
Authorities have seized over $24 million in cryptocurrency from a Russian cybercriminal mastermind who orchestrated global ransomware attacks from the shadows of Moscow, while victims across America suffered devastating financial losses.
Key Takeaways
- Russian national Rustam Gallyamov has been charged with developing and deploying the Qakbot malware that infected over 700,000 computers worldwide
- Federal authorities seized more than $24 million in cryptocurrency assets connected to the criminal enterprise
- Gallyamov allegedly partnered with multiple ransomware groups, providing access to compromised systems for a share of ransom payments
- The suspect remains at large in Russia while facing a potential 25-year prison sentence if convicted
- A multinational operation successfully disrupted the Qakbot botnet in 2023, though Gallyamov reportedly continued operations through alternative methods
Russian Cybercriminal Charged in Massive Malware Operation
Federal prosecutors in Los Angeles have charged Russian national Rustam Gallyamov, 48, with leading a sophisticated cybercriminal organization responsible for developing and deploying the notorious Qakbot malware. The charges include conspiracy to commit computer fraud and abuse, along with conspiracy to commit wire fraud. Gallyamov, believed to be safely residing in Russia beyond the reach of American law enforcement, faces up to 25 years in federal prison if convicted. The Department of Justice’s decisive action demonstrates the Trump administration’s commitment to pursuing foreign cybercriminals who target American businesses and citizens.
According to the indictment, Gallyamov has been developing and controlling the Qakbot malware since 2008, using it to create an extensive botnet of infected computers. This malicious software infiltrated hundreds of thousands of systems globally, with approximately 200,000 computers compromised in the United States alone. The criminal operation specifically targeted a wide range of American businesses, including a dental clinic in Los Angeles, a music company in Tennessee, and an insurance company in Maryland, demonstrating the far-reaching impact of this cyber threat on our nation’s economy.
Criminal Tactics and Financial Seizure
Gallyamov and his co-conspirators employed sophisticated methods to infiltrate victim networks, including “spam bomb” attacks designed to trick employees into granting system access. Once inside, they deployed ransomware such as ProLock, DoppelPaymer, and Egregor to lock victims out of their own systems. The cybercriminals then demanded ransom payments to restore access and prevent the public release of sensitive data, a tactic that has become increasingly common among foreign adversaries targeting American infrastructure and businesses.
“The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals,” said U.S. Attorney Bill Essayli for the Central District of California. “The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
The Justice Department has filed a civil forfeiture complaint targeting over $24 million in cryptocurrency seized from Gallyamov’s criminal enterprise. This includes more than 170 bitcoin and an additional $4 million in various cryptocurrency tokens that were seized in August 2023. These funds represent the ill-gotten gains from countless American victims who were forced to pay ransoms to regain access to their critical systems and data. The administration’s focus on recovering these assets highlights its commitment to not just punishing cybercriminals but also providing restitution to American victims.
International Collaboration and Ongoing Threats
In a significant blow to Gallyamov’s operation, a U.S.-led multinational operation successfully disrupted the Qakbot botnet in 2023, seizing $8.6 million in cryptocurrency at that time. Despite this setback, investigators discovered that Gallyamov brazenly continued his criminal activities by deploying alternative methods to distribute malware and support ransomware attacks. This persistence demonstrates the ongoing challenges faced by American law enforcement in combating foreign cybercriminals who operate with relative impunity from countries like Russia.
“Mr. Gallyamov’s bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Akil Davis, assistant director in charge at the FBI’s Los Angeles Field Office.
The investigation, led by the FBI’s Los Angeles Field Office with substantial international collaboration, exemplifies how American intelligence and law enforcement agencies continue to track and disrupt foreign cybercriminals who target our citizens and businesses. While Gallyamov remains beyond the reach of U.S. law enforcement for now, the indictment serves as a warning to other cybercriminals that American authorities will pursue them relentlessly, freeze their assets, and work to bring them to justice regardless of where they attempt to hide. The Trump administration’s tough stance on cybersecurity threats continues to protect American interests against foreign actors who seek to profit from attacking our infrastructure.