In a blow to cybercriminals worldwide, an international law enforcement operation has struck at the head of the Qakbot criminal network with criminal charges being filed in Minneapolis and Pittsburgh against a Russian national, Rustam Rafailevich Gallyamov, the administrator of the Qakbot network.
The joint action named “Operation Endgame” also saw the seizure of more than $24 million in cryptocurrency associated with Gallyamov’s activities.
Since 2008, Qakbot (aka Qbot or Pinkslipbot) has been an ever-present and ever-evolving malware family. It was first intended as a banking trojan, but became a crucial instrument in the arsenal of ransomware gangs, serving as the initial penetration point into the networks of victims around the globe.
Qakbot is believed to have compromised more than 700,000 machines worldwide and inflicted hundreds of millions of dollars’ worth of damage on businesses, health care providers and government agencies.
Unsealed in the United States, the indictment alleges that Gallyamov created and leveraged Qakbot and benefited from the software being used in ransomware attacks carried out by a number of cybercriminal groups, known as REvil, Conti, and Black Basta. Despite an international operation previously having disrupted Qakbot’s infrastructure in August 2023, Gallyamov apparently kept up his criminal activities, utilising novel strategies like “spam bomb” campaigns.
“The Justice Department’s announcement of its most recent use of law enforcement authorities to disrupt the Qakbot malware scheme makes clear to the cybercrime community that network attacks have consequences,” said Matthew R. Galeotti, Special Agent in Charge of the Justice Department’s Criminal Division.
“We are committed to holding cybercriminals accountable and to do so, we will use all the tools at our disposal to target them, charge them, and ultimately dismantle their operations and prevent future harm, whether that harm comes in the form of reaching into American consumers’ pockets or holding their data ransom,” he added.
Police from America, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada have worked together on Operation Endgame, which was launched to “disrupt the banking trojan Qakbot as part of a shared commitment to disrupt and apprehend malware operators.” This brought down nearly 300 servers and took out 650 domains worldwide.
And more importantly, the operation aimed at the financial foundation of Gallyamov’s criminal business, too. Investigators also managed to confiscate more than $24 million worth of cryptocurrency, comprising 30 Bitcoin and $700,000 worth of USDT tokens, associated with the Qakbot campaign. Those funds are now facing civil forfeiture with the intention of providing restitution to the victims of the malware attacks.
With Gallyamov still on the run and likely in Russia, this global operation has delivered a major blow to the Qakbot network and sends a clear message that we are committed to to fighting against evolving and advanced crimes and that criminals will be held accountable.
The takedown of the cryptocurrency results in a measure of justice for the countless victims affected over the years, including financial losses and business interruptions caused by this rampant malware.
