US seizes $24M in crypto from Russian malware network

The U.S. Justice Department charged the suspected head of the cybercrime group responsible for Qakbot malware, a tool widely used by several notorious ransomware operations.
Russian citizen Rustam Gallyamov, now 48, developed the software in 2008. Authorities disrupted its activities after it had spread to over 700,000 computers.
In August 2023, the U.S. Justice Department revealed a coordinated international effort with France, Germany, the Netherlands, the U.K., Romania, and Latvia to dismantle the botnet and remove its code from compromised systems.
The indictment states that Gallyamov provided his accomplices with access to compromised devices, and they deployed multiple types of ransomware on those devices.
In exchange, his accomplices gave him a share of the money they extorted.
The cybercriminals hit several organizations, notably a dental office in L.A., a technology firm from Nebraska, a manufacturing business in Wisconsin, and a real estate company operating in Canada.
The indictment reveals that ransomware groups such as Conti, REvil, Black Basta, and DoppelPaymer used the malware in their operations.
After authorities disrupted Qakbot, Gallyamov’s group changed its approach and launched “spam bomb” attacks to deceive company employees into providing network access.
According to the indictment, Gallyamov coordinated spam bomb assaults on U.S. victims as late as January 2025.
The indictment states that Gallyamov and his collaborators spread Black Basta and Cactus ransomware on infected systems.
The FBI seized more than 30 bitcoin and $700,000 in USDT tokens from Gallyamov under a seizure warrant executed on April 25, the Department of Justice confirmed in a statement.
To recover and return funds to victims, the Department filed a civil forfeiture complaint in California’s Central District targeting over $24 million in illicit proceeds Gallyamov earned.
Matthew Galeotti, head of the DOJ’s criminal division, said, “Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community.”
Galeotti highlighted that the DOJ is “determined to hold cybercriminals accountable.” He added that the department will “use every legal tool” to “identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”
U.S. Attorney Bill Essayli of California’s Central District said, “The criminal charges and forfeiture case announced today are part of an ongoing effort” to identify, disrupt, and hold accountable cybercriminals. He added:
“The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
