The U.S. Department of Justice unsealed federal charges Thursday against Russian national Rustam Rafailevich Gallyamov, 48, for allegedly orchestrating one of the world’s most sophisticated malware operations that infected over 700,000 computers globally and facilitated devastating ransomware attacks.
The Moscow-based cybercriminal faces conspiracy charges for developing and deploying the notorious Qakbot malware since 2008, while prosecutors simultaneously filed a civil forfeiture complaint seeking over $24 million in seized cryptocurrency proceeds.
How the Sophisticated Malware Operated
Gallyamov, operating under aliases “Cortes,” “Tomperz,” and “Chuck,” allegedly controlled a massive botnet infrastructure through command-and-control (C2) servers that coordinated malicious activities across three operational tiers.
The Qakbot malware, also known as QBot or Pinkslipbot, functioned as a sophisticated banking trojan with modular capabilities including credential harvesting, lateral network movement, and payload delivery mechanisms.
According to court documents, the malware employed advanced evasion techniques including RC4 encryption for stolen data transmission and SOCKS5 proxy protocols for network communication.
Qakbot’s hooking module intercepted Windows API calls and Mozilla DLL functions to perform web injection attacks, while its passgrabber component extracted credentials from Firefox, Chrome, and Microsoft Vault storage systems.
The malware’s multi-stage architecture enabled threat actors to deploy additional modules for email collection, cookie grabbing, and system reconnaissance.
The indictment reveals Gallyamov’s operation as a sophisticated ransomware-as-a-service provider, facilitating attacks by notorious groups including Prolock, DoppelPaymer, Egregor, REvil, Conti, Black Basta, and Cactus.
These partnerships generated substantial illicit proceeds, with Gallyamov allegedly receiving percentage cuts from successful ransom payments, including over $300,000 from a single Tennessee music company attack.
Victims spanned diverse sectors, from a Los Angeles dental office to Nebraska technology firms, Wisconsin manufacturers, and Canadian real estate companies.
The criminal enterprise utilized multiple virtual currency transactions and blockchain-based decentralized services to launder proceeds and evade detection.
Following the FBI-led Operation Duck Hunt in August 2023, which dismantled 52 servers and seized $8.6 million in cryptocurrency, Gallyamov pivoted to “spam bomb” tactics.
Law Enforcement Takes Down Qakbot’s Evolving Attacks
The spam bombing technique involved flooding victim inboxes with unwanted subscriptions, followed by social engineering calls where conspirators posed as IT support personnel to trick employees into executing malicious code.
This evolved approach demonstrated the operation’s resilience, with criminal activities documented as recently as January 2025.
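The spam-bombing stage described above has a mailbox-level signature a defender can watch for: a sudden burst of mailing-list sign-up confirmations from many unrelated senders to one employee, which precedes the fake "IT support" call. The following is an added example, not code from the article or from any law-enforcement or vendor tool; it parses constructed mail-gateway log lines (the log format, the subject-line heuristics, the 10-minute window and the five-sender threshold are all assumptions) and raises one alert per mailbox when enough distinct senders deliver subscription-style mail inside the window, so the helpdesk can warn that user before any follow-up call arrives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample gateway log (not real traffic): one delivery per line,
# already in time order. alice receives six sign-up confirmations in under a
# minute; bob receives ordinary mail plus a single confirmation.
SAMPLE_LOG = """\
2025-01-14T09:00:05 rcpt=alice@example.test from=news@shop-a.test subj="Confirm your subscription"
2025-01-14T09:00:09 rcpt=alice@example.test from=hello@blog-b.test subj="Welcome to the Blog B newsletter"
2025-01-14T09:00:12 rcpt=bob@example.test from=invoices@vendor.test subj="Invoice 4471 attached"
2025-01-14T09:00:20 rcpt=alice@example.test from=noreply@forum-c.test subj="Verify your email address"
2025-01-14T09:00:31 rcpt=alice@example.test from=list@store-d.test subj="Thanks for signing up!"
2025-01-14T09:00:40 rcpt=alice@example.test from=it-helpdesk@example.test subj="Meeting moved to 2pm"
2025-01-14T09:00:45 rcpt=alice@example.test from=updates@news-e.test subj="You're subscribed to Daily Deals"
2025-01-14T09:00:52 rcpt=alice@example.test from=promo@outlet-f.test subj="Confirm your email"
2025-01-14T09:05:00 rcpt=bob@example.test from=news@shop-a.test subj="Confirm your subscription"
"""

# Assumed heuristic: subject phrases typical of mailing-list sign-up confirmations.
SUBSCRIPTION_PATTERNS = re.compile(
    r"confirm your (subscription|email)|welcome to|verify your (email|address)|"
    r"thanks for (signing up|subscribing)|you'?re subscribed",
    re.IGNORECASE,
)

# Assumed log line shape: ISO timestamp, recipient, sender, quoted subject.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) rcpt=(?P<rcpt>\S+) from=(?P<from>\S+) subj="(?P<subj>[^"]*)"$'
)


def parse_line(line):
    """Parse one gateway log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "rcpt": m["rcpt"].lower(),
        "sender": m["from"].lower(),
        "subject": m["subj"],
    }


def detect_spam_bombs(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per mailbox that receives subscription-style mail from
    at least `threshold` distinct senders within a sliding `window`.

    Lines are assumed to arrive in time order. Counting distinct senders rather
    than raw message volume is what separates a sign-up flood from a single
    chatty mailing list."""
    recent = defaultdict(deque)  # rcpt -> deque of (timestamp, sender)
    alerted = set()              # mailboxes already reported in this run
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not SUBSCRIPTION_PATTERNS.search(ev["subject"]):
            continue  # skip malformed lines and ordinary mail
        q = recent[ev["rcpt"]]
        q.append((ev["ts"], ev["sender"]))
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {sender for _, sender in q}
        if len(distinct) >= threshold and ev["rcpt"] not in alerted:
            alerted.add(ev["rcpt"])
            alerts.append({
                "rcpt": ev["rcpt"],
                "start": q[0][0],
                "end": ev["ts"],
                "senders": len(distinct),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_spam_bombs(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"possible spam bomb: {a['rcpt']} received subscription mail from "
              f"{a['senders']} senders between {a['start']} and {a['end']}")
```

On the sample log the detector flags only alice, at the moment the fifth distinct sender arrives; bob's single confirmation never reaches the threshold. In a real deployment the alert would be routed to the helpdesk so that any later caller claiming to be IT support and offering to "clean up" the inbox is treated as the second stage of the same attack.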
The investigation, coordinated through Operation Endgame, involved collaboration between the FBI’s Los Angeles Field Office, Germany’s Bundeskriminalamt (BKA), Netherlands National Police, French Anti-Cybercrime Office, and Europol.
On April 25, 2025, federal agents seized additional assets including over 30 bitcoin and $700,000 in USDT tokens, bringing total forfeitures to over $24 million.
“The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims,” said U.S. Attorney Bill Essayli for the Central District of California.
FBI Assistant Director Akil Davis emphasized the bureau’s commitment to pursuing cybercriminals globally, stating that Gallyamov “brazenly continued to deploy alternative methods” despite the 2023 infrastructure disruption.
The forfeiture proceeds are intended for victim compensation, marking a significant victory in international cybercrime enforcement efforts.