U.S. Indicts Russian Leader of Qakbot Gang

A Russian citizen has been indicted in the United States for leading the cybercrime group behind the notorious Qakbot malware and botnet. 

The individual, Rustam Rafailevich Gallyamov, 48, is accused of developing, deploying, and controlling the Qakbot malware since 2008. 

Known by other names such as Pinkslipbot and QBot, Qakbot was spread through spam campaigns, hijacked email threads, and by exploiting known vulnerabilities in internet-facing systems. 

According to a newly unsealed indictment, starting in 2019, the group led by Gallyamov infected hundreds of thousands of computers across the globe, turning them into part of a botnet. 

Victims included organizations in sectors such as healthcare, insurance, manufacturing, marketing, music, real estate, technology, and telecommunications within the United States. 

Gallyamov and his associates are alleged to have sold access to the Qakbot-infected systems to other cybercriminals, who then deployed ransomware families such as Black Basta, Cactus, Conti, Doppelpaymer, Egregor, Name Locker, Prolock, and REvil.

Gallyamov is also accused of personally infecting some victims with the Black Basta and Cactus ransomware variants. 

“Ransomware victims were then extorted by defendant Gallyamov and his co-conspirators to pay ransoms in order to regain access to or prevent the release of their private data. Gallyamov and his associates received a share of any ransom payments,” the indictment states. 

In August 2023, law enforcement agencies from multiple countries dismantled Qakbot’s infrastructure, effectively disrupting the botnet and seizing millions of dollars in cryptocurrency. Despite this, the group was later seen continuing its deployment of ransomware and malware. 

As of May 2025, according to the indictment, Gallyamov remains active in cybercrime, continuing to engage in hacking, malware deployment, data theft, and extortion. He is now reportedly using ‘spam bombing’ tactics instead of relying on a botnet. 

A civil forfeiture complaint filed by the Department of Justice reveals that, on April 25, 2025, authorities seized an additional $4 million in cryptocurrency from Gallyamov through a court-approved warrant. In total, the United States estimates that more than $24 million in illicit proceeds have been confiscated. 

These actions are part of Operation Endgame, an international law enforcement initiative aimed at disrupting cybercrime networks. This week, the operation also resulted in the takedown of the DanaBot and Lumma Stealer malware platforms. 
