
The United States Department of Justice (DoJ) unsealed an indictment against Rustam Rafailevich Gallyamov of Moscow, Russia, alleging he led the notorious Qakbot malware operation that has played a pivotal role in global ransomware attacks since at least 2008.
According to the May 22, 2025, DoJ document, 48-year-old Gallyamov masterminded the distribution, deployment, and control of the loader malware, leveraging a sprawling botnet of infected computers worldwide.
Gallyamov allegedly profited by receiving a share of ransom payments extorted from victims around the globe.
Forensic efforts led by the FBI’s Los Angeles Field Office, in close partnership with authorities from France, Germany, the Netherlands, Denmark, the U.K., and Canada, culminated in a major disruption of the Qakbot botnet in August 2023. The operation resulted in the seizure of more than 170 bitcoin and over $4 million in stablecoins.
Court documents reveal that Gallyamov and his associates rapidly adapted after the disruption, executing “spam bomb” phishing campaigns to regain illicit access to networks. These attacks continued into January 2025 and involved the deployment of sophisticated ransomware tools.
The latest DoJ action includes a civil forfeiture complaint targeting over $24 million in cryptocurrency, with the stated intention of ultimately compensating victims.
This case underscores the growing coordination among international law enforcement to dismantle cybercriminal ecosystems, as seen in initiatives like Operation Endgame.
From 2019 onward, Qakbot’s reach facilitated a host of ransomware attacks, providing access for criminal affiliates deploying ransomware strains such as Prolock, Doppelpaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus.
A new strain of BackConnect malware (detected as QBACKCONNECT by Trend Micro) exhibits links to the dismantled Qakbot, suggesting a pivot in attack methodologies.