In a significant move, the US Department of Justice (DOJ) has initiated a civil forfeiture action seeking to reclaim over $24 million in cryptocurrency believed to be associated with Rustam Rafailevich Gallyamov, a Russian national accused of orchestrating the notorious Qakbot malware operation.
A press release dated May 22 outlines the allegations against Gallyamov, suggesting his pivotal role in the distribution of Qakbot, which has been implicated in various global cybercrimes and ransomware incidents.

From Cyber Offense to Wide-Scale Ransomware Operations
Federal authorities assert that Gallyamov, based in Moscow, is a key figure behind the Qakbot botnet, a complex piece of malware initially introduced in 2008. This malware not only compromised countless systems but also enabled access for other criminals, facilitating ransomware attacks executed through multiple variants including REvil, Conti, Black Basta, and Cactus.
In exchange for his role, Gallyamov allegedly received a percentage of the ransom payments. The DOJ highlights that this seizure is part of a broader, ongoing effort involving a coalition of law enforcement entities across the US, Europe, and Canada aimed at disbanding cybercrime syndicates.
The indictment from the DOJ indicates that Gallyamov’s activities ramped up from 2019, as he used Qakbot to compromise thousands of systems and establish a robust botnet. Once these systems were infiltrated, access to them was handed over to ransomware operators.
In August 2023, a coordinated task force led by US agencies succeeded in dismantling the Qakbot network, seizing numerous crypto assets linked to the operation. This included 170 BTC along with millions in stablecoins such as USDT and USDC. Nevertheless, the DOJ asserts that Gallyamov and his associates persisted in their criminal activities, utilizing alternative strategies to engage their victims.
Recent DOJ filings describe how Gallyamov adapted his techniques post-disruption, employing innovative “spam bomb” tactics aimed at tricking employees into inadvertently granting access to secure systems. Prosecutors indicate this evolution in methodology allowed ransomware activities to extend into 2025.
The attacks reportedly involved the deployment of ransomware variants like Black Basta and Cactus, targeting individuals and organizations throughout the United States. Subsequently, in April 2025, the FBI executed an additional seizure, recovering over 30 BTC and in excess of $700,000 in stablecoins.
Global Collaboration in Cyber Crime Enforcement
The DOJ’s civil forfeiture action represents a formal step towards reclaiming over $24 million in illicit cryptocurrency, aiming to return these funds to affected individuals and organizations. This initiative highlights a unified global effort that encompasses the FBI’s field offices in Los Angeles and Milwaukee, Europol, and cybersecurity forces from nations like France, Germany, and the Netherlands.
According to the DOJ, this international cooperation has been crucial in swiftly identifying and neutralizing Gallyamov’s operations. Prosecutors from the Central District of California, alongside officials from the DOJ’s Computer Crime and Intellectual Property Section, are spearheading the case.
In public statements, DOJ and FBI representatives reiterated their unwavering commitment to dismantling the frameworks of global cybercrime, employing all available legal instruments, from indictments to forfeiture cases and international law enforcement partnerships. US Attorney Bill Essayli for the Central District of California remarked:
This forfeiture of over $24 million in virtual assets signifies our dedication to confiscating illicit assets from criminals to ultimately compensate the victims affected.