May 24, 2025

DOJ Moves to Seize $24M in Crypto from Alleged Qakbot Mastermind

The U.S. Department of Justice has launched a civil forfeiture case to seize more than $24 million in cryptocurrency allegedly tied to Rustam Rafailevich Gallyamov, a Russian national accused of helping develop and operate the Qakbot malware botnet—one of the most enduring cyber threats of the past two decades.

Unsealed on May 22, the complaint details federal charges against Gallyamov, 48, of Moscow, for conspiracy to commit computer fraud and wire fraud. According to prosecutors, he played a core role in building Qakbot’s infrastructure and maintaining its global reach, which enabled a wide array of cybercriminal activity, including large-scale ransomware deployments and credential theft.

Officials describe the forfeiture as part of an intensifying crackdown on cybercrime infrastructure funded through digital assets. DOJ Criminal Division chief Matthew Galeotti called the case a signal to cybercriminals worldwide that law enforcement will not only seek prosecution but also target and recover stolen crypto proceeds.

DOJ Seeks Justice for Victims as Qakbot Profits Come Under Fire

The Justice Department’s complaint builds on a global law enforcement action in 2023 that dismantled Qakbot’s command and control network. But despite that effort, prosecutors say Gallyamov continued his criminal activities, distributing new versions of the malware through alternative channels and leveraging affiliate-based networks.

U.S. Attorney Bill Essayli emphasized that the seizure of crypto funds is more than a punitive measure—it’s also aimed at providing restitution to Qakbot victims. “This action demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims,” he stated.

FBI Los Angeles Assistant Director Akil Davis added that the operation revealed how cybercriminals are adapting quickly, moving beyond dismantled infrastructures to develop decentralized affiliate models and other attack vectors.

Qakbot’s Ransomware Legacy and Crypto Trail

First detected in 2008, Qakbot evolved from a banking trojan into a sophisticated botnet used to facilitate some of the world’s most notorious ransomware campaigns. Prosecutors allege that Gallyamov was instrumental in monetizing the malware by selling infected machine access to other cybercrime syndicates.

These access points were subsequently used to deploy a wide range of ransomware strains—including REvil, Conti, DoppelPaymer, Egregor, Black Basta, Name Locker, and Cactus. Many of these attacks targeted healthcare systems, corporations, and government agencies.

Although U.S. and international forces took down Qakbot’s infrastructure in 2023, the indictment alleges that Gallyamov transitioned into more direct ransomware deployment. Instead of relying on partners, his network allegedly used its access to launch attacks independently—highlighting an evolution in cybercriminal behavior post-takedown.

At the time of the initial takedown, investigators seized over 170 BTC and millions in stablecoins, including USDT and USDC. These funds were traced to wallets associated with Qakbot operations and are believed to be proceeds from ransomware payments.

Quick Facts

  • DOJ filed a civil forfeiture complaint to seize $24 million in crypto tied to Qakbot.
  • Rustam Gallyamov is charged with conspiracy to commit wire and computer fraud.
  • Qakbot enabled ransomware groups to launch global attacks since 2008.
  • The botnet was dismantled in 2023, but Gallyamov allegedly continued operations.
  • Seized crypto includes over 170 BTC, along with USDT and USDC stablecoins, linked to ransomware profits.

CoinRock Media covers the latest crypto news, delving into the future of money.
