
U.S. authorities have formally charged Rustam Gallyamov, identified as the mastermind behind the sprawling Qakbot botnet—a malicious infrastructure responsible for infecting over 700,000 computers worldwide and facilitating access for ransomware operations.
According to court documents, development of the Qakbot malware—also known as Qbot or Pinkslipbot—began as early as 2008. Initially, Gallyamov employed it as a self-propagating banking Trojan, equipped with keylogging capabilities, a downloader for additional malware, and a backdoor. Over time, a team of developers coalesced around the project, contributing to the creation of various other types of malicious software.
By 2019, Qakbot had become a primary infection vector for ransomware campaigns orchestrated by notorious groups such as Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, DoppelPaymer, Black Basta, and Cactus. In exchange for granting access to compromised systems, Gallyamov received a share of the ransom payments, the amount of which varied depending on the terms of collaboration with each group.
Investigators report that Qakbot infections inflicted severe financial damage on hundreds of organizations across the globe—including private enterprises, medical institutions, and government agencies. In just eighteen months, documented losses surpassed $58 million.
In 2023, the FBI succeeded in partially dismantling Qakbot’s infrastructure by compromising key components and gaining control over one of the botnet operator’s central systems. Nevertheless, Gallyamov continued to orchestrate malicious operations until January 2025, including large-scale spam campaigns targeting U.S. users.
During the investigation, digital assets valued at more than $24 million were seized from Gallyamov. These included cryptocurrency holdings such as 30 Bitcoin and $700,000 in USDT tokens, together worth over $4 million at current market rates. The U.S. Department of Justice has filed a separate forfeiture action to claim these assets.
Efforts to dismantle Qakbot were conducted as part of Operation Endgame, a coordinated international initiative that resulted in the seizure of over 100 servers supporting the operations of multiple botnets and malware loaders, including IcedID, Pikabot, Trickbot, Bumblebee, SmokeLoader, and SystemBC.