
FBI Cracks Down on Russian Cybercrime Kingpin, Seizes $24M in Crypto in Operation Endgame



In a major blow to global cybercrime, the U.S. Department of Justice (DOJ) has indicted Russian national Rustam Rafailevich Gallyamov, a 48-year-old Moscow resident, accusing him of leading the Qakbot malware operation that infected more than 700,000 computers worldwide. As part of "Operation Endgame," an international law enforcement effort in which the FBI plays a central role, authorities seized more than $24 million in cryptocurrency linked to Gallyamov's activities, including 30 Bitcoin and $700,000 in USDT tokens. The takedown, made public on May 22, 2025, is a major milestone in the fight against ransomware attacks that have plagued businesses, healthcare organizations, and government networks worldwide.

The Qakbot Malware: An International Cyber Menace
For thousands of victims, the attack began with a locked screen, a flashing notice, and a ransom demand. From a small dental office in Los Angeles to a Wisconsin manufacturer and Canadian real estate companies, Gallyamov's Qakbot malware opened the door. First created in 2008, Qakbot evolved into a sophisticated tool for gaining initial access: it breached systems and handed them off to ransomware gangs such as Conti, REvil, Black Basta, and Cactus. Gallyamov allegedly provided access to infected devices so that his co-conspirators could deploy ransomware and extort millions, with Gallyamov taking a cut of the profits.

The malware spread widely, infecting more than 700,000 computers and costing victims tens of millions of dollars. In the 18 months before its 2023 disruption alone, Qakbot enabled at least 40 ransomware attacks that caused $58 million in damage. Victims ranged from small businesses to critical infrastructure, underscoring how indiscriminate these attacks are.

Operation Endgame: A Global Effort
The indictment and seizures are part of Operation Endgame, a joint international operation involving the FBI, Europol, and law enforcement agencies in France, Germany, the Netherlands, the United Kingdom, Denmark, and Canada. The operation, which began in May 2024, targets the infrastructure behind ransomware groups, including malware families such as Qakbot, Bumblebee, and TrickBot. In its most recent phase, authorities took down 300 servers, neutralized 650 domains, and seized over €3.5 million in cryptocurrency, bringing the total seized under Operation Endgame to more than €21.2 million.

The FBI's Los Angeles and Milwaukee field offices, working with international partners including Germany's Bundeskriminalamt and France's Anti-Cybercrime Office, tracked Gallyamov's operations. A seizure warrant executed on April 25, 2025, netted 30 Bitcoin and $700,000 in USDT, and a civil forfeiture complaint filed in the Central District of California seeks to permanently forfeit more than $24 million in crypto assets so that they can be returned to victims.

A Persistent Threat, Evolving Tactics
Gallyamov's operation was first disrupted in August 2023, when a U.S.-led task force seized 52 servers and more than $8.6 million in cryptocurrency, including 170 Bitcoin. At the time, U.S. Attorney Martin Estrada called it "the most significant technological and financial operation ever led by the DOJ against a botnet." Gallyamov, however, proved resilient. By January 2025, he and his co-conspirators had changed tactics, turning to "spam bomb" attacks that flood a victim's mailbox with junk messages and then lure employees into granting the attackers access to the network.

This adaptability shows how hard fighting cybercrime is. Even after the 2023 takedown, Gallyamov continued coordinating attacks against a range of organizations. The DOJ's latest actions aim not only to dismantle his network but to send a message to cybercriminals worldwide. "We are committed to holding cybercriminals accountable," said Matthew Galeotti, chief of the DOJ's Criminal Division. "We will employ every available legal tool to find you, prosecute you, and seize your ill-gotten proceeds."

The Larger Picture: Ransomware and Crypto
Ransomware has become a growing threat, with Russian-speaking cybercriminals leading the way. A 2024 TRM Labs report found that Russian-speaking actors accounted for 69% of all cryptocurrency proceeds from ransomware in 2023, roughly $500 million. Cryptocurrencies such as Bitcoin and stablecoins such as USDT have become the extortionists' payment medium of choice because they are easy to move across borders and appear anonymous. In practice, public blockchains are pseudonymous rather than anonymous: every transaction is permanently recorded, and a stablecoin issuer such as Tether can freeze USDT at law enforcement's request. As this case shows, investigators are increasingly adept at following those transactions through blockchain analysis.

Asset forfeiture is central to the DOJ's strategy. By seizing illicit ransomware proceeds and returning them to victims, the government hopes to undercut the financial incentives behind the attacks. The tactic has worked before: in 2021 the DOJ recovered $2.3 million in Bitcoin paid to the DarkSide gang behind the Colonial Pipeline attack, and in 2022 it recovered about $500,000 extorted by North Korean hackers from U.S. healthcare providers.

Challenges Ahead
Although the indictment of Gallyamov is a success, challenges remain. He is believed to be in Russia, which has no extradition treaty with the U.S., so his arrest is unlikely unless he travels abroad. That ransomware groups keep operating despite major disruptions shows the need for sustained international cooperation and investment in cybersecurity.

Operation Endgame's success demonstrates the strength of international cooperation, but cybercriminals adapt continuously. As Assistant Director Akil Davis of the FBI's Los Angeles Field Office put it, "Gallyamov's botnet was brought to its knees in 2023, but he boldly persisted." Staying ahead of such threats will take vigilance, creativity, and a commitment to bringing perpetrators to justice.

A Step Toward Justice
The seizure of $24 million in cryptocurrency and the indictment of Rustam Gallyamov mark a major victory in the fight against ransomware. For victims, from small businesses to critical infrastructure operators, the recovered funds hold out the promise of restitution. For the international cybersecurity community, Operation Endgame is a reminder that no hacker is untouchable when countries cooperate.

As the DOJ and its allies dismantle cybercrime syndicates, the message is clear: the era of acting with impunity in the dark corners of the web is ending. For now, the priority is returning the seized money to victims and holding cybercriminals accountable for what they did.
