions, followed by social engineering calls where conspirators posed as IT support personnel to trick employees into executing malicious code.
This evolved approach demonstrated the operation’s resilience, with criminal activities documented as recently as January 2025.
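The spam-bombing pattern described above has an observable footprint on the mail gateway: one mailbox suddenly receives many subscription confirmations from many unrelated sender domains in a short window, which is the cue for the follow-up "IT support" call. The following detection heuristic is an added example, not code from the article or from any investigation it cites; the log format, the thresholds and the sender domains are constructed assumptions to be tuned per environment.

```python
"""Detect subscription ("spam bomb") flooding in a simplified mail-gateway log.

Added example, not code from the original article. Each log line is assumed
to have the constructed form:
    <ISO timestamp> <recipient> <sender> <subject...>
The heuristic flags a recipient who receives an unusually large number of
messages from many distinct sender domains inside a short sliding window,
and counts how many of those look like subscription/welcome/confirm mail.
Thresholds are assumptions, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is being subscription-bombed, bob is normal.
SAMPLE_LOG = """\
2025-01-14T09:00:01 alice@example.org news@retailer-a.example Welcome to our newsletter
2025-01-14T09:00:07 alice@example.org noreply@forum-b.example Confirm your subscription
2025-01-14T09:00:12 alice@example.org hello@blog-c.example You're subscribed!
2025-01-14T09:00:20 alice@example.org signup@shop-d.example Please verify your email
2025-01-14T09:00:33 alice@example.org news@magazine-e.example Newsletter: Welcome aboard
2025-01-14T09:00:41 alice@example.org noreply@app-f.example Confirm your account
2025-01-14T09:00:58 alice@example.org hello@store-g.example Thanks for subscribing
2025-01-14T09:01:10 alice@example.org team@site-h.example Welcome!
2025-01-14T09:01:25 alice@example.org noreply@portal-i.example Verify your subscription
2025-01-14T09:01:44 alice@example.org digest@news-j.example Your daily digest subscription
2025-01-14T09:02:03 alice@example.org hello@club-k.example Welcome to the club
2025-01-14T09:02:30 alice@example.org noreply@list-l.example Subscription confirmed
2025-01-14T08:15:00 bob@example.org payroll@example.org January timesheet
2025-01-14T09:03:40 bob@example.org it-helpdesk@example.org Ticket 4412 update
"""

# Subject fragments typical of opt-in confirmation mail (assumed list).
SUBSCRIPTION_HINTS = ("subscri", "welcome", "confirm", "verify", "newsletter")


def parse_log(text):
    """Parse the constructed log format into a list of message records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rcpt, sender, subject = line.split(" ", 3)
        records.append({
            "time": datetime.fromisoformat(ts),
            "recipient": rcpt.lower(),
            "domain": sender.rsplit("@", 1)[-1].lower(),
            "subject": subject,
        })
    return records


def detect_spam_bomb(records, window=timedelta(minutes=10),
                     min_messages=10, min_domains=8):
    """Return {recipient: alert} for mailboxes flooded from many domains.

    A sliding window per recipient keeps the messages within `window` of the
    newest one; an alert is raised when the window holds at least
    `min_messages` messages from at least `min_domains` distinct domains.
    The alert records the largest window seen for that recipient.
    """
    by_rcpt = defaultdict(list)
    for rec in records:
        by_rcpt[rec["recipient"]].append(rec)

    alerts = {}
    for rcpt, msgs in by_rcpt.items():
        msgs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(msgs)):
            # Drop messages that fell out of the window relative to msgs[end].
            while msgs[end]["time"] - msgs[start]["time"] > window:
                start += 1
            span = msgs[start:end + 1]
            domains = {m["domain"] for m in span}
            if len(span) >= min_messages and len(domains) >= min_domains:
                subscription_like = sum(
                    1 for m in span
                    if any(h in m["subject"].lower() for h in SUBSCRIPTION_HINTS)
                )
                prev = alerts.get(rcpt)
                if prev is None or len(span) > prev["messages"]:
                    alerts[rcpt] = {
                        "messages": len(span),
                        "domains": len(domains),
                        "subscription_like": subscription_like,
                        "window_start": msgs[start]["time"],
                    }
    return alerts


if __name__ == "__main__":
    for rcpt, alert in detect_spam_bomb(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {rcpt}: {alert['messages']} msgs from {alert['domains']} "
              f"domains since {alert['window_start']:%H:%M:%S}, "
              f"{alert['subscription_like']} subscription-like subjects")
```

An alert of this kind is most useful when it is routed to the help desk as well as the SOC: the point of the flood is to make a later unsolicited "IT support" call seem plausible, so a note that the mailbox is under a subscription bomb lets staff treat any such call as suspect and verify it through a known-good channel.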
The investigation, coordinated through Operation Endgame, involved collaboration between the FBI’s Los Angeles Field Office, Germany’s Bundeskriminalamt (BKA), Netherlands National Police, French Anti-Cybercrime Office, and Europol.
On April 25, 2025, federal agents seized additional assets including over 30 bitcoin and $700,000 in USDT tokens, bringing total forfeitures to over $24 million.
“The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims,” said U.S. Attorney Bill Essayli for the Central District of California.
FBI Assistant Director Akil Davis emphasized the bureau’s commitment to pursuing cybercriminals globally, stating that Gallyamov “brazenly continued to deploy alternative methods” despite the 2023 infrastructure disruption.
The forfeiture proceeds are intended for victim compensation, marking a significant victory in international cybercrime enforcement efforts.
The post Russian Cybercriminal Charged in $24 Million Qakbot Ransomware Scheme appeared first on Cyber Security News.