
Los Angeles, California – A Russian man accused of running one of the world’s most prolific malware operations has been indicted in Los Angeles on federal charges tied to the Qakbot malware scheme. The scheme has infected thousands of computers globally and helped deploy a range of ransomware attacks.
Rustam Rafailevich Gallyamov, 48, of Moscow, is facing two conspiracy charges—one for computer fraud and abuse and another for wire fraud—stemming from his alleged role in developing and controlling Qakbot. Authorities say this malicious botnet has been used to carry out cyberattacks for more than a decade.
Gallyamov is not in U.S. custody and is believed to be in Russia.
As part of the case, the Department of Justice also filed a civil forfeiture complaint seeking to seize more than $24 million in cryptocurrency linked to Gallyamov. The funds—recovered in bitcoin, USDT, and USDC—were allegedly proceeds of cybercrime.
Authorities say Qakbot, initially developed in 2008, grew into a powerful cybercrime platform used by threat actors to deploy ransomware such as REvil, Conti, Black Basta, and others. Once a victim’s system was infected by Qakbot, Gallyamov and his associates allegedly sold access to those systems to other criminals, who then launched ransomware attacks.
According to the indictment, Gallyamov was still active in January 2025, orchestrating “spam bomb” phishing attacks designed to trick employees into opening the door to network intrusions. Prosecutors say this shift in tactics followed the dismantling of the Qakbot infrastructure in August 2023, when a U.S.-led multinational operation seized over 170 bitcoin and millions more in crypto assets from the operation.
Even after that disruption, the indictment alleges, Gallyamov continued his operations using alternate methods to support ransomware campaigns. Federal investigators say he received a cut of the ransoms paid by victims.
On April 25, the FBI seized another round of digital assets tied to Gallyamov—more than 30 bitcoin and roughly $700,000 in USDT. The Department of Justice is seeking to forfeit these funds and return them to victims, if possible.
The case is part of a broader international effort dubbed Operation Endgame, involving law enforcement agencies from the U.S., Germany, France, the Netherlands, the U.K., and Canada, among others.
If convicted, Gallyamov faces up to 25 years in federal prison. Prosecutors emphasized that the charges are part of a broader strategy to target cyber criminals—even those operating from abroad—and recover stolen assets.
Qakbot, a longtime fixture in cybercrime, has been known for stealing financial data, spreading through networks, and helping deliver other malware.