The US Department of Justice (DOJ) has filed a civil forfeiture complaint to seize over $24 million in cryptocurrency assets tied to Rustam Rafailevich Gallyamov, a Russian national accused of leading the development and distribution of the Qakbot malware.
According to a press release issued on May 22, the DOJ alleges Gallyamov played a central role in deploying Qakbot as part of a broader cybercrime operation that infected computers globally and enabled ransomware attacks.
From Malware Deployment to Global Ransomware Attacks
Federal prosecutors claim that Gallyamov, who resides in Moscow, operated the botnet infrastructure behind Qakbot, a sophisticated piece of malware first deployed in 2008. The malware was used to compromise computers and then provide access to co-conspirators, who executed ransomware campaigns using variants such as REvil, Conti, Black Basta, and Cactus.
In return, Gallyamov reportedly received a share of the ransom proceeds. The DOJ emphasized that this seizure reflects a continued international effort involving law enforcement agencies from the US, Europe, and Canada to disrupt cybercriminal networks.
According to the DOJ’s indictment, Gallyamov’s cyber operations intensified from 2019 onwards, as Qakbot was used to infiltrate thousands of systems and build an expansive botnet. Once compromised, these systems were handed off to ransomware operators.
In August 2023, a US-led multinational task force successfully disrupted the Qakbot network and seized various crypto assets tied to the scheme, including 170 BTC and millions in stablecoins such as USDT and USDC. Despite that takedown, the DOJ alleges that Gallyamov and his partners continued targeting victims using alternative methods.
The latest DOJ complaint details how the accused shifted tactics following the 2023 disruption, including employing “spam bomb” techniques that tricked employees into opening access to internal systems. Prosecutors assert that this newer approach allowed ransomware deployment to continue well into 2025.
These attacks reportedly included the use of Black Basta and Cactus ransomware to target victims in the United States. As part of the ongoing investigation, the FBI executed another seizure on April 25, 2025, retrieving over 30 BTC and more than $700,000 in stablecoins.
DOJ’s International Coordination and Recovery Efforts
The DOJ’s civil forfeiture complaint aims to formalize the seizure of over $24 million in illicit crypto proceeds, with the intent of returning those funds to victims. This effort underscores a coordinated global campaign involving the FBI’s Los Angeles and Milwaukee field offices, Europol, and cybersecurity divisions from France, Germany, the Netherlands, and other countries.
The DOJ credited this collaboration for enabling swift identification and disruption of Gallyamov’s operations. Assistant US Attorneys from the Central District of California and officials from the DOJ’s Computer Crime and Intellectual Property Section are leading the prosecution.
In public remarks, DOJ and FBI officials reiterated their commitment to dismantling global cybercrime infrastructure and using all available legal tools including indictments, forfeiture actions, and international law enforcement cooperation to hold perpetrators accountable and compensate victims. US Attorney Bill Essayli for the Central District of California said:
The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.
Featured image created with DALL-E, Chart from TradingView
Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
