A Russian national has been indicted in the US for leading the cybercrime group behind the infamous Qakbot malware and botnet.
The individual, Rustam Rafailevich Gallyamov, 48, allegedly “developed, deployed, and controlled the Qakbot malware beginning in 2008”.
Also known as Pinkslipbot and QBot, Qakbot was distributed through spam campaigns, hijacked email threads, or the exploitation of known vulnerabilities in internet-facing assets.
According to the newly unsealed indictment (PDF), starting in 2019, the Qakbot gang, led by Gallyamov, infected hundreds of thousands of computers worldwide, ensnaring them in a botnet.
Victims of the attacks included healthcare, insurance, manufacturing, marketing, music, real estate, technology, and telecommunications organizations in the US.
Gallyamov and his co-conspirators allegedly sold access to Qakbot-infected machines to other cybercriminals, who deployed ransomware families such as Black Basta, Cactus, Conti, Doppelpaymer, Egregor, Name Locker, Prolock, and REvil.
Gallyamov himself allegedly infected some of the victims with the Black Basta and Cactus ransomware families.
“Ransomware victims were then extorted by defendant Gallyamov and his coconspirators to pay ransoms to regain access to and/or prevent the dissemination of their private data. Defendant Gallyamov and his coconspirators received a portion of any ransom paid,” the indictment reads.
In August 2023, law enforcement agencies in multiple countries took down Qakbot’s infrastructure, disrupting the botnet and seizing millions of dollars in cryptocurrency. Soon after, however, the Qakbot gang was seen continuing the deployment of ransomware and malware.
According to the indictment, as of May 2025, Gallyamov continues to engage in activities involving computer hacking, malware deployment, data theft, and extortion. Instead of using a botnet, the cybercriminal has relied on ‘spam bombing’ to target victim organizations.
A civil forfeiture complaint (PDF) filed by the Department of Justice on Thursday reveals that, on April 25, 2025, pursuant to a seizure warrant, authorities seized an additional $4 million in cryptocurrency from Gallyamov. The US estimates that the illicit proceeds seized from Gallyamov are worth over $24 million.
The actions against Gallyamov were taken in conjunction with Operation Endgame, an ongoing international law enforcement effort to disrupt cybercrime operations worldwide. This week, authorities announced the takedown of DanaBot and Lumma Stealer as part of Operation Endgame.
