Skip to main content

FBI Cracks Down on Russian Cybercrime Kingpin, Seizes $24M in Crypto in Operation Endgame



In a major blow to global cybercrime, the U.S. Department of Justice (DOJ) has indicted Russian national Rustam Rafailevich Gallyamov, a 48-year-old Moscow resident accused of masterminding the Qakbot malware operation that infected over 700,000 computers worldwide. As part of the FBI’s “Operation Endgame,” authorities seized more than $24 million in cryptocurrency, including 30 Bitcoins and $700,000 in USDT tokens, linked to Gallyamov’s illicit activities. This takedown, made public on May 22, 2025, is a major milestone in the battle against ransomware attacks that have tormented businesses, healthcare organizations, and government networks worldwide.

The Qakbot Malware: An International Cyber Menace
For thousands of victims, the terror started with a locked-up screen, a flashing notice, and a ransom demand. From Los Angeles' small dental offices to Wisconsin manufacturers and Canadian real estate companies, the Qakbot malware of Gallyamov did the damage. Initially created in 2008, Qakbot developed into a sophisticated program that breached systems and supported ransomware attacks by notorious gangs such as Conti, REvil, Black Basta, and Cactus. Gallyamov allegedly provided access to infected devices, allowing his co-conspirators to deploy ransomware and extort millions, with Gallyamov taking a cut of the profits.

The malware spread broadly, infecting more than 700,000 computers at a cost to victims of tens of millions. During the 18 months prior to a 2023 disruption, Qakbot enabled at least 40 ransomware attacks, causing $58 million in damage. Victims included small businesses and critical infrastructure, demonstrating the indiscriminate nature of these cyberattacks.

Operation Endgame: A Global Effort
The indictment and seizures are a component of Operation Endgame, a joint international operation with the FBI, Europol, and French, German, Dutch, British, Danish, and Canadian law enforcement bodies. The operation, which commenced in May 2024, aims at the infrastructure underpinning ransomware groups, including malware such as Qakbot, Bumblebee, and TrickBot. In its final phase, authorities dismantled 300 servers, knocked out 650 domains, and took over €3.5 million in cryptocurrency, for a total seized under Operation Endgame of more than €21.2 million.

The FBI’s Los Angeles and Milwaukee field offices, alongside international partners like Germany’s Bundeskriminalamt and France’s Anti-Cybercrime Office, played a key role in tracking Gallyamov’s operations. A seizure warrant executed on April 25, 2025, netted 30 Bitcoins and $700,000 in USDT, while a civil forfeiture complaint filed in California’s Central District aims to permanently claim over $24 million in crypto assets to compensate victims.

A Persistent Threat, Evolving Tactics
Gallyamov's operation was initially disrupted in August 2023, when a U.S.-led task force had seized 52 servers and more than $8.6 million in cryptocurrency, including 170 Bitcoins. During that time, U.S. Attorney Martin Estrada described it as "the most significant technological and financial operation ever led by the DOJ against a botnet." However, Gallyamov was resilient. By January 2025, he and his colleagues had changed their strategy, employing "spam bomb" attacks—overwhelming victims' mailboxes with malicious messages to lure employees into granting network access.

This flexibility highlights the difficulty in fighting cybercrime. Even after the 2023 shutdown, Gallyamov went on to coordinate attacks, which were aimed at a variety of organizations. The DOJ's recent actions seek not just to dismantle his network but to send a message to cybercriminals across the globe. "We are committed to holding cybercriminals accountable," said Matthew Galeotti, chief of the DOJ's criminal division. "We will employ every available legal tool to find you, prosecute you, and seize your ill-gotten proceeds."

The Larger Picture: Ransomware and Crypto
Ransomware has emerged as an increasing threat with Russian-speaking cybercriminals leading the charge. A 2024 TRM Labs report disclosed that Russian-speaking actors control 69% of all cryptocurrency proceeds from ransomware in 2023, amounting to $500 million. Cryptocurrencies such as Bitcoin and stablecoins such as USDT have emerged as the hackers' payment medium of choice owing to their anonymity and ease of transfer. But as in this case, law enforcement is becoming more adept at following these transactions through blockchain analysis.

The DOJ's asset forfeiture emphasis is a central strategy. By taking ransomware illicit crypto and returning it to victims, the government hopes to break the financial incentives fueling the attacks. This tactic has worked before, including the 2021 Bitcoin seizure of $2.3 million from the DarkSide gang behind the Colonial Pipeline attack and the 2022 recovery of $500,000 from North Korean hackers targeting U.S. healthcare providers.

Challenges Ahead
Although the indictment of Gallyamov is a success, there are challenges. He is thought to be in Russia, which has no extradition treaty with the U.S., so his arrest is unlikely unless he does travel outside the country. The fact that ransomware groups continue to operate despite significant disruptions indicates the necessity for continued international cooperation and investment in cybersecurity.
Operation Endgame's success demonstrates the strength of international cooperation, but cybercrooks adapt continuously. As Assistant Director Akil Davis of the Los Angeles Field Office of the FBI explained, "Gallyamov's bot net was brought to its knees in 2023, but he boldly persisted." To stay ahead of such threats, vigilance, creativity, and commitment to bringing perpetrators to justice will be needed.

A Step Toward Justice
The capture of $24 million in cryptocurrency and the indictment of Rustam Gallyamov represent a major victory in the battle against ransomware. For the victims, from small business to critical infrastructure, the recovery of these funds represents the promise of restitution. For the international cybersecurity community, Operation Endgame is a reminder that no hacker is untouchable when countries cooperate.

As the DOJ and its allies are dismantling cybercrime syndicates, there is one message: the era of being able to act with impunity in the dark recesses of the web is coming to an end. At least for the time being, the priority is to return the seized money to the victims and hold cybercrooks accountable for what they did.

Comments

Popular posts from this blog

Severe Damage but Not Irreversible’: Decoding Satellite Images of U.S. Strikes on Iranian Nuclear Sites

  With the dust having yet to settle on the U.S. bombing campaign that hit Iran's nuclear facilities on June 22, 2025, satellite imagery has proven to be the indispensable tool for unraveling the truth behind the devastation. The mission, dubbed Operation Midnight Hammer, was a mass deployment of B-2 stealth bombers and Tomahawk cruise missiles on the Fordow, Natanz, and Isfahan sites—important pillars of Iran's uranium enrichment program. President Donald Trump called the raids a complete success, claiming they "obliterated" Iran's nuclear program. However, a closer inspection of satellite imagery, combined with expert opinion and alternative reports, undermines the validity of the damage reportedly done, whether it can be fixed, and the official pronouncements. The Strike Targets: A Strategic Overview The American attacks hit three extremely well-protected nuclear sites, each of which was designed to withstand significant attacks. Fordow, hidden in a mountain, i...

U.S. Strikes on Iranian Nuclear Sites: Unraveling the Impact of Operation Midnight Hammer

  On June 22, 2025, the United States launched a stunning military assault, code-named Operation Midnight Hammer, against Iran's nuclear facilities at Fordow, Natanz, and Isfahan. It was a biting switch in the Israel-Iran war, pushing the U.S. into direct confrontation after weeks of growing tensions. President Donald Trump confidently declared the attacks a total success, asserting that they "obliterated" Iran's nuclear program and dealt a devastating blow to Tehran's plans. But as satellite imagery and early intelligence reports arrive, the more sobering picture reveals widespread but reversible damage, possibly delaying Iran's program by several months at most, not destroying it entirely. With Iran deeming "badly damaged" targets and hinting at preemptive evacuations, and global leaders cautioning against danger of escalation, the real impact of this operation remains a subject of close scrutiny and debate.  The Operation: A Military Success with ...

FDA Shifts COVID Vaccine Policy: Annual Shots Restricted, New Rules for Children and Novavax Rollout

In a dramatic shift that is a clear departure from previous public health recommendations, the U.S. Food and Drug Administration (FDA) has significantly altered its strategy on COVID-19 vaccination policy. The agency now limits annual COVID vaccination only to targeted at-risk groups, while placing new clinical trial burdens on younger groups—especially children. This adjustment, in contrast to the prior guidelines from the Centers for Disease Control and Prevention (CDC), takes into account rising uncertainties about the effectiveness of vaccines, long-term safety data, and the ever-evolving threat profile of COVID-19. The FDA decision also has a controversial green light for the Novavax vaccine but with conditions of unprecedented magnitude over its release. Experts insist that the policy shift foretells a significant change in the government's pandemic-era public health policy—albeit one with sweeping consequences for how Americans engage with COVID prevention in the future. ...