FBI Seizes $24 Million Crypto Cache from Russian Malware Mastermind

Published 5 hours ago | 3 minute read

The US Department of Justice (DOJ) has filed a civil forfeiture complaint to seize over $24 million in cryptocurrency assets linked to Rustam Rafailevich Gallyamov, a Russian national accused of spearheading the development and distribution of the Qakbot malware. This action, detailed in a press release on May 22, alleges that Gallyamov played a pivotal role in deploying Qakbot as part of a widespread cybercrime operation that compromised computers globally, facilitating numerous ransomware attacks.

Federal prosecutors assert that Gallyamov, residing in Moscow, managed the botnet infrastructure behind Qakbot since its initial deployment in 2008. This sophisticated malware was utilized to infiltrate computer systems, granting access to co-conspirators who then launched ransomware campaigns using variants such as REvil, Conti, Black Basta, and Cactus. Gallyamov allegedly received a portion of the ransom proceeds in return.

The DOJ highlighted that this seizure is part of an ongoing international effort involving law enforcement agencies from the US, Europe, and Canada, aimed at dismantling cybercriminal networks. The indictment specifies that Gallyamov's cyber operations escalated from 2019, with Qakbot infiltrating thousands of systems to establish an extensive botnet. These compromised systems were then handed over to ransomware operators.

In August 2023, a US-led multinational task force successfully disrupted the Qakbot network, seizing crypto assets including 170 BTC and millions in stablecoins like USDT and USDC. Despite this takedown, the DOJ alleges that Gallyamov and his associates continued to target victims, adapting their methods. The recent complaint details how Gallyamov shifted tactics post-2023, employing "spam bomb" techniques to deceive employees into providing access to internal systems, enabling continued ransomware deployment into 2025. These attacks purportedly involved Black Basta and Cactus ransomware targeting US victims.

On April 25, 2025, the FBI executed another seizure, recovering over 30 BTC and more than $700,000 in stablecoins as part of the ongoing investigation. The DOJ’s civil forfeiture complaint seeks to formalize the seizure of the illicit crypto proceeds, intending to return the funds to victims. This effort is part of a coordinated global campaign involving the FBI’s Los Angeles and Milwaukee field offices, Europol, and cybersecurity divisions from France, Germany, the Netherlands, and other nations. The DOJ credited this collaboration for enabling quick identification and disruption of Gallyamov’s operations.

Assistant US Attorneys from the Central District of California and officials from the DOJ’s Computer Crime and Intellectual Property Section are leading the prosecution. DOJ and FBI officials have reaffirmed their commitment to dismantling global cybercrime infrastructure, utilizing indictments, forfeiture actions, and international cooperation to hold perpetrators accountable and compensate victims. US Attorney Bill Essayli emphasized the commitment to seizing ill-gotten assets to compensate victims.

From Zeal News Studio