Malware affiliate pyramid scheme is shuttered by US feds: here’s how to keep safe
- FBI’s huge Qakbot bust only paused the malware’s reign; it returned stronger and stealthier
- Qakbot’s new spam bomb attacks trick employees into unleashing ransomware inside their own companies
- Despite millions seized, the Qakbot mastermind remains free in Russia, far from US law enforcement
In a major cybercrime crackdown, the FBI and international partners declared victory against Qakbot – also known as Qbot – back in August 2023.
The malware operation, which infected over 700,000 computers globally (including around 200,000 in the US), was linked to $58 million in ransomware-related losses.
Described by U.S. Attorney Martin Estrada as “the most significant technological and financial operation ever led by the Department of Justice against a botnet,” Operation Duck Hunt led to the seizure of 52 servers and the confiscation of $8.6 million in cryptocurrency – but, as with many supposed knockouts in cybercrime, the celebration was premature.
Qakbot re-emerges
Within just three months, Qakbot re-emerged, demonstrating that even coordinated, resource-intensive law enforcement actions can have disappointingly limited long-term impact.
Following the 2023 takedown, alleged ringleader Rustam Rafailevich Gallyamov and his crew didn’t retreat but adapted: rather than relying on traditional phishing to distribute malware, they reportedly shifted to more deceptive tactics.
And according to The Register, newly unsealed indictments reveal a novel strategy involving “spam bomb attacks” – overwhelming employees’ inboxes with unwanted subscription emails.
The attackers would then pose as IT staff offering to help, tricking victims into running malicious code.
This tactic enabled the group to regain access to company systems, encrypt files, and exfiltrate sensitive data.
“Defendant Gallyamov and co-conspirators would launch targeted spam bomb attacks at employees of victim companies,” court documents state, “and then contact those employees, posing as information technology workers.”
Once access was granted, the consequences were swift and severe: data theft, encryption, and ransom demands.
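The inbox flood is the one part of this playbook a mail gateway can see before anyone picks up the phone. The script below, an added example that is not code from the article or from any vendor, scans a constructed gateway log for recipients who receive a burst of sign-up confirmation emails from many unrelated domains inside a short window, which is the precursor to the "IT support" call. The log format, the keyword list and the thresholds are assumptions for illustration; adapt them to your own gateway export.

```python
"""Spot an inbox 'spam bomb' in mail-gateway logs.

Added example, not code from the article or any vendor. The log format
below is constructed for illustration; adapt the parser to your own
gateway's export. Keyword list and threshold values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp recipient sender subject"
SAMPLE_LOG = """\
2025-04-01T09:00:05 alice@corp.example news@shop-a.example Confirm your subscription
2025-04-01T09:00:09 alice@corp.example hello@blog-b.example Welcome! Please verify your email
2025-04-01T09:00:14 alice@corp.example noreply@forum-c.example Confirm your subscription
2025-04-01T09:00:20 alice@corp.example signup@store-d.example Verify your email address
2025-04-01T09:00:31 alice@corp.example list@newsletter-e.example Please confirm your subscription
2025-04-01T09:00:40 alice@corp.example updates@site-f.example Welcome to our mailing list
2025-04-01T09:02:10 alice@corp.example promo@deals-g.example Confirm your subscription
2025-04-01T09:05:00 bob@corp.example news@shop-a.example Confirm your subscription
2025-04-01T10:15:00 bob@corp.example carol@corp.example Re: Q2 budget
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# Subjects typical of automated sign-up confirmations (assumed keyword list).
SUBSCRIBE_RE = re.compile(r"\b(confirm|verify|welcome|subscription|mailing list)\b", re.I)

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_MESSAGES = 5                 # assumed thresholds
MIN_SENDER_DOMAINS = 4


def parse_log(text):
    """Yield (time, recipient, sender_domain, subject) for each log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rcpt, sender, subject = m.groups()
        yield (datetime.fromisoformat(ts), rcpt.lower(),
               sender.rsplit("@", 1)[-1].lower(), subject)


def find_spam_bombs(text, window=WINDOW, min_messages=MIN_MESSAGES,
                    min_domains=MIN_SENDER_DOMAINS):
    """Return {recipient: (count, distinct_domains)} for recipients that
    received a burst of subscription-style mail from many unrelated senders
    inside the window. A burst from a single domain is a newsletter glitch,
    not a bomb, so distinct sender domains are required as well as volume."""
    per_rcpt = defaultdict(list)
    for ts, rcpt, dom, subject in parse_log(text):
        if SUBSCRIBE_RE.search(subject):
            per_rcpt[rcpt].append((ts, dom))

    alerts = {}
    for rcpt, events in per_rcpt.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            domains = {d for _, d in burst}
            if len(burst) >= min_messages and len(domains) >= min_domains:
                prev = alerts.get(rcpt, (0, 0))
                alerts[rcpt] = max(prev, (len(burst), len(domains)))
    return alerts


if __name__ == "__main__":
    for rcpt, (n, d) in find_spam_bombs(SAMPLE_LOG).items():
        print(f"possible spam bomb: {rcpt} got {n} sign-up mails "
              f"from {d} domains within {WINDOW}; verify any 'IT' call "
              f"to this user out of band")
```

On the constructed log only alice is flagged: seven sign-up mails from seven domains in about two minutes. Bob's single confirmation and his internal thread are ignored. An alert like this is worth routing to the help desk as well as the SOC, so that a call from "IT" to the flooded user can be checked against a real ticket.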
Qakbot malware enables attackers to backdoor systems, install additional threats, and harvest credentials.
Operators behind ransomware strains such as REvil, Black Basta, and Conti allegedly paid Gallyamov and his associates for access, or even shared a portion of their extorted proceeds.
In April 2025, additional illicit funds (over 30 bitcoin and US$700,000) were seized from Gallyamov, but he remains in Russia, beyond the reach of US law enforcement.
As federal officials put it, “unless he foolishly decides to leave the protection of the motherland,” Gallyamov is likely to remain untouchable.
To stay protected from these kinds of threats, organizations need to invest in the best antivirus – additionally, using a leading endpoint protection platform can help detect and isolate suspicious activity before it escalates into a data breach or ransomware attack. Endpoint tooling does not stop the social-engineering step on its own, though: employees should know that a sudden flood of subscription emails is a warning sign, that a follow-up call from "IT" offering to fix it is the attack itself, and that any such request should be verified through a known help-desk channel before anything is run.