A Russian man has been indicted in the United States for allegedly operating the notorious Qakbot malware operation that targeted global organizations for over a decade.
Authorities identified Rustam Rafailevich Gallyamov, 48, as the mastermind behind the Qakbot malware and botnet, which had been active since 2008. Qakbot, also known as QBot or Pinkslipbot, infected thousands of systems through spam emails, compromised email threads, and exploited system vulnerabilities.
Qakbot Malware Caused Global Damage
According to an unsealed U.S. indictment, from 2019 onward, Gallyamov led a cybercrime group that infected hundreds of thousands of devices worldwide. These machines became part of a botnet that facilitated further cyberattacks.
Victims of the group included companies across various sectors in the U.S., such as healthcare, insurance, manufacturing, music, marketing, telecom, real estate, and technology. The indictment reveals that Gallyamov and his team sold access to infected systems to other cybercriminals, who then deployed ransomware strains including Conti, REvil, Doppelpaymer, Cactus, Egregor, Prolock, and Black Basta.
Gallyamov personally infected several targets using Black Basta and Cactus ransomware, demanding payment to restore data or avoid exposure. Victims were often extorted into paying ransom to regain access to critical files and protect sensitive data.
Law Enforcement Seizes Millions in Crypto
In August 2023, international law enforcement dismantled the Qakbot infrastructure, disrupting the botnet and seizing millions in cryptocurrency. Yet, Gallyamov’s group reportedly continued launching attacks with new malware and ransomware tactics.
The indictment claims that, as of May 2025, Gallyamov remained active in hacking, data theft, and extortion, having shifted from botnets to spam bombing campaigns to breach organizations.
The U.S. Department of Justice also filed a civil forfeiture complaint revealing that, on April 25, 2025, agents seized an additional $4 million in cryptocurrency linked to Gallyamov. So far, over $24 million in illicit funds tied to him have been recovered.
These actions are part of Operation Endgame, a global initiative targeting cybercrime. This week, authorities also announced the takedown of DanaBot and Lumma Stealer, two other malware threats.
The indictment and forfeiture are major steps in holding cybercriminals accountable and dismantling global hacking networks.