U.S. Seeks Forfeiture of Crypto Assets Connected to Qakbot Malware Scheme

News | June 2, 2025

On Thursday, May 22, 2025, the United States government filed an in rem forfeiture action in the U.S. District Court for the Central District of California, targeting virtual currency and $2,061,517.68 in U.S. currency. The case seeks to seize assets allegedly linked to a cybercriminal operation led by Rustam Rafailevich Gallyamov, who is accused of orchestrating the Qakbot malware scheme.

The defendant assets include various virtual currencies, such as Tether (USDT), USD Coin (USDC), Bitcoin (BTC), Ether (ETH), Tron (TRX), Toncoin (TON), Monero (XMR), and Ever (EVER), seized from multiple virtual currency wallets. These assets were confiscated following federal seizure warrants issued on July 29, 2024, August 25, 2023, and April 18, 2025. The USDT was frozen on August 25, 2023, and later transferred to the government, while the USDC, valued at approximately $2.06 million, was seized on October 27, 2023. The assets are currently held in, or will be transferred to, the custody of the United States Marshals Service in Los Angeles.

According to the complaint, the assets are proceeds from ransomware payments facilitated by the Qakbot conspiracy, which has infected hundreds of thousands of computers since 2008. The malware enabled unauthorized access to victim systems, forming a botnet that supported ransomware attacks by groups like Prolock, Doppelpaymer, and Conti. Victims, including businesses in New York, Wisconsin, and Missouri, paid ransoms primarily in Bitcoin, with Gallyamov allegedly receiving a share of these payments. The complaint details specific transactions, such as a New York law firm’s payment of 15.61359 BTC in October 2022 and a Colorado technology company’s payment of 179.760005 BTC in March 2023.

The government alleges that Gallyamov and his coconspirators laundered these proceeds through complex blockchain transactions to obscure their origins. Funds were moved through intermediary addresses, converted into stablecoins like USDT and USDC, and pooled in wallets to conceal their criminal source. Some funds were also sent to coconspirators or exchanged for fiat currency. Blockchain analysis and records from virtual asset service providers confirmed the illicit nature of these transactions.

On May 2, 2025, a grand jury indicted Gallyamov for conspiracy to commit computer fraud and wire fraud.

The forfeiture action claims the assets are traceable to violations of computer fraud, wire fraud, and money laundering statutes. The government seeks a court decree forfeiting the assets for disposition under U.S. law and has requested that due process issue to notify interested parties, including Gallyamov and Qakbot victims, so that they may contest the forfeiture.

Please contact BlockTribune for access to a copy of this filing.