
Russian cybercriminal masterminds a $24 million malware scheme targeting American businesses while hiding beyond the reach of U.S. law enforcement in Russia.
Key Takeaways
- Russian national Rustam Gallyamov faces federal charges for allegedly developing and deploying the Qakbot malware that infected over 700,000 computers worldwide
- Federal authorities have seized over $24 million in cryptocurrency connected to the scheme, which they plan to redistribute to victims
- Gallyamov provided malware access to ransomware groups targeting American businesses, including a dental clinic in Los Angeles, a music company in Tennessee, and an insurance company in Maryland
- Despite a 2023 multinational operation that disrupted the Qakbot botnet, Gallyamov allegedly continued deploying alternative methods for malware distribution
- If convicted, Gallyamov faces up to 25 years in federal prison, though he remains at large in Russia
Russian Cyber Criminal Charged in Massive Global Malware Operation
Federal prosecutors in Los Angeles have unveiled charges against Russian national Rustam Gallyamov, 48, for allegedly masterminding “one of the world’s most damaging malware operations.” According to the Department of Justice, Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008, using it to build a massive botnet of infected computers. The enterprise targeted American businesses and institutions, stealing sensitive data and handing access to ransomware operators who locked victims out of their systems until they paid substantial sums in cryptocurrency.
The indictment charges Gallyamov with conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud. The charges carry a maximum sentence of 25 years in federal prison, but the defendant remains beyond the reach of American law enforcement and is believed to be living in Russia. This case highlights President Trump’s ongoing concerns about foreign actors targeting American businesses and infrastructure while operating from countries that refuse to cooperate with U.S. extradition requests.
Sophisticated Criminal Enterprise Targeted American Businesses
According to federal authorities, Gallyamov’s operation was remarkably sophisticated and far-reaching. The Qakbot malware infected over 700,000 computers worldwide, including approximately 200,000 in the United States. Victims spanned various industries and included a dental clinic in Los Angeles, a music company in Tennessee, and an insurance company in Maryland. The criminal enterprise used “spam bomb” attacks, flooding employees’ inboxes with unwanted mail as a pretext for tricking them into granting system access, a reminder that ordinary businesses, not only high-profile targets, are exposed to foreign cyber threats.
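The article does not describe how a spam bomb is detected, so the following is an added example, not code from the article or from the investigation it reports on. It flags the mailbox-flooding precursor: a single recipient receiving an abnormal burst of messages from many distinct sender domains inside a short window, which is the signal a mail gateway sees before the “please let us fix your inbox” follow-up lands. The log format (`<ISO timestamp> from=<addr> to=<addr>`), the thresholds, and the sample lines are all constructed for the example and are not any real gateway’s output.

```python
"""Flag mailbox-flooding ("spam bomb") bursts in mail-gateway logs.

Added example with a hypothetical log format; thresholds are illustrative
and would be tuned to a real environment's baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical gateway line: "<ISO timestamp> from=<sender> to=<recipient>"
LINE_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>$")


def parse_line(line):
    """Return (timestamp, sender_domain, recipient) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    sender_domain = m["sender"].rsplit("@", 1)[-1].lower()
    return ts, sender_domain, m["rcpt"].lower()


def find_floods(lines, window=timedelta(minutes=10), min_msgs=30, min_domains=15):
    """Slide a time window over each recipient's inbound stream and flag the
    first window in which both the message count and the number of distinct
    sender domains reach their thresholds. Requiring many distinct domains is
    what separates a subscription bomb from one chatty legitimate sender."""
    events = sorted(e for e in (parse_line(l) for l in lines) if e)  # sorts by timestamp
    per_rcpt = defaultdict(deque)  # recipient -> (timestamp, sender_domain) inside window
    alerts = {}
    for ts, domain, rcpt in events:
        q = per_rcpt[rcpt]
        q.append((ts, domain))
        while q and ts - q[0][0] > window:   # drop events that aged out of the window
            q.popleft()
        if rcpt in alerts:
            continue                          # one alert per recipient is enough
        domains = {d for _, d in q}
        if len(q) >= min_msgs and len(domains) >= min_domains:
            alerts[rcpt] = {
                "first_seen": q[0][0],
                "messages": len(q),
                "sender_domains": len(domains),
            }
    return alerts


def build_sample_log():
    """Constructed sample, not real traffic: 40 'subscription confirmations' from
    40 different domains hit j.doe within four minutes, while a.smith receives
    three ordinary messages from two partner domains."""
    base = datetime(2025, 5, 22, 9, 0, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} from=<noreply@shop{i:02d}.example> to=<j.doe@corp.example>")
    for i, dom in enumerate(("partner.example", "bank.example", "partner.example")):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} from=<alice@{dom}> to=<a.smith@corp.example>")
    return lines


if __name__ == "__main__":
    for rcpt, info in find_floods(build_sample_log()).items():
        print(f"spam-bomb suspected for {rcpt}: {info['messages']} messages from "
              f"{info['sender_domains']} domains since {info['first_seen'].isoformat()}")
```

In practice the alert is most useful when it is correlated with what follows: a help-desk ticket, an inbound call, or a remote-support session for the same user minutes after the burst is the pattern worth paging on, not the flood alone.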
“The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals,” said U.S. Attorney Bill Essayli for the Central District of California. “The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
Gallyamov’s business model was that of an initial access broker: he provided access to compromised computer systems to co-conspirators, who then installed ransomware such as ProLock, DoppelPaymer, and Egregor. These partners demanded ransom payments from victims to restore access to their systems and to prevent the release of stolen data. In exchange for the initial access, Gallyamov allegedly received a portion of every ransom payment collected, creating a criminal marketplace for digital extortion.
U.S. Law Enforcement Fights Back Against Foreign Cyber Threats
In August 2023, a U.S.-led multinational operation successfully disrupted the Qakbot botnet, seizing $8.6 million in cryptocurrency in the process. Despite this significant setback to his operation, Gallyamov allegedly continued his criminal activities. The Justice Department has now filed a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov, including more than 170 bitcoin and $4 million in various cryptocurrency tokens. Federal authorities intend to redistribute these funds to victims of the scheme.
“Mr. Gallyamov’s bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Akil Davis, assistant director in charge at the FBI’s Los Angeles Field Office.
This case underscores the ongoing challenges faced by American law enforcement in combating foreign-based cybercrime. While the FBI and international partners have made significant progress in disrupting Gallyamov’s network and seizing millions in illegal proceeds, the primary suspect remains beyond the reach of U.S. justice. With Russia unlikely to extradite its citizen, this indictment serves primarily as a warning to other cybercriminals and a demonstration of the U.S. government’s ability to track and identify those responsible for attacks on American businesses and infrastructure.