Massive Cybercrime Crackdown – $24M Seized


Federal prosecutors have charged Russian cybercriminal Rustam Gallyamov with masterminding a $24 million global extortion scheme through the infamous Qakbot malware, while he remains safely beyond U.S. reach in Russia.

Key Takeaways

  • Russian national Rustam Gallyamov faces up to 25 years in prison for allegedly leading the Qakbot malware operation since 2008, infecting over 700,000 computers worldwide.
  • Federal authorities have seized over $24 million in cryptocurrency from Gallyamov’s operation, which will be used for victim restitution.
  • Gallyamov provided access to compromised networks to ransomware gangs for a share of extortion payments targeting businesses across healthcare, music, and insurance sectors.
  • Despite a multinational operation dismantling the Qakbot botnet in 2023, Gallyamov allegedly continued deploying alternative methods for distributing malware.
  • The suspect remains at large in Russia, highlighting ongoing challenges in bringing international cybercriminals to justice.

Massive Cybercrime Operation Uncovered

The U.S. Department of Justice has unsealed charges against 48-year-old Russian national Rustam Gallyamov for orchestrating one of the most damaging malware operations in recent history. Gallyamov faces charges of conspiracy to commit computer fraud and abuse, along with conspiracy to commit wire fraud. The indictment alleges he developed and controlled the Qakbot malware since 2008, using it to create a vast botnet of infected computers across the globe. The sophisticated operation targeted critical infrastructure and businesses, demonstrating once again how foreign actors exploit American vulnerabilities while operating beyond our borders.

The scale of Gallyamov’s operation is staggering. According to federal prosecutors, Qakbot infected more than 700,000 computers worldwide, approximately 200,000 of them in the United States. His tactics included so-called “spam bomb” attacks that tricked employees into granting system access. Once inside a network, Gallyamov allegedly partnered with various ransomware groups, including ProLock, DoppelPaymer, and Egregor, providing them access to compromised systems in exchange for a percentage of the ransom payments collected from victims.

Millions Seized as Justice Department Takes Action

In a significant countermove against this cybercriminal enterprise, the Justice Department has filed a civil forfeiture complaint against more than $24 million in cryptocurrency seized from Gallyamov’s operation. The seizure includes over 170 bitcoin and more than $4 million in various cryptocurrency tokens confiscated in August 2023. This represents one of the largest cryptocurrency seizures in a cybercrime case, highlighting both the lucrative nature of these criminal enterprises and the government’s increasing capability to track and seize digital assets.

“The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals. The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims,” said U.S. Attorney Bill Essayli for the Central District of California.

Targeting American Businesses

The indictment details how Gallyamov’s operation specifically targeted American businesses across multiple sectors. Victims included a dental clinic in Los Angeles, a music company in Tennessee, and an insurance company in Maryland. Once systems were compromised, Gallyamov and his co-conspirators would demand ransom payments to restore access to computers and prevent the release of sensitive data. This pattern of targeting essential American services demonstrates the strategic nature of these attacks against our economy and infrastructure.

“Mr. Gallyamov’s bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Akil Davis, assistant director in charge at the FBI’s Los Angeles Field Office.

Despite the successful disruption of the Qakbot botnet in a U.S.-led multinational operation last year, which resulted in the seizure of an additional $8.6 million in cryptocurrency, Gallyamov reportedly continued his criminal activities using alternative distribution methods. This persistence highlights the ongoing challenge law enforcement faces in permanently shutting down these operations, especially when perpetrators operate from countries like Russia that rarely extradite cybercriminals to face American justice.

Justice Delayed by Russian Protection

While the charges against Gallyamov carry a potential 25-year federal prison sentence if convicted, the reality remains that he is believed to be in Russia and is not currently in custody. This case exemplifies the ongoing challenge of bringing international cybercriminals to justice when they operate from countries that provide safe haven from American law enforcement. The Russian government has a long history of refusing to cooperate with U.S. authorities on cybercrime cases, particularly when the victims are American institutions.

The investigation was led by the FBI’s Los Angeles Field Office with international collaboration, demonstrating that despite these challenges, American law enforcement continues to build cases against these actors. Even if immediate arrest isn’t possible, the charges and asset seizures create significant limitations for these criminals, restricting their travel and financial activities while setting the stage for eventual prosecution should they ever leave their protective havens.