US indicts Russian accused of running major global cybercrime ring

CNN, 22-05-2025

A US federal indictment unsealed Thursday accused a Russian man of leading a global cybercrime ring that caused hundreds of millions of dollars in damage to victims around the world.
The crime group victimized people throughout the US and in various sectors of the economy, according to the indictment, from a dental office in Los Angeles to a music company in Tennessee.
In announcing the charges, the Justice Department said it was working to return to victims more than $24 million in cryptocurrency allegedly stolen by the Russian man and seized by the department.
It's the latest installment in a yearslong US law enforcement effort to make it more difficult for Russia-based criminals to extort and disrupt US critical infrastructure providers with ransomware attacks. On Wednesday, the Justice Department said it had seized the computer systems behind another prolific hacking tool whose mastermind is also allegedly based in Russia.
Russia and the US don't have an extradition treaty, and the Kremlin has been reluctant to pursue hackers on Russian soil as long as they don't attack Russian organizations, according to US officials.
The man indicted Thursday, Rustam Rafailevich Gallyamov, a 48-year-old based in Moscow, allegedly developed a piece of malicious software in 2008 that has been used to infect hundreds of thousands of computers in the US and globally. The malware, called Qakbot, was used in damaging ransomware attacks on health care agencies and government agencies worldwide, prosecutors have said.
Gallyamov often received a cut of the proceeds from ransomware attacks that other hackers carried out using Qakbot, according to the Justice Department. For the ransomware attack on the Tennessee music company, he received the equivalent of more than $300,000, the indictment says.
CNN has requested comment from the Russian Embassy in Washington, DC, on the charges.
The indictment provides a window into the resilient career path of an alleged cybercriminal. In 2023, the FBI and European law enforcement agencies dismantled a massive network of computers infected with Qakbot and seized millions of dollars belonging to the hackers.
Gallyamov responded to that bust by looking for other ways to make his malicious software available to cybercriminals conducting ransomware attacks, Akil Davis, assistant director in charge of the FBI's Los Angeles Field Office, said in a statement on Thursday. Gallyamov and associates allegedly started 'spam bombing' companies, or flooding their inboxes with subscriptions to newsletters, and then posing as IT support to offer to fix the problem, the indictment says.
The State Department in 2023 offered $10 million for information on people behind Qakbot. It's unclear if any confidential tips to the State Department led to Gallyamov's indictment. In some cases, federal prosecutors unseal an indictment when they aren't sure if a defendant will travel out of a country that doesn't have an extradition treaty with the US.
One of Gallyamov's primary customers was allegedly a ransomware gang known as Conti, which made at least $25 million from a flurry of attacks in a four-month span in 2021, according to crypto-tracking firm Elliptic. The ransomware gang used Gallyamov's hacking tool in attacks on a Wisconsin manufacturing firm and Nebraska tech company in the fall of 2021, according to the indictment.
The last mention of the Conti ransomware gang in the indictment is in late January 2022. A month later, Russia launched its full-scale invasion of Ukraine, and a Ukrainian leaked a trove of data on Conti in revenge for its support for the Russian government, forcing the criminal network to reconstitute. But Gallyamov allegedly moved on to other customers.
