For thousands of people around the world, the nightmare began the same way: a frozen screen, a blinking message, and a demand for money. Doctors, small business owners, factory workers, and even school staff found their computers suddenly hijacked.
The US Department of Justice has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, for leading a global cybercriminal enterprise responsible for the notorious Qakbot malware. Alongside the charges, the Justice Department announced it had seized over $24 million in cryptocurrency linked to Gallyamov’s cybercrime empire. These funds are now slated to be returned to the victims who suffered from these attacks.
Victims ranged from small dental offices in Los Angeles to technology firms in Nebraska, manufacturing companies in Wisconsin, and even real estate businesses in Canada.
This indictment was unsealed on Thursday, May 22, 2025, and marks a crucial moment in America’s ongoing battle against ransomware attacks that have plagued organizations worldwide.
Matthew R. Galeotti, Head of the Justice Department’s Criminal Division, emphasized the significance of this action: "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community. We are determined to hold cybercriminals accountable and will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity."
What is Gallyamov accused of?
Gallyamov is accused of developing and deploying Qakbot, a sophisticated malware that infected over 700,000 computers globally, since 2008. The malware facilitated ransomware attacks by granting access to co-conspirators who deployed various ransomware strains, including Conti, REvil, Black Basta, and DoppelPaymer.
Despite a multinational operation targeting him in August 2023 that disrupted the Qakbot botnet, Gallyamov allegedly continued his cybercriminal activities.
“Mr. Gallyamov's bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Assistant Director in Charge Akil Davis of the FBI’s Los Angeles Field Office.
He and his associates shifted tactics, employing "spam bomb" attacks to deceive employees into granting network access, leading to further ransomware deployments as recently as January 2025.
As a result, the FBI under its “Operation Endgame” seized more than 30 bitcoins and $700,000 in USDT tokens from Gallyamov under a seizure warrant executed on April 25, the Department of Justice confirmed in a statement.
The Justice Department also filed a civil forfeiture complaint to seize over $24 million in cryptocurrency linked to Gallyamov's illicit activities. The aim is not only to prosecute cybercriminals but also to recover assets to compensate victims.
Operation Endgame
The indictment is part of Operation Endgame, a coordinated international effort involving law enforcement agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada.
This operation has dismantled key infrastructure of several malware strains, including Qakbot, DanaBot, Trickbot, and others, by taking down approximately 300 servers and neutralizing 650 domains worldwide.