A major figure behind one of the world’s most destructive malware operations has been indicted in the United States. Rustam Rafailevich Gallyamov, a 48-year-old Russian national, is accused of leading the group behind Qakbot, a malware campaign that infected hundreds of thousands of devices globally.
U.S. prosecutors say Gallyamov developed and controlled Qakbot since 2008. Known also as Pinkslipbot or QBot, the malware spread through phishing emails, hijacked conversations, and vulnerable internet-connected systems. By 2019, the operation had expanded into a full-fledged global botnet targeting healthcare, tech, real estate, insurance, and telecom companies across the U.S.
Gallyamov and his team allegedly sold access to compromised machines. Other criminals then used these systems to launch ransomware attacks using tools like Black Basta, Conti, REvil, and Doppelpaymer. The group demanded ransom payments to unlock systems or prevent the release of stolen data.
The indictment claims Gallyamov didn’t just run the infrastructure—he also carried out ransomware attacks himself. Victims were infected with Black Basta and Cactus, and then extorted. If victims paid, Gallyamov and his partners collected a portion of the ransom.
In August 2023, international law enforcement shut down Qakbot’s main infrastructure and seized millions in cryptocurrency. But Gallyamov continued his operations. Without the botnet, he turned to spam bombing to infect new targets.
Authorities say his hacking efforts are ongoing. As of May 2025, he’s still involved in malware deployment, data theft, and extortion.
On April 25, 2025, the U.S. seized another $4 million in cryptocurrency linked to Gallyamov. This adds to a total of more than $24 million in assets taken from the group.
The indictment is part of Operation Endgame, a coordinated effort among global law enforcement agencies to stop major cybercrime networks. This week, authorities also dismantled other malware operations like DanaBot and Lumma Stealer under the same operation.
