
US DOJ Seizes $24M in Crypto from Qakbot Malware Developer

DOJ files civil forfeiture to recover $24 million in crypto from alleged Qakbot malware developer in major cybercrime crackdown.

by Yashika Gupta

The United States Department of Justice (DOJ) has announced the seizure of over $24 million in cryptocurrency linked to a Russian national accused of developing and deploying the notorious Qakbot malware. This move forms part of a broader initiative to dismantle one of the most prolific cybercrime infrastructures in recent years.

DOJ Targets Qakbot Developer with Civil Forfeiture Complaint

On 22 May 2025, the DOJ revealed it had filed a civil forfeiture complaint to claim virtual assets allegedly owned by Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow. Gallyamov stands accused of being the key developer behind Qakbot, a long-running piece of malware used in major cyberattacks globally.

The US Attorney’s Office for the Central District of California stated that the forfeiture aims to recover over $24 million worth of cryptocurrency, including Bitcoin and stablecoins such as USDT and USDC. These assets are considered ill-gotten gains from Gallyamov’s malware operations.

The complaint accompanies a federal indictment charging Gallyamov with conspiracy to commit computer fraud, wire fraud, and money laundering. Authorities allege that Qakbot enabled a sprawling cybercriminal ecosystem for over a decade.

Qakbot’s Role in Global Ransomware Operations

Initially detected in 2008, Qakbot evolved into a modular and sophisticated botnet, capable of infiltrating thousands of systems. Once infected, the compromised devices became part of a botnet, granting remote access to cybercriminals who utilised them for ransomware attacks.

According to the indictment, Gallyamov monetised this botnet by selling access to other threat actors. These groups then deployed notorious ransomware strains such as ProLock, DoppelPaymer, Egregor, REvil, Conti, Black Basta, and Cactus—some of the most destructive malware families used in high-profile attacks on healthcare systems, critical infrastructure, and corporate networks.

Despite a US-led international operation in 2023 that temporarily crippled Qakbot’s infrastructure, prosecutors claim Gallyamov persisted. He allegedly adopted new techniques and continued operations by distributing ransomware directly, shifting from intermediary malware operations to more direct deployment of threats like Black Basta and Cactus.

DOJ and FBI Send a Message to Cybercriminals

Speaking on the enforcement action, Matthew Galeotti, head of the DOJ’s Criminal Division, stated:

“Today’s announcement sends a clear message to the cybercrime community: the DOJ will use every legal tool to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”

Galeotti emphasised the department’s unwavering commitment to holding cybercriminals accountable, reinforcing that digital anonymity does not guarantee impunity.

Screenshot of the indictment. Source: US Department of Justice

US Attorney Bill Essayli also highlighted that the seizure of assets is a crucial part of ensuring justice for victims:

“The forfeiture action against more than $24 million demonstrates the Justice Department’s commitment to compensating victims by seizing assets derived from criminal activity.”

Continued Enforcement and Global Cybercrime Crackdown

The FBI, which played a key role in the 2023 takedown of Qakbot, reiterated its dedication to combating cybercrime. Akil Davis, Assistant Director in Charge at the FBI’s Los Angeles Field Office, explained that while the original Qakbot infrastructure was dismantled, Gallyamov’s continued efforts justified ongoing investigations.

The case underscores the evolving nature of cyber threats and the critical role of international cooperation in identifying, disrupting, and prosecuting cybercrime networks. It also highlights the growing use of civil forfeiture as a tool to reclaim assets and disrupt the financial motivations behind such operations.

With this latest move, the DOJ and its partners demonstrate that even sophisticated cybercriminals face real-world consequences, including the seizure of digital assets intended to shield illicit profits.

The $24 million crypto seizure from Rustam Gallyamov is more than a legal milestone—it marks a significant blow against cybercrime infrastructure and affirms the DOJ’s proactive stance in the ongoing digital arms race. As cybercriminals become more elusive and technically capable, enforcement agencies are evolving to match them step for step.
