US Indicts Leader of Qakbot Botnet Linked to Ransomware Attacks
The US government has taken a significant step in its efforts to combat cybercrime by indicting Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation. This move comes after an investigation that revealed Gallyamov's role in creating and deploying the Qakbot malware, which compromised over 700,000 computers and enabled ransomware attacks.
Gallyamov began developing Qakbot (also known as Qbot and Pinkslipbot) in 2008 and deployed it to build a network of thousands of infected computers. Over time a team of developers formed around Qakbot, and the indictment notes that other malware was also created under Gallyamov's leadership.
For about a decade, Gallyamov operated Qakbot as a banking trojan with worm capabilities, a malware dropper, and a backdoor that could also record keystrokes. Starting in 2019, however, Qakbot became the initial infection vector in many ransomware attacks by gangs such as Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, Doppelpaymer, Black Basta, and Cactus.
Gallyamov allegedly received a portion of the ransoms paid by victims in return for providing that initial access, with the cut negotiated separately with each ransomware group. This lucrative arrangement made him a key initial-access supplier in the global ransomware ecosystem.
The Qakbot botnet led to hundreds of ransomware victims worldwide, including private companies, healthcare providers, and government agencies. The compromises caused hundreds of millions of dollars in damage overall, with more than $58 million in losses attributed to a single 18-month period.
In 2023, the FBI dismantled the Qakbot botnet by hacking into parts of its infrastructure and taking control of a computer used by a Qakbot administrator. Despite the takedown, Gallyamov continued to engage in malicious operations and "orchestrated spam bomb attacks against victims in the United States as recently as January 2025."
Earlier today, the Justice Department filed a forfeiture complaint against more than $24 million in cryptocurrency seized from Gallyamov during the investigation. Last month, the FBI seized more illegal assets - 30 bitcoins and $700,000 in USDT tokens, worth more than $4 million at today's exchange rate.
These law enforcement actions were coordinated with Operation Endgame, an international effort that led to the seizure of more than 100 servers used by multiple botnets and malware loaders (e.g. IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC).
The Scope of the Indictment
The indictment describes operations spanning more than a decade that involved creating and deploying multiple malware tools. Qakbot was the centerpiece, but other malware was also developed under Gallyamov's leadership.
The Impact of the Indictment
The indictment signals that the US government will pursue operators who target its organizations even when they work from abroad. The seizure of cryptocurrency and other assets is a significant blow to Gallyamov's operation, but the spam bomb attacks that continued after the 2023 takedown underscore how persistent the ransomware threat remains.
Cybersecurity Implications
For defenders, the case illustrates the initial-access model behind modern ransomware: a loader such as Qakbot establishes a foothold on a victim network, and that access is then handed to a ransomware group in exchange for a share of the ransom. Detecting and evicting loader infections early, before access is passed on, is therefore the point at which organizations have the most leverage, and it argues for investment in detection and response rather than reliance on any single preventive control.
Conclusion
The indictment of Rustam Rafailevich Gallyamov marks a significant milestone in the US government's efforts to combat cybercrime. As law enforcement agencies continue to disrupt malware operations, it is essential for organizations and individuals to stay informed about emerging threats and take steps to protect themselves.