The US Department of Justice (DOJ) has filed a civil forfeiture complaint to seize more than $24 million in cryptocurrency from Rustam Rafailevich Gallyamov, a Russian national accused of developing the Qakbot malware.

According to a May 22 announcement, the DOJ unsealed charges against the 48-year-old Moscovite with a federal indictment. Gallyamov is allegedly the malware developer behind the Qakbot botnet.

“Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew Galeotti, head of the DOJ’s criminal division.

Screenshot of the indictment. Source: US Department of Justice

Galeotti highlighted that the DOJ is “determined to hold cybercriminals accountable.” He added that the department will “use every legal tool” to “identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”

Related: Microsoft takes legal action against infostealer Lumma

Over $24 million forfeited

US Attorney Bill Essayli for the Central District of California explained that “the criminal charges and forfeiture case announced today are part of an ongoing effort” to “identify, disrupt, and hold accountable cybercriminals.” He added:

“The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”

Assistant Director in Charge Akil Davis of the FBI’s Los Angeles Field Office said that Qakbot was crippled by the agency and its partners in 2023. Still, Gallyamov allegedly continued deploying alternative methods to offer his malware to potential partners.

Related: Chinese printer maker spread Bitcoin stealing malware — Report

Qakbot used in global ransomware attacks

Gallyamov allegedly operated the Qakbot malware as far back as 2008. In 2019, he allegedly used it to infect thousands of victim computers to establish a so-called botnet.

Access to computers that were part of the botnet was sold to others who infected them with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Bast and Cactus. In 2023, a US-led international operation disrupted the Qakbot botnet and malware.

At the time, over 170 Bitcoin (BTC) and over $4 million in USDt (USDT) and USDC (USDC) stablecoins were seized from Gallyamov. According to the indictment, he and his collaborators continued the activity after it was disrupted, adopting new techniques, including directly deploying Black Basta and Cactus ransomware.

Magazine: Report on Crypto Exchange Hacks