How STRIKE Helped Identify Qakbot’s Alleged Operator and Support a $24M Asset Seizure

SecurityScorecard’s STRIKE team supported U.S. law enforcement in an investigation into Qakbot, a malware platform linked to some of the most widespread ransomware activity in recent history.

On May 22, 2025, the Department of Justice unsealed an indictment against Russian national Rustam Rafailevich Gallyamov, who is accused of operating Qakbot and enabling access for ransomware groups. The DOJ also filed a civil forfeiture complaint to recover more than $24 million in cryptocurrency linked to the operation.

STRIKE’s Role in Supporting Identification

SecurityScorecard’s STRIKE team contributed to the long-term investigation through infrastructure tracking and technical intelligence. As Qakbot evolved, analysts monitored infrastructure shifts and conducted intelligence analysis of TTPs.

A STRIKE member reported, “Qakbot remained active for years because the infrastructure and actors behind it were constantly shifting. STRIKE analysts were involved in tracking and identifying Qakbot and related activity that led to this indictment. This was a methodical process, not a single event. Organizations facing serious threats need partners who stay with them long after the headlines fade.”

The investigation was led by the FBI’s Los Angeles Field Office, with assistance from the FBI Milwaukee Field Office, Europol, Germany’s BKA, the Netherlands National Police, and the French Police Cybercrime Central Bureau. The DOJ’s Office of International Affairs also provided support.

The case is being prosecuted by Assistant U.S. Attorneys Khaldoun Shobaki and Lauren Restrepo of the Cyber and Intellectual Property Crimes Section, Senior Counsel Jessica Peck of the DOJ’s Computer Crime and Intellectual Property Section, and Assistant U.S. Attorney James Dochterman of the Asset Forfeiture and Recovery Section.

Qakbot’s Role in Ransomware Deployment

According to the indictment, Gallyamov began operating Qakbot in 2008. The malware was used to infect devices and create access points for several of the most notorious ransomware groups, including REvil, Conti, ProLock, Black Basta, Dopplepaymer, Cactus, Egregor, and Name Locker.

From 2019 forward, Qakbot became a common first-stage loader, delivered through phishing emails and malicious attachments. Once inside a network, it enabled lateral movement and gave attackers control over infected systems.

In August 2023, a U.S.-led takedown disrupted Qakbot infrastructure. Law enforcement seized over 170 Bitcoin and more than $4 million in stablecoins during that initial operation. The action was part of Operation Endgame, a coordinated effort involving law enforcement from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada.

Tactic Shift After Disruption

Following the 2023 disruption, Qakbot-linked actors changed tactics. Instead of rebuilding their original botnet, they moved to spam bomb campaigns. These campaigns used high-volume email bursts to overwhelm inboxes and bypass filters, allowing malware to reach targets.
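The spam-bomb pattern described above is visible at the mail gateway as a burst of messages to one recipient from many unrelated senders. The following detector is an added illustrative example, not SecurityScorecard or STRIKE tooling; the log line format, the window and threshold values, and the sample log it builds are all constructed assumptions.

```python
"""Spam-bomb burst detection over mail-gateway log lines (added example).

Assumed log format (constructed): "<ISO timestamp> to=<recipient> from=<sender>"
A spam bomb shows up as many messages to a single recipient in a short window,
typically from a large number of distinct senders (newsletter sign-ups, etc.).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line into (timestamp, recipient, sender)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["to"], fields["from"]


def detect_spam_bombs(log_text, window=timedelta(minutes=5),
                      threshold=20, min_senders=10):
    """Return {recipient: stats} for recipients that received >= threshold
    messages from >= min_senders distinct senders inside a sliding window.

    Thresholds are assumed defaults; tune them to the environment's baseline.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    windows = defaultdict(deque)   # recipient -> deque of (ts, sender) in window
    alerts = {}
    for ts, rcpt, sender in events:
        q = windows[rcpt]
        q.append((ts, sender))
        # Drop events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        senders = {s for _, s in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            # Overwrite so the alert reflects the largest burst state seen.
            alerts[rcpt] = {
                "count": len(q),
                "distinct_senders": len(senders),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
            }
    return alerts


def build_sample_log():
    """Constructed sample: one bombed inbox and one normal inbox."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    lines = []
    # Burst: 30 messages to alice in under 5 minutes from 30 distinct senders.
    for i in range(30):
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} to=alice@example.test from=list{i}@sub{i}.test")
    # Normal traffic: 5 messages to bob spread over an hour from 3 senders.
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()} to=bob@example.test from=colleague{i % 3}@example.test")
    return "\n".join(lines)


if __name__ == "__main__":
    for rcpt, stats in detect_spam_bombs(build_sample_log()).items():
        print(f"ALERT {rcpt}: {stats}")
```

The distinct-sender requirement is what separates a spam bomb from a legitimate high-volume sender such as a ticketing system; an alert on the recipient can then be correlated with any message that arrived during the burst and carried an attachment or link, which is the delivery the flood is meant to hide.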

The indictment says Gallyamov and his associates used these techniques as recently as January 2025. In April, federal authorities conducted a second seizure, recovering over 30 Bitcoin and approximately $700,000 in USDT.

What This Means for Cybercrime Disruption

This case represents a shift from infrastructure takedown to actor attribution. Gallyamov is not in custody. If convicted, he faces up to 25 years in federal prison. The DOJ intends to return the recovered assets to impacted victims.

Victim resources are available at:
https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources

To learn more about SecurityScorecard’s STRIKE intelligence and attribution work, or to explore partnership opportunities, contact our team directly. STRIKE works with public and private sector organizations to support high-impact, long-term threat actor investigations.

For media outreach, please contact [email protected]