The U.S. Department of Justice has charged Russian national Rustam Rafailevich Gallyamov, 48, with leading one of the world’s most advanced malware operations. The scheme infected more than 700,000 computers worldwide and helped launch major ransomware attacks.
Gallyamov, based in Moscow, faces conspiracy charges related to the Qakbot malware, which he has allegedly helped develop and distribute since 2008. Prosecutors have also filed a civil complaint to seize over $24 million in cryptocurrency tied to the crimes.
How the Qakbot Malware Worked
Known online as “Cortes,” “Tomperz,” and “Chuck,” Gallyamov reportedly operated a large botnet, using command-and-control servers spread across three tiers of infrastructure to carry out malicious actions.
The Qakbot malware—also called QBot or Pinkslipbot—was a powerful banking trojan. It could steal credentials, move through networks, and deliver harmful payloads.
According to court documents, Qakbot used encryption and proxy protocols to hide its activity. It also hijacked Windows and browser functions to steal login details and inject fake web content. Other tools collected emails, cookies, and system data.
Authorities say Gallyamov ran a ransomware-as-a-service business, working with groups like Prolock, DoppelPaymer, REvil, Conti, and Black Basta. He earned shares of ransom payments, including over $300,000 from one attack on a Tennessee music company.
Victims included a dental office in Los Angeles, tech firms in Nebraska, manufacturers in Wisconsin, and real estate companies in Canada.
How the Group Hid and Moved Money
The group used complex cryptocurrency transactions and blockchain tools to hide the stolen money. The FBI disrupted the network in August 2023 during “Operation Duck Hunt,” seizing 52 servers and $8.6 million in cryptocurrency.
After that, Gallyamov reportedly switched to “spam bomb” attacks. These involved flooding inboxes with emails and then calling victims while pretending to be IT staff, tricking them into running harmful software. This method was used as recently as January 2025.
Global Law Enforcement Action
The investigation, known as Operation Endgame, involved agencies from the U.S., Germany, the Netherlands, France, and Europol. On April 25, 2025, agents seized even more assets, including over 30 bitcoins and $700,000 in USDT, bringing the total to more than $24 million.
U.S. Attorney Bill Essayli said the goal is to return the funds to victims. “This case shows our commitment to seizing criminal assets to help victims recover,” he said.
FBI Assistant Director Akil Davis noted that Gallyamov kept changing tactics even after a major disruption in 2023. “This case proves we will continue to pursue cybercriminals wherever they are,” he said.
The Qakbot case is seen as a major win in the fight against international cybercrime, especially as the stolen funds will go toward victim compensation.