Latest news with #RustamGallyamov


Economic Times
24-05-2025
- Economic Times
$24M in crypto, 30 Bitcoins, and $700K seized as FBI takes down Russian hacker behind 700,000 computer ransomware army in Operation Endgame
FBI and international allies seize $24M in crypto from Russian hacker Rustam Gallyamov, accused of turning 700,000 computers into a global ransomware army under the Qakbot malware operation. For thousands of people around the world, the nightmare began the same way: a frozen screen, a blinking message, and a demand for money. Doctors, small business owners, factory workers, and even school staff found their computers suddenly hijacked. The US Department of Justice has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, for leading a global cybercriminal enterprise responsible for the notorious Qakbot malware. Alongside the charges, the Justice Department announced it had seized over $24 million in cryptocurrency linked to Gallyamov's cybercrime empire. The department intends to return these funds to the victims of the attacks. Victims ranged from small dental offices in Los Angeles to technology firms in Nebraska, manufacturing companies in Wisconsin, and even real estate businesses in Canada. The indictment was unsealed on Thursday, May 22, 2025, and marks a crucial moment in America's ongoing battle against ransomware attacks that have plagued organizations worldwide. Matthew R. Galeotti, Head of the Justice Department's Criminal Division, emphasized the significance of this action: "Today's announcement of the Justice Department's latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community. We are determined to hold cybercriminals accountable and will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity." Gallyamov is accused of developing and deploying Qakbot since 2008, a sophisticated malware that infected over 700,000 computers globally.
The malware facilitated ransomware attacks by granting access to co-conspirators who deployed various ransomware strains, including Conti, REvil, Black Basta, and DoppelPaymer. Despite a multinational operation targeting him in August 2023 that disrupted the Qakbot botnet, Gallyamov allegedly continued his cybercriminal activities. 'Mr. Gallyamov's bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,' said Assistant Director in Charge Akil Davis of the FBI's Los Angeles Field Office. Gallyamov and his associates shifted tactics, employing "spam bomb" attacks to deceive employees into granting network access, leading to further ransomware deployments as recently as January 2025. As a result, the FBI, under 'Operation Endgame', seized more than 30 bitcoins and $700,000 in USDT tokens from Gallyamov under a seizure warrant executed on April 25, the Department of Justice confirmed in a statement. The Justice Department also filed a civil forfeiture complaint to seize over $24 million in cryptocurrency linked to Gallyamov's illicit activities. This was done not only to prosecute cybercriminals but also to recover assets to compensate victims. The indictment is part of Operation Endgame, a coordinated international effort involving law enforcement agencies from the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada. This operation has dismantled key infrastructure of several malware strains, including Qakbot, DanaBot, Trickbot, and others, by taking down approximately 300 servers and neutralizing 650 domains worldwide.


The Guardian
23-05-2025
- The Guardian
Russian-led cybercrime network dismantled in global operation
European and North American cyber-crime investigators say they have dismantled the heart of a malware operation directed by Russian criminals after a global operation involving US, German, French, Canadian, British, Danish and Dutch police. International arrest warrants have been issued against 20 suspects, most of them living in Russia, by European investigators, while indictments were unsealed in the US against 16 individuals. Those charged include the alleged leaders of the Qakbot and DanaBot malware operations, including Rustam Rafailevich Gallyamov, 48, who lives in Moscow, and Aleksandr Stepanov, 39, aka 'JimmBee', and Artem Aleksandrovich Kalinkin, 34, aka 'Onix', both of Novosibirsk, Russia, the US Department of Justice said. Cyber-attacks, whether aimed at destabilising governments or at simple theft and blackmail, are becoming increasingly pernicious. High street retailer Marks & Spencer is one of the most high-profile recent victims in the UK this month. The Europeans, led by the German crime agency, the Bundeskriminalamt (BKA), put out public appeals in their attempts to track down 18 suspects believed to be involved in the Qakbot malware family along with a third malware known as Trickbot. BKA and their international counterparts said the majority of the suspects were Russian citizens. Russian national Vitalii Nikolayevich Kovalev, 36, already wanted in the US, is one of BKA's most wanted. He is allegedly behind Conti, considered to be the most professional and best-organised ransomware blackmail group in the world, with Kovalev described as one of the 'most successful blackmailers in the history of cybercrime' by German investigators. Using the pseudonyms Stern and Ben, BKA allege, he attacked hundreds of companies worldwide and extracted large ransom payments from them. Kovalev, 36, from Volgorod, is believed to be currently living in Moscow, where several firms are registered in his name.
He was identified by US investigators in 2023 as having been a member of Trickbot. Investigators now also believe he was at the helm of Conti and other blackmail groups, such as Royal and BlackSuit (founded in 2022). His own crypto wallet is said to be worth around €1bn. The Bundeskriminalamt said that, along with international partners, it had identified 37 perpetrators and had enough evidence to issue 20 arrest warrants. The US attorney's office in California at the same time unsealed the details of charges against 16 defendants who allegedly 'developed and deployed the DanaBot malware'. The criminal infiltrations into victims' computers were 'controlled and deployed' by a Russia-based cybercrime organisation that has infected more than 300,000 computers around the world, particularly in the US, Australia, Poland, India and Italy. It was advertised on Russian-language criminal forums and also had an 'espionage variant used to target military, diplomatic, government, and non-governmental organisations', the indictment states. 'For this variant, separate servers were established, such that data stolen from these victims was ultimately stored in the Russian federation', it adds. Also on Europe's most wanted list as a result of the German operation is a 36-year-old Russian-speaking Ukrainian, Roman Mikhailovich Prokop, a suspected member of Qakbot, according to BKA. Operation Endgame was first instigated by the German authorities in 2022. BKA president Holger Münch said that Germany is a particular focus of cybercriminals. The BKA is investigating the suspected perpetrators' involvement in gang-related activities and commercial extortion as well as membership of an overseas-based criminal organisation. Between 2010 and 2022 the Conti group focused specifically on US hospitals, increasing its attacks during the Covid pandemic. US authorities had offered reward money of $10m to anyone who would lead them to its figureheads.
Most suspects are operating in Russia, some also in Dubai. Their extradition to Europe or the US is unlikely, Münch of the BKA admitted, but their identification was significant and damaging to them, he insisted. 'With Operation Endgame 2.0, we have once again demonstrated that our strategies work – even in the supposedly anonymous darknet.'


Reuters
22-05-2025
- Reuters
US indicts Russian accused of ransomware attacks
May 22 (Reuters) - The U.S. Department of Justice on Thursday unsealed charges against a Russian national accused of leading the development and deployment of malicious software that infected thousands of computers over more than a decade. Rustam Rafailevich Gallyamov, 48, of Moscow, led a group of cybercriminals who developed and deployed Qakbot, software that could be used to infect computers with additional malware, such as ransomware, as well as to conscript the computer into a botnet - a group of compromised computers and devices controlled remotely - to be used for additional malicious purposes, according to a DOJ statement. Prosecutors also made public a complaint seeking the forfeiture of more than $24 million in cryptocurrency and traditional funds seized over the course of the investigation, the DOJ said. The charges of conspiracy and conspiracy to commit wire fraud come a year and a half after an international law enforcement operation disrupted Qakbot infrastructure. Gallyamov continued cybercriminal activities after the disruption, prosecutors said, as recently as January 2025. Gallyamov did not immediately respond to a request for comment. The DOJ statement did not indicate his whereabouts. Also on Thursday, federal prosecutors in Los Angeles unsealed charges against 16 people accused of developing and deploying the DanaBot malware, which was used to infect more than 300,000 computers worldwide and cause at least $50 million in damage, according to a DOJ statement. The DanaBot charges are part of Operation Endgame, an international law enforcement and private-sector campaign targeting cybercriminal operators and infrastructure around the world.
DanaBot emerged in 2018 as malware to steal banking credentials and other information, but evolved to enable wider information stealing and establish access for follow-on activity, according to researchers with Lumen's Black Lotus Labs, who participated in Operation Endgame. DanaBot remained 'highly operational through 2025,' the researchers wrote in a blog post, with roughly 1,000 daily victims across more than 40 countries.


CNN
22-05-2025
- CNN
US indicts Russian accused of running major global cybercrime ring
A US federal indictment unsealed Thursday accused a Russian man of leading a global cybercrime ring that caused hundreds of millions of dollars in damage to victims around the world. The crime group victimized people throughout the US and in various sectors of the economy, according to the indictment, from a dental office in Los Angeles to a music company in Tennessee. In announcing the charges, the Justice Department said it was working to return to victims more than $24 million in cryptocurrency allegedly stolen by the Russian man and seized by the department. It's the latest installment in a yearslong US law enforcement effort to make it more difficult for Russia-based criminals to extort and disrupt US critical infrastructure providers with ransomware attacks. On Wednesday, the Justice Department said it had seized the computer systems behind another prolific hacking tool whose mastermind is also allegedly based in Russia. Russia and the US don't have an extradition treaty, and the Kremlin has been reluctant to pursue hackers on Russian soil as long as they don't attack Russian organizations, according to US officials. The man indicted Thursday, Rustam Rafailevich Gallyamov, a 48-year-old based in Moscow, allegedly developed a piece of malicious software in 2008 that has been used to infect hundreds of thousands of computers in the US and globally. The malware, called Qakbot, was used in damaging ransomware attacks on health care agencies and government agencies worldwide, prosecutors have said. Gallyamov often received a cut of the proceeds from ransomware attacks that other hackers carried out using Qakbot, according to the Justice Department. For the ransomware attack on the Tennessee music company, he received the equivalent of more than $300,000, the indictment says. CNN has requested comment from the Russian Embassy in Washington, DC, on the charges. The indictment provides a window into the resilient career path of an alleged cybercriminal. 
In 2023, the FBI and European law enforcement agencies dismantled a massive network of computers infected with Qakbot and seized millions of dollars belonging to the hackers. Gallyamov responded to that bust by looking for other ways to make his malicious software available to cybercriminals conducting ransomware attacks, Akil Davis, assistant director in charge of the FBI's Los Angeles Field Office, said in a statement on Thursday. Gallyamov and associates allegedly started 'spam bombing' companies, or flooding their inboxes with subscriptions to newsletters, and then posing as IT support to offer to fix the problem, the indictment says. The State Department in 2023 offered $10 million for information on people behind Qakbot. It's unclear if any confidential tips to the State Department led to Gallyamov's indictment. In some cases, federal prosecutors unseal an indictment when they aren't sure if a defendant will travel out of a country that doesn't have an extradition treaty with the US. One of Gallyamov's primary customers was allegedly a ransomware gang known as Conti, which made at least $25 million from a flurry of attacks in a four-month span in 2021, according to crypto-tracking firm Elliptic. The ransomware gang used Gallyamov's hacking tool in attacks on a Wisconsin manufacturing firm and a Nebraska tech company in the fall of 2021, according to the indictment. The last mention of the Conti ransomware gang in the indictment is in late January 2022. A month later, Russia launched its full-scale invasion of Ukraine, and a Ukrainian leaked a trove of data on Conti in revenge for its support for the Russian government, forcing the criminal network to reconstitute. But Gallyamov allegedly moved on to other customers.
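The 'spam bombing' described in the Economic Times and CNN pieces above (a mailbox flooded with newsletter sign-ups so that a follow-up 'IT support' call looks plausible) is the kind of burst a mail gateway can flag before the phone rings. The script below is an added example written for this page, not code from the indictment, the FBI or any of the outlets quoted; the log line format, the thresholds and the sample log are all constructed for illustration and would need to be adapted to a real gateway's log format.

```python
"""Flag 'spam bomb' bursts in a mail gateway log.

Added example; not from any of the articles above. The log format, the
thresholds and the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: <ISO timestamp> to=<rcpt> from=<sender> subj="<subject>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) to=(?P<to>\S+) from=(?P<frm>\S+) subj="(?P<subj>[^"]*)"$'
)

# Assumed heuristics: many distinct sender domains hitting one mailbox in a
# short window, with most subjects looking like list sign-up confirmations.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 20
MIN_DOMAINS = 10
SIGNUP_RE = re.compile(r"(confirm|welcome|subscri|verify)", re.I)


def parse_line(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "to": m["to"].lower(),
        "domain": m["frm"].rsplit("@", 1)[-1].lower(),
        "signup": bool(SIGNUP_RE.search(m["subj"])),
    }


def find_spam_bombs(lines):
    """Return {recipient: (message_count, distinct_domains, signup_fraction)}
    for every mailbox whose busiest WINDOW matches the heuristics."""
    by_rcpt = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_rcpt[rec["to"]].append(rec)

    hits = {}
    for rcpt, recs in by_rcpt.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most WINDOW.
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            domains = {r["domain"] for r in window}
            if len(window) >= MIN_MESSAGES and len(domains) >= MIN_DOMAINS:
                signup_frac = sum(r["signup"] for r in window) / len(window)
                if signup_frac >= 0.5:
                    prev = hits.get(rcpt)
                    if prev is None or len(window) > prev[0]:
                        hits[rcpt] = (len(window), len(domains), round(signup_frac, 2))
    return hits


def sample_log():
    """Constructed sample: one normal mailbox and one being spam-bombed."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    lines = []
    # Normal traffic: five messages from one partner spread over an hour.
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f'{t.isoformat()} to=alice@example.test from=bob@partner.test subj="Q1 numbers"')
    # Spam bomb: forty sign-up confirmations from forty domains in four minutes.
    for i in range(40):
        t = base + timedelta(seconds=6 * i)
        lines.append(f'{t.isoformat()} to=carol@example.test from=news@list{i}.test subj="Please confirm your subscription"')
    return lines


if __name__ == "__main__":
    for rcpt, (n, d, frac) in find_spam_bombs(sample_log()).items():
        print(f"spam bomb suspected: {rcpt}: {n} msgs from {d} domains, {frac:.0%} sign-up subjects")
```

A hit on a mailbox is the cue to warn that user, and the help desk, that any unsolicited 'IT support' contact offering to clean up the flood should be treated as the second stage of the same attack; the thresholds above are starting points, not tuned values.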
