Operation Endgame had teased the announcement earlier today in a video called, “My Happy Lie — Cortes.” Now the Department of Justice has issued the following press release about Rafailevich Gallyamov, aka “Cortes” and other aliases:
A federal indictment unsealed today charges Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with leading a group of cyber criminals who developed and deployed the Qakbot malware. In connection with the charges, the Justice Department filed today a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov over the course of the investigation. These actions are the latest step in an ongoing multinational effort by the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime.
“Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “We are determined to hold cybercriminals accountable and will use every legal tool at our disposal to identify you, charge you, forfeit your ill-gotten gains, and disrupt your criminal activity.”
“The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals,” said U.S. Attorney Bill Essayli for the Central District of California. “The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
“Mr. Gallyamov’s bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally,” said Assistant Director in Charge Akil Davis of the FBI’s Los Angeles Field Office. “The charges announced today exemplify the FBI’s commitment to relentlessly hold accountable individuals who target Americans and demand ransom, even when they live halfway across the world.”
According to court documents, Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008. From 2019 onward, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or “botnet,” of infected computers. As alleged, once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus. In exchange, Gallyamov was allegedly paid a portion of the ransoms received from ransomware victims.
The announcement of charges today is the latest step taken by the Justice Department against the Qakbot conspiracy. In August 2023, a U.S.-led multinational operation disrupted the Qakbot botnet and malware. At that time, the Justice Department announced the seizure of illicit proceeds from Gallyamov, including over 170 bitcoin and over $4 million of USDT and USDC tokens.
According to the indictment, after the disruption and takedown of the Qakbot botnet, Gallyamov and his co-conspirators continued their criminal activities. Instead of a botnet, they allegedly used different tactics, including “spam bomb” attacks on victim companies, where co-conspirators would trick employees at those victim companies into granting access to computer systems. The indictment alleges that Gallyamov orchestrated spam bomb attacks against victims in the United States as recently as January 2025. It also alleges that Gallyamov and his co-conspirators deployed Black Basta and Cactus ransomware on victim computers.
On April 25, 2025, pursuant to a seizure warrant, the FBI seized additional illicit proceeds from Gallyamov, including over 30 bitcoin and over $700,000 of USDT tokens. Today, the Department filed a civil forfeiture complaint in the Central District of California against all of the illicit proceeds seized from Gallyamov — worth over $24 million as of today — in order to forfeit and ultimately return those funds to victims.
The investigation of Gallyamov was led by the FBI’s Los Angeles Field Office, which worked closely with investigators from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, The Public Prosecutor’s Office of the Netherlands, France’s Anti-Cybercrime Office (Office Anti-cybercriminalité) and Cyber Division of the Paris Prosecution Office, and Europol. The Justice Department’s Office of International Affairs and the FBI Milwaukee Field Office provided significant assistance.
Trial Attorney Jessica Peck of the Justice Department’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Khaldoun Shobaki, Lauren Restrepo, and James Dochterman for the Central District of California are prosecuting the case.
These law enforcement actions were taken in conjunction with Operation Endgame, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling and prosecuting cybercriminal organizations around the world.
Resources for victims can be found on the following website, which will be updated as additional information becomes available: https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.