US indicts leader of Qakbot botnet linked to ransomware attacks

The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
As per court documents, Gallyamov started to develop Qakbot (also known as Qbot and Pinkslipbot) in 2008 and deployed it to create a network of thousands of infected computers.
Over time, a team of developers was formed around Qakbot but the indictment notes that other malware was also created under Gallyamov’s leadership.
For about a decade, Gallyamov used Qakbot as a banking trojan with worm capabilities, malware dropper, or backdoor that could also record keystrokes.
Starting in 2019, Qakbot became the initial infection vector in many ransomware attacks from infamous gangs such as Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, Doppelpaymer, Black Basta, and Cactus.
For providing initial access, Gallyamov allegedly received a portion of the ransom paid by the victims. The payment varied based on an arrangement with each ransomware group.
Over $24 million seized in digital assets
According to the indictment, Qakbot infections led to hundreds of ransomware victims across the globe. The list includes private companies, healthcare providers, and government agencies.
The compromises caused hundreds of millions of dollars in damage. In just 18 months, financial damages exceeded $58 million.
In 2023, the Qakbot botnet was dismantled by the FBI, after hacking parts of its infrastructure and taking control of one computer used by a Qakbot administrator.
Despite this, Gallyamov continued malicious operations and “orchestrated spam bomb attacks against victims in the United States as recently as January 2025.”
Earlier today, the Justice Department filed a forfeiture complaint against more than $24 million in cryptocurrency seized from Gallyamov during the investigation.
Last month, the FBI seized more illegal assets – 30 bitcoins and $700,000 in USDT tokens, worth more than $4 million at today’s exchange rate.
Law enforcement actions were taken in conjunction with Operation Endgame, an international effort that led to seizing more than 100 servers used by multiple botnets and malware loaders (e.g. IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC).