FBI seizes $24 million in crypto cache from Russian malware planners

The U.S. Department of Justice (DOJ) has filed a civil forfeiture complaint to seize $24 million in cryptocurrency assets linked to Russian national Rustam Rafailevich Gallyamov.
According to a press release issued on May 22, the Justice Department said Gallyamov played a central role in deploying Qakbot as part of a wider cybercrime operation that infected computers and enabled ransomware attacks worldwide.
From malware deployment to global ransomware attack
Federal prosecutors claim that Gallyamov, who resides in Moscow, operated the botnet infrastructure behind Qakbot, a sophisticated piece of malware first deployed in 2008. The malware was used to compromise computers and then provide access to co-conspirators, who executed ransomware campaigns using variants such as REvil, Conti, Black Basta, and Cactus.
In return, Gallyamov reportedly received part of the ransom proceeds. The Justice Department stressed that this seizure reflects ongoing international efforts involving law enforcement agencies in the United States, Europe and Canada to undermine cybercrime networks.
According to U.S. Department of Justice prosecutors, Gallyamov's network operations intensified from 2019, as Qakbot was used to penetrate thousands of systems and build vast botnets. Once compromised, these systems were handed over to ransomware operators.
In August 2023, a U.S.-led multinational operation successfully disrupted the Qakbot network and seized various crypto assets associated with the scheme, including 170 BTC and millions in stablecoins (such as USDT and USDC). Despite this disruption, the Justice Department claims that Gallyamov and his partner continued to use alternative methods to target victims.
The latest Justice Department complaint details how the defendants changed their strategies after the 2023 disruption, including adopting "spam bomb" techniques to deceive employees into opening up internal systems. Prosecutors assert that this newer approach enabled the deployment of ransomware to continue until 2025.
The attacks reportedly included the use of Black Basta and Cactus ransomware to target victims in the United States. As part of the ongoing investigation, the FBI carried out a further seizure on April 25, 2025, recovering more than 30 BTC and more than $700,000 in stablecoins.
International coordination and the Justice Department's recovery work
The Justice Department's civil forfeiture complaint aims to formally seize more than $24 million in illegal cryptocurrency proceeds with the aim of returning the funds to the victims. The effort highlights a global campaign involving the FBI's field offices in Los Angeles and Milwaukee, Europol, and cybersecurity departments from France, Germany, the Netherlands and other countries.
The Justice Department credits this collaboration with enabling the rapid identification and disruption of Gallyamov's operations. Assistant U.S. attorneys from Central California and officials from the Justice Department's Computer Crime and Intellectual Property Division are leading the prosecution.
In a public statement, Justice Department and FBI officials reiterated their commitment to dismantling global cybercrime infrastructure and using all available legal tools, including prosecutions, forfeiture litigation, and international law enforcement cooperation, to hold perpetrators accountable and compensate victims. U.S. Attorney Bill Essayli of the Central California region said:
The forfeiture lawsuit for more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten gains from criminals to ultimately compensate the victims.