The U.S. government has indicted Rustam Rafailevich Gallyamov, a Russian national accused of leading the Qakbot botnet operation, which infected over 700,000 computers worldwide and facilitated numerous ransomware attacks.

According to federal court documents, Gallyamov began developing Qakbot — also known as Qbot or Pinkslipbot — in 2008. Initially created as a banking trojan, the malware evolved into a powerful tool for cybercriminals, capable of recording keystrokes, spreading like a worm, and acting as a malware dropper or backdoor.

By 2019, Qakbot had become a key entry point for ransomware groups including Conti, REvil, Egregor, and Black Basta. Gallyamov reportedly profited by taking a cut of ransoms paid by victims, which included businesses, hospitals, and government agencies.

In 2023, the FBI disrupted the Qakbot infrastructure and took control of systems used by the botnet. However, Gallyamov continued malicious activities and is accused of launching spam attacks as recently as January 2025.

As part of the investigation, the U.S. Justice Department has seized over $24 million in cryptocurrency linked to Gallyamov. Additional seizures last month included 30 bitcoins and $700,000 in USDT tokens, totaling more than $4 million at current value.

This case is part of Operation Endgame, a global law enforcement effort that targeted major malware networks, taking down over 100 servers used by botnets such as IcedID, Trickbot, and Bumblebee.
