The US Department of Justice (DOJ) has filed a civil forfeiture case seeking to take approximately $24 million in bitcoin assets belonging to Rustam Rafailevich Gallyamov, a Russian national suspected of spearheading the creation and distribution of the Qakbot virus.
In a press statement released on May 22, the DOJ said that Gallyamov played a key role in distributing Qakbot as part of a larger criminal operation that infected systems worldwide and facilitated ransomware operations.
Malware deployment and global ransomware attacks
According to federal authorities, Gallyamov, who lives in Moscow, ran the botnet infrastructure that powered Qakbot, a complex piece of malware that was originally launched in 2008. The malware was used to infect computers and then grant access to co-conspirators who ran ransomware campaigns using variants including REvil, Conti, Black Basta, and Cactus.
In exchange, Gallyamov apparently received a portion of the ransom payments. The Department of Justice stressed that this seizure is part of a larger multinational campaign to disrupt cybercriminal networks that includes law enforcement agencies from the United States, Europe, and Canada.
According to the DOJ’s indictment, Gallyamov’s activity intensified beginning in 2019, when Qakbot was used to breach hundreds of computers and build an extensive botnet. Once compromised, these computers were turned over to ransomware operators.
In August 2023, a US-led global task force disrupted the Qakbot network and confiscated numerous crypto assets associated with the scam, including 170 BTC and millions in stablecoins such as USDT and USDC. Despite the takedown, the DOJ claims that Gallyamov and his associates continued to pursue victims using different tactics.
The current DOJ lawsuit describes how the accused changed methods after the 2023 disruption, including using “spam bomb” techniques to deceive employees into granting access to internal systems. Prosecutors claim that this updated methodology enabled ransomware deployment to continue long beyond 2025.
The attacks apparently used Black Basta and Cactus ransomware to target victims in the United States. As part of the ongoing investigation, the FBI conducted another seizure on April 25, 2025, recovering over 30 BTC and more than $700,000 in stablecoins.
International coordination and recovery efforts by the Department of Justice
The DOJ’s civil forfeiture action seeks to legitimize the seizure of more than $24 million in unlawful cryptocurrency revenues, with the goal of returning the funds to victims. The effort is part of a global campaign involving the FBI’s Los Angeles and Milwaukee field offices, Europol, and cybersecurity units from France, Germany, the Netherlands, and other nations.
The DOJ credited this coordination with enabling the rapid discovery and disruption of Gallyamov’s operations. The prosecution is led by Assistant United States Attorneys from the Central District of California and officers from the Department of Justice’s Computer Crime and Intellectual Property Section.
In public statements, DOJ and FBI officials reaffirmed their commitment to dismantling global cybercrime infrastructure and using all available legal instruments, including indictments, forfeiture actions, and international law enforcement cooperation, to hold offenders responsible and compensate victims. Bill Essayli, US Attorney for the Central District of California, said:
“The forfeiture case against more than $24 million in virtual assets exemplifies the Justice Department’s dedication to taking ill-gotten wealth from criminals in order to recompense victims.”
