DOJ Seizes $24M in Crypto Tied to Qakbot Malware Developer

Highlights:

  • Qakbot malware operator Rustam Gallyamov has had $24 million in crypto seized by the DOJ.
  • The botnet used in global ransomware attacks by Qakbot was dismantled by the FBI.
  • Gallyamov switched to spam bomb attacks after the 2023 disruption.

The United States Department of Justice has charged Rustam Rafailevich Gallyamov with operating the Qakbot malware scheme. Authorities filed a complaint to forfeit more than $24 million in cryptocurrency relating to the cybercrime.

According to the indictment, Gallyamov, a 48-year-old from Moscow, is believed to have operated Qakbot for more than a decade. Since 2008, he is believed to have distributed the malware on thousands of computers across the world. Authorities claim he sold access to compromised computers to ransomware groups.

Black Basta and Conti, among others, conducted attacks using file encryption, forcing victims to make digital payments. In return, Gallyamov was said to have received some of the money obtained through extortion. The malware became widely noticed because it spread rapidly and managed to penetrate vital systems.

Major Cryptocurrency Seizure and DOJ Operation

After years of monitoring, law enforcement has moved to seize assets that were part of the scheme. As part of the process, authorities confiscated more than 170 Bitcoins and some stablecoins such as USDT and USDC.

According to the department, the total value of the amount seized exceeded $24 million. The operation is part of an overall approach to block cyberattacks and recover digital money. In addition, the authorities filed charges to guarantee that the money was returned to the affected parties.

Officials used a seizure warrant in April 2025 to seize what remained of Gallyamov’s assets. The money included 30 Bitcoins and another $700,000 worth of stablecoins. The latest complaint seeks that all property seized during the investigation be legally forfeited.

Qakbot Malware Used in Global Ransomware Attacks

Gallyamov’s Qakbot malware was designed to load other types of malware on infected systems. After installation, the malware gave the attacker access to any infected devices. Using this access, he managed to create a botnet of hundreds of thousands of computers.

Many different organizations were hit by the malware, including businesses, healthcare facilities, and government organizations. From 2019 to 2023, hundreds of millions were lost because of Qakbot-related attacks.

U.S. and international organizations dismantled the infrastructure used by Qakbot in August 2023. DuckHunt, an operation targeting malware, removed the malware code from more than 700,000 infected computers. Despite being shut down, reports revealed that Gallyamov became active again not long after.

New Tactics After Qakbot Takedown

Following the disruption of the botnet, Gallyamov and his group started using different approaches. They allegedly used spam bombing to gain access to systems. They did this by flooding employees’ email inboxes and asking them to install what looked like IT support software but was actually malware.

Because of these techniques, attackers released new versions of ransomware such as Cactus and Black Basta. The attack continued in 2025, targeting businesses in North America. Gallyamov’s activities continued even after international efforts until enforcement actions were taken recently. Authorities consider this operation to be one of the most damaging malware campaigns to date. In addition, they emphasized that they remain focused on identifying and disrupting cybercrime rings.
