Russian Qakbot Gang Leader Indicted in the U.S. for Global Cybercrime Operations


A Russian national has been indicted in the United States for his alleged leadership role in the development and operation of the notorious Qakbot malware and botnet, also known as Pinkslipbot or QBot.

Rustam Rafailevich Gallyamov, 48, is accused of overseeing the creation, deployment, and control of Qakbot since its inception in 2008, according to a newly unsealed indictment. Starting in 2019, Gallyamov and his co-conspirators reportedly used the malware to infect hundreds of thousands of computers globally, building a powerful botnet used for widespread cybercrime.

Qakbot was typically delivered through malicious spam campaigns, most effectively by injecting replies into hijacked legitimate email threads so that the lure arrived from a known correspondent, and through exploitation of known vulnerabilities in internet-facing systems. The botnet targeted a broad range of industries in the United States, including healthcare, insurance, manufacturing, technology, real estate, and telecommunications.

Ransomware Distribution and Extortion

According to the indictment, Gallyamov and his accomplices sold access to Qakbot-compromised systems to other cybercriminal groups, enabling them to deploy ransomware variants such as:

  • Black Basta
  • Cactus
  • Conti
  • Doppelpaymer
  • Egregor
  • Name Locker
  • Prolock
  • REvil

Gallyamov himself is alleged to have personally infected some victims with Black Basta and Cactus ransomware. These victims were then extorted to pay for the return or non-disclosure of their stolen data. According to the Justice Department, Gallyamov and his co-conspirators received a share of the ransom payments.

“Ransomware victims were then extorted by defendant Gallyamov and his coconspirators to pay ransoms to regain access to and/or prevent the dissemination of their private data,” the indictment states.

Disruption and Continued Activity

In August 2023, international law enforcement agencies took coordinated action (the FBI-led effort known as Operation Duck Hunt) to dismantle Qakbot’s infrastructure, seizing servers and millions of dollars in cryptocurrency. Despite the disruption, the group reportedly continued distributing malware and ransomware.

As of May 2025, Gallyamov is alleged to remain active in hacking, malware deployment, data theft, and extortion. He has reportedly shifted away from running a botnet and now relies on spam bombing (flooding a target’s mailbox with junk email as the opening move of a social-engineering intrusion) to breach organizations.

Financial Seizure and Operation Endgame

On April 25, 2025, U.S. authorities seized an additional $4 million in cryptocurrency linked to Gallyamov under a seizure warrant. The total value of illicit proceeds recovered is now estimated to exceed $24 million, according to a civil forfeiture complaint filed by the U.S. Department of Justice.

These enforcement actions are part of Operation Endgame, a multinational law enforcement initiative aimed at dismantling major cybercrime operations. This week, authorities also announced the takedown of other malware platforms including DanaBot and Lumma Stealer under the same operation.
