Civil Forfeiture Lawsuit Seeking Over $24 Million in Cryptocurrency Filed
LOS ANGELES – A federal grand jury indictment unsealed today charges a Russian national with leading a group of cyber criminals that developed and deployed the Qakbot malware that infected thousands of computers worldwide, installing ransomware and demanding payment from victims.
Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, is charged with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud. He is believed to be in Russia and is not in custody.
In connection with the charges, the Justice Department filed today a civil forfeiture complaint against more than $24 million in cryptocurrency seized from Gallyamov over the course of the investigation. These actions are the latest step in an ongoing multinational effort by the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime.
“The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals,” said United States Attorney Bill Essayli for the Central District of California. “The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
“Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “We will not stop holding cybercriminals accountable, even over a course of years, and we will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”
“Mr. Gallyamov’s bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Akil Davis, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “The charges announced today exemplify the FBI’s commitment to relentlessly hold accountable individuals who target Americans and demand ransom, even when they live halfway across the world.”
According to the indictment, Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008. From 2019 onward, Gallyamov allegedly used the Qakbot botnet to infect thousands of victim computers around the world to establish a network or “botnet” of infected computers. Once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus. Gallyamov was paid a portion of the ransoms received from ransomware victims.
The announcement of charges today is the latest step taken by the Justice Department against the Qakbot conspiracy. In August 2023, a U.S.-led multinational operation disrupted the Qakbot botnet and malware. At that time, the Justice Department announced the seizure of illicit proceeds from Gallyamov, including more than 170 bitcoin and more than $4 million of USDT and USDC tokens.
According to the indictment, after the disruption and takedown of the Qakbot botnet, Gallyamov and his co-conspirators continued their criminal activities. Instead of a botnet, they allegedly used different tactics, including “spam bomb” attacks on victim companies, where co-conspirators would trick employees at those victim companies into granting access to computer systems. The indictment alleges that Gallyamov orchestrated spam bomb attacks against victims in the United States as recently as January 2025. It also alleges that Gallyamov and his co-conspirators deployed Black Basta and Cactus ransomware on victim computers.
On April 25, pursuant to a seizure warrant, the FBI seized additional illicit proceeds from Gallyamov, including more than 30 bitcoin and more than $700,000 of USDT tokens. Today, the Department filed a civil forfeiture complaint in the Central District of California against all the illicit proceeds seized from Gallyamov – worth more than $24 million as of today – to forfeit and ultimately return those funds to victims.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
If convicted, Gallyamov would face a statutory maximum sentence of 25 years in federal prison.
The investigation of Gallyamov was led by the FBI’s Los Angeles Field Office, which worked closely with investigators from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, the French Police Cybercrime Central Bureau, and Europol. The Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office provided significant assistance.
The case against Gallyamov is being prosecuted by Assistant United States Attorneys Khaldoun Shobaki and Lauren Restrepo of the Cyber and Intellectual Property Crimes Section, and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) Senior Counsel Jessica Peck. Assistant United States Attorney James Dochterman of the Asset Forfeiture and Recovery Section is prosecuting the forfeiture case.
These law enforcement actions were taken in conjunction with Operation Endgame, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling and prosecuting cybercriminal organizations around the world.
Resources for victims can be found on the following website, which will be updated as additional information becomes available: https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
Release No. 25-150
