IT Brief US - Technology news for CIOs & IT decision-makers

US charges Russian in Qakbot cybercrime, seizes USD $24m

Wed, 28th May 2025

The United States Department of Justice has unsealed an indictment against a Russian national accused of operating the Qakbot malware network, with support from SecurityScorecard's STRIKE team in the investigation.

Rustam Rafailevich Gallyamov has been charged with running the Qakbot malware platform, which prosecutors say provided access for ransomware groups responsible for widespread cyberattacks. The indictment also covers the seizure of over USD $24 million in cryptocurrency believed to be proceeds of Qakbot-related activity.

The Department of Justice stated that Gallyamov, who is not currently in custody, operated Qakbot since 2008. The malware was allegedly used to infect devices and enable ransomware deployment by groups such as REvil, Conti, Black Basta, ProLock, Dopplepaymer, Cactus, Egregor, and Name Locker.

A member of SecurityScorecard's STRIKE team commented on the nature of the investigation, stating, "Qakbot remained active for years because the infrastructure and actors behind it were constantly shifting. STRIKE analysts were involved in tracking and identifying Qakbot and related activity that led to this indictment. This was a methodical process, not a single event. Organizations facing serious threats need partners who stay with them long after the headlines fade."

SecurityScorecard's STRIKE group supported the investigation through infrastructure tracking and analysis of technical threat intelligence, monitoring how Qakbot evolved and shifted its operations. Analysts followed changes in tactics, techniques, and procedures, providing actionable information to law enforcement.

The FBI's Los Angeles Field Office led the investigation, with further support from the FBI Milwaukee Field Office, Europol, Germany's Bundeskriminalamt, the Netherlands National Police, and the French Police Cybercrime Central Bureau. The Department of Justice's Office of International Affairs also played a supporting role.

The prosecution team handling the case includes Assistant U.S. Attorneys Khaldoun Shobaki and Lauren Restrepo from the Cyber and Intellectual Property Crimes Section, Senior Counsel Jessica Peck from the Department of Justice's Computer Crime and Intellectual Property Section, and Assistant U.S. Attorney James Dochterman from the Asset Forfeiture and Recovery Section.

From 2019 onwards, Qakbot became a common initial malware stage, often delivered by phishing emails and malicious attachments. Once a system was compromised, it let attackers move laterally and take control of infected networks, paving the way for ransomware deployment.

In August 2023, a US-led law enforcement operation disrupted Qakbot's infrastructure. Authorities seized more than 170 Bitcoin and over USD $4 million in stablecoins at that time. Named Operation Endgame, this action involved agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada.

Following the initial takedown in 2023, Qakbot-linked actors reportedly adopted new tactics. Instead of attempting to rebuild the original botnet infrastructure, they shifted to spam bomb campaigns - high-volume email attacks intended to overwhelm inboxes and evade security filters, thus maintaining the ability to deliver malware to targets.
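The spam-bomb tactic described above is, from a defender's side, a volume signal that a mail gateway or SIEM can catch. The following Python is an added illustration for this article, not code from the article, the Department of Justice or SecurityScorecard: it scans constructed gateway log lines and flags any recipient who receives a burst of messages from many distinct sender addresses inside a sliding time window. The log format, the field names and the thresholds (10-minute window, 20 messages, 10 distinct senders) are assumptions chosen for the example.

```python
"""Flag mailboxes receiving a sudden flood from many distinct senders.

Added example for the spam-bomb paragraph; the log lines, field layout
and thresholds below are constructed assumptions, not real telemetry.
"""
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed tuning values, not from the article
MIN_MESSAGES = 20
MIN_SENDERS = 10


def parse_line(line):
    """Parse one constructed gateway log line into (timestamp, recipient, sender)."""
    ts_str, rest = line.split(" ", 1)
    fields = {}
    for token in shlex.split(rest):          # shlex keeps the quoted subject intact
        key, _, value = token.partition("=")
        fields[key] = value
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["to"].lower(), fields["from"].lower()


def detect_mail_floods(log_text, window=WINDOW, min_messages=MIN_MESSAGES,
                       min_senders=MIN_SENDERS):
    """Return {recipient: summary} for each recipient whose inbound mail within
    any sliding window reaches min_messages and comes from at least
    min_senders distinct addresses. Events are processed in timestamp order."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender) inside the window
    flagged = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        while ts - q[0][0] > window:          # drop events that fell out of the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(q) >= min_messages and len(distinct) >= min_senders and rcpt not in flagged:
            flagged[rcpt] = {
                "messages": len(q),
                "distinct_senders": len(distinct),
                "window_start": q[0][0].isoformat(),
                "flagged_at": ts.isoformat(),
            }
    return flagged


def build_sample_log():
    """Constructed sample: 25 subscription-confirmation mails to alice from 25
    different senders within five minutes, plus normal traffic for bob."""
    base = datetime(2025, 1, 14, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f'{ts:%Y-%m-%dT%H:%M:%SZ} to=alice@example.org '
                     f'from=signup{i}@list{i}.example subject="Confirm your subscription"')
    for i in range(5):
        ts = base + timedelta(minutes=30 * i)
        lines.append(f'{ts:%Y-%m-%dT%H:%M:%SZ} to=bob@example.org '
                     f'from=colleague@partner.example subject="Re: meeting {i}"')
    return "\n".join(lines)


if __name__ == "__main__":
    for rcpt, summary in detect_mail_floods(build_sample_log()).items():
        print(rcpt, summary)
```

The distinct-sender condition is what separates a flood from a single noisy list: one sender repeating is a filtering problem, while dozens of unrelated senders hitting one mailbox in minutes is the shape of a deliberate inbox-bombing run. Thresholds should be set against the organisation's own per-recipient baseline before the rule is relied on.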

The indictment states that Gallyamov and associates continued using these new techniques as recently as January 2025. In April 2025, federal authorities conducted a second seizure of assets linked to Qakbot activity, recovering over 30 Bitcoin and approximately USD $700,000 in the USDT stablecoin.

According to prosecutors, this case marks a transition in law enforcement strategy, from dismantling criminal infrastructure to attributing cybercriminal activities to individuals. Should Gallyamov be convicted, he faces a sentence of up to 25 years in federal prison. The Department of Justice has indicated plans to return recovered funds to victims impacted by these malware and ransomware campaigns.

Support resources for victims of Qakbot-related cybercrime are available through the Department of Justice.
