Key Takeaways:
The U.S. Department of Justice seized over $24 million in crypto linked to a Russian national.
The suspect allegedly ran a cybercrime operation that infected computers worldwide and later facilitated ransomware attacks.
The FBI, in collaboration with international partners, led the investigation and plans to return the recovered assets to the victims.
The U.S. Department of Justice (DOJ) announced on May 23 that it has seized over $24 million in cryptocurrency from a Russian national accused of developing and operating the Qakbot malware.
The unsealed federal indictment identifies Rustam Rafailevich Gallyamov, 48, of Moscow, as the lead developer behind Qakbot. Gallyamov now faces federal charges for allegedly leading a global cybercrime group that infected computers with malware and facilitated large-scale ransomware attacks.
U.S. Charges Russian Hacker Behind Qakbot and Disrupts Its Operation
According to the DOJ, Gallyamov created and controlled the malware beginning in 2008 and later used it to infect thousands of computers worldwide. These infected systems were then used to build a botnet, which became a platform for widespread ransomware attacks.
Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme https://t.co/wfq7gc7453
— US Attorney L.A. (@USAO_LosAngeles) May 22, 2025
“Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, head of the DOJ’s Criminal Division. “We are determined to hold cybercriminals accountable and will use every legal tool at our disposal.”
From 2019 onward, Gallyamov is accused of giving access to this botnet to other cybercriminal groups. These groups then deployed ransomware strains such as REvil, Conti, Black Basta, and Cactus. In return, Gallyamov allegedly received a share of the ransom payments.
The Qakbot botnet was disrupted in August 2023 as part of a U.S.-led international operation. At the time, authorities seized over 170 Bitcoin and more than $4 million in USDT and USDC from Gallyamov.
However, according to prosecutors, Gallyamov continued his cyber activities even after the takedown. Instead of relying on the botnet, Gallyamov and his associates allegedly switched to new tactics, including “spam bomb” attacks.
These involved flooding victims with emails to trick employees into granting access to their systems. Prosecutors say he continued this activity as recently as January 2025.
“The charges announced today exemplify the FBI’s commitment to relentlessly hold accountable individuals who target Americans and demand ransom, even when they live halfway across the world,” said Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office.
On April 25, the FBI executed a seizure warrant against Gallyamov, collecting an additional 30 Bitcoin and over $700,000 in USDT. All seized assets, valued at over $24 million, are now subject to a civil forfeiture complaint filed in the Central District of California. The DOJ intends to return these funds to ransomware victims.
U.S. Attorney Bill Essayli emphasized the department’s goals, stating, “The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
The investigation was led by the FBI’s Los Angeles Field Office in coordination with law enforcement in France, Germany, the Netherlands, Denmark, the UK, Canada, and Europol.
New DOJ Cases Indicate Broader U.S. Crackdown on Crypto-Backed Cybercrime
The $24 million crypto seizure from a Qakbot-linked developer is only the latest in a sweeping U.S. crackdown on cybercrime.
In December 2024, U.S. authorities charged Rostislav Panev, a dual Russian-Israeli national, for his alleged role in the notorious LockBit ransomware group.
Panev, who was arrested in Israel last August, remains in custody as extradition proceedings continue. The DOJ describes him as a key developer behind malware tools used to disable antivirus software, access victim networks, and issue ransom demands.
Authorities say he was behind malware that disabled antivirus software and delivered ransom notes via infected devices. Investigators also traced over $230,000 in crypto payments allegedly linked to his activity.
His lawyer claims he unknowingly created software used by the group and is cooperating with law enforcement.
Meanwhile, in a sweeping May 2025 indictment, U.S. officials charged 12 people, including Americans and foreign nationals mostly aged 18 to 21, for a crypto-driven racketeering scheme that netted $263 million.
The U.S. Department of Justice (DOJ) charged a dozen people for their role in a $263 million crypto crime scheme.#DOJ #CryptoCrimehttps://t.co/5yBzBytkgy
— Cryptonews.com (@cryptonews) May 16, 2025
Prosecutors allege the group engaged in coordinated cyberattacks, laundering stolen funds through lavish purchases like private jets, exotic cars, and luxury goods.
Federal charges are also advancing against Roman Storm, the developer of the sanctioned mixing service Tornado Cash. Authorities claim the platform was instrumental in laundering billions in illicit crypto.
The post Qakbot Malware Developer’s $24M in Crypto Seized – Is a Bigger DOJ Crackdown Coming? appeared first on Cryptonews.
