Skip to main content

FBI Cracks Down on Russian Cybercrime Kingpin, Seizes $24M in Crypto in Operation Endgame



In a major blow to global cybercrime, the U.S. Department of Justice (DOJ) has indicted Russian national Rustam Rafailevich Gallyamov, a 48-year-old Moscow resident accused of masterminding the Qakbot malware operation that infected over 700,000 computers worldwide. As part of the FBI’s “Operation Endgame,” authorities seized more than $24 million in cryptocurrency, including 30 Bitcoins and $700,000 in USDT tokens, linked to Gallyamov’s illicit activities. This takedown, made public on May 22, 2025, is a major milestone in the battle against ransomware attacks that have tormented businesses, healthcare organizations, and government networks worldwide.

The Qakbot Malware: An International Cyber Menace
For thousands of victims, the terror started with a locked-up screen, a flashing notice, and a ransom demand. From Los Angeles' small dental offices to Wisconsin manufacturers and Canadian real estate companies, the Qakbot malware of Gallyamov did the damage. Initially created in 2008, Qakbot developed into a sophisticated program that breached systems and supported ransomware attacks by notorious gangs such as Conti, REvil, Black Basta, and Cactus. Gallyamov allegedly provided access to infected devices, allowing his co-conspirators to deploy ransomware and extort millions, with Gallyamov taking a cut of the profits.

The malware spread broadly, infecting more than 700,000 computers at a cost to victims of tens of millions. During the 18 months prior to a 2023 disruption, Qakbot enabled at least 40 ransomware attacks, causing $58 million in damage. Victims included small businesses and critical infrastructure, demonstrating the indiscriminate nature of these cyberattacks.

Operation Endgame: A Global Effort
The indictment and seizures are a component of Operation Endgame, a joint international operation with the FBI, Europol, and French, German, Dutch, British, Danish, and Canadian law enforcement bodies. The operation, which commenced in May 2024, aims at the infrastructure underpinning ransomware groups, including malware such as Qakbot, Bumblebee, and TrickBot. In its final phase, authorities dismantled 300 servers, knocked out 650 domains, and took over €3.5 million in cryptocurrency, for a total seized under Operation Endgame of more than €21.2 million.

The FBI’s Los Angeles and Milwaukee field offices, alongside international partners like Germany’s Bundeskriminalamt and France’s Anti-Cybercrime Office, played a key role in tracking Gallyamov’s operations. A seizure warrant executed on April 25, 2025, netted 30 Bitcoins and $700,000 in USDT, while a civil forfeiture complaint filed in California’s Central District aims to permanently claim over $24 million in crypto assets to compensate victims.

A Persistent Threat, Evolving Tactics
Gallyamov's operation was initially disrupted in August 2023, when a U.S.-led task force had seized 52 servers and more than $8.6 million in cryptocurrency, including 170 Bitcoins. During that time, U.S. Attorney Martin Estrada described it as "the most significant technological and financial operation ever led by the DOJ against a botnet." However, Gallyamov was resilient. By January 2025, he and his colleagues had changed their strategy, employing "spam bomb" attacks—overwhelming victims' mailboxes with malicious messages to lure employees into granting network access.

This flexibility highlights the difficulty in fighting cybercrime. Even after the 2023 shutdown, Gallyamov went on to coordinate attacks, which were aimed at a variety of organizations. The DOJ's recent actions seek not just to dismantle his network but to send a message to cybercriminals across the globe. "We are committed to holding cybercriminals accountable," said Matthew Galeotti, chief of the DOJ's criminal division. "We will employ every available legal tool to find you, prosecute you, and seize your ill-gotten proceeds."

The Larger Picture: Ransomware and Crypto
Ransomware has emerged as an increasing threat with Russian-speaking cybercriminals leading the charge. A 2024 TRM Labs report disclosed that Russian-speaking actors control 69% of all cryptocurrency proceeds from ransomware in 2023, amounting to $500 million. Cryptocurrencies such as Bitcoin and stablecoins such as USDT have emerged as the hackers' payment medium of choice owing to their anonymity and ease of transfer. But as in this case, law enforcement is becoming more adept at following these transactions through blockchain analysis.

The DOJ's asset forfeiture emphasis is a central strategy. By taking ransomware illicit crypto and returning it to victims, the government hopes to break the financial incentives fueling the attacks. This tactic has worked before, including the 2021 Bitcoin seizure of $2.3 million from the DarkSide gang behind the Colonial Pipeline attack and the 2022 recovery of $500,000 from North Korean hackers targeting U.S. healthcare providers.

Challenges Ahead
Although the indictment of Gallyamov is a success, there are challenges. He is thought to be in Russia, which has no extradition treaty with the U.S., so his arrest is unlikely unless he does travel outside the country. The fact that ransomware groups continue to operate despite significant disruptions indicates the necessity for continued international cooperation and investment in cybersecurity.
Operation Endgame's success demonstrates the strength of international cooperation, but cybercrooks adapt continuously. As Assistant Director Akil Davis of the Los Angeles Field Office of the FBI explained, "Gallyamov's bot net was brought to its knees in 2023, but he boldly persisted." To stay ahead of such threats, vigilance, creativity, and commitment to bringing perpetrators to justice will be needed.

A Step Toward Justice
The capture of $24 million in cryptocurrency and the indictment of Rustam Gallyamov represent a major victory in the battle against ransomware. For the victims, from small business to critical infrastructure, the recovery of these funds represents the promise of restitution. For the international cybersecurity community, Operation Endgame is a reminder that no hacker is untouchable when countries cooperate.

As the DOJ and its allies are dismantling cybercrime syndicates, there is one message: the era of being able to act with impunity in the dark recesses of the web is coming to an end. At least for the time being, the priority is to return the seized money to the victims and hold cybercrooks accountable for what they did.

Comments

Popular posts from this blog

Israel’s “Operation Rising Lion”: A Bold Strike on Iran’s Nuclear and Military Infrastructure

  The Middle East witnessed on June 13, 2025, a sudden escalation of the age-old Iran-Israel war as Israel went all out with a grandiose military operation referred to as "Operation Rising Lion." The operation was aimed at Iran's military infrastructure and nuclear sites, one of the most audacious Israeli military endeavors ever. The attacks, which caused massive casualties and destruction, have caused shockwaves in the world and the region and raised speculations of a large-scale war. This article uncovers the truths about the operation, its goal, implication, and the geopolitics of delicacy which it has lit. The Scope of Operation Rising Lion Israel's attack was an extremely organized bombing designed to destroy Iran's nuclear program and exhaust the nation's military leadership. The Israeli Air Force used cutting-edge fighter aircraft, such as F-35 stealth planes, and allegedly precision-guided bombs to target strategic locations throughout Iran. The main t...

FDA Shifts COVID Vaccine Policy: Annual Shots Restricted, New Rules for Children and Novavax Rollout

In a dramatic shift that is a clear departure from previous public health recommendations, the U.S. Food and Drug Administration (FDA) has significantly altered its strategy on COVID-19 vaccination policy. The agency now limits annual COVID vaccination only to targeted at-risk groups, while placing new clinical trial burdens on younger groups—especially children. This adjustment, in contrast to the prior guidelines from the Centers for Disease Control and Prevention (CDC), takes into account rising uncertainties about the effectiveness of vaccines, long-term safety data, and the ever-evolving threat profile of COVID-19. The FDA decision also has a controversial green light for the Novavax vaccine but with conditions of unprecedented magnitude over its release. Experts insist that the policy shift foretells a significant change in the government's pandemic-era public health policy—albeit one with sweeping consequences for how Americans engage with COVID prevention in the future. ...

Trump’s Military Parade and the “No Kings” Protests: A Nation Divided on Display

  Washington, D.C. will host a grand military parade on June 14, 2025, to commemorate the 250th anniversary of the U.S. Army's founding, which also happens to be President Donald Trump's 79th birthday. The procession, featuring over 6,600 soldiers, 150 vehicles, 50 aircraft, and even a horse, a mule, and a dog, will be the biggest military celebration in the capital city since the 1991 Gulf War victory parade. But this demonstration of American military power is tainted by deepening national polarizations with thousands of demonstrators marching in nearly 2,000 towns and cities across the United States under the banner of the "No Kings" movement. These protests, fueled by opposition to Trump's policies—particularly his aggressive immigration enforcement and politically charged use of National Guard and U.S. Marines to Los Angeles—mark a contentious and polarized moment in American history. This article explores the context, controversies, and significance of this ...