Qakbot Indictment
p. 1
Share
U.S. Department of
JUSTICE
The Department of Justice is posting this court document as a courtesy to the public. An official
copy of this court document can be obtained (irrespective of any markings that may indicate
that the document was filed under seal or otherwise marked as not available for public
dissemination) on the Public Access to Court Electronic Records website at
https://pacer.uscourts.gov. In some cases, the Department may have edited the document to
redact personally identifiable information (PII) such as addresses, phone numbers, bank
account numbers, or similar information, and to make the document accessible under Section
508 of the Rehabilitation Act of 1973, which requires federal agencies to make electronic
information accessible to people with disabilities.
JUSTICE
The Department of Justice is posting this court document as a courtesy to the public. An official
copy of this court document can be obtained (irrespective of any markings that may indicate
that the document was filed under seal or otherwise marked as not available for public
dissemination) on the Public Access to Court Electronic Records website at
https://pacer.uscourts.gov. In some cases, the Department may have edited the document to
redact personally identifiable information (PII) such as addresses, phone numbers, bank
account numbers, or similar information, and to make the document accessible under Section
508 of the Rehabilitation Act of 1973, which requires federal agencies to make electronic
information accessible to people with disabilities.
p. 2
Share
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
January 2025 Grand Jury
UNITED STATES OF AMERICA,
Plaintiff,
v.
RUSTAM RAFAILEVICH GALLYAMOV,
aka “Cortes,”
aka “Tomperz,”
aka “Chuck,”
Defendant.
CR
I N D I C T M E N T
[18 U.S.C. § 371: Conspiracy; 18
U.S.C. § 1349: Conspiracy to
Commit Wire Fraud; 18 U.S.C. §§
981(a)(1)(C), 982, and 28 U.S.C. §
2461(c): Criminal Forfeiture]
The Grand Jury charges:
INTRODUCTORY ALLEGATIONS AND DEFINITIONS
At all times relevant to this Indictment:
A. THE DEFENDANT & THE CONSPIRACY
1. Defendant RUSTAM RAFAILEVICH GALLYAMOV, also known as
(“aka”) “Cortes,” aka “Tomperz,” aka “Chuck,” (“GALLYAMOV”) whose
photograph is attached as Exhibit A, was a resident of Russia.
2. Qakbot (or Qbot) was malicious computer software developed,
deployed, and controlled since 2008 by members of a cybercriminal
conspiracy led by defendant GALLYAMOV. From at least 2019, defendant
GALLYAMOV and his coconspirators infected hundreds of thousands of
2:25-cr-00340-SB
5/2/25
MRV
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
UNITED STATES DISTRICT COURT
FOR THE CENTRAL DISTRICT OF CALIFORNIA
January 2025 Grand Jury
UNITED STATES OF AMERICA,
Plaintiff,
v.
RUSTAM RAFAILEVICH GALLYAMOV,
aka “Cortes,”
aka “Tomperz,”
aka “Chuck,”
Defendant.
CR
I N D I C T M E N T
[18 U.S.C. § 371: Conspiracy; 18
U.S.C. § 1349: Conspiracy to
Commit Wire Fraud; 18 U.S.C. §§
981(a)(1)(C), 982, and 28 U.S.C. §
2461(c): Criminal Forfeiture]
The Grand Jury charges:
INTRODUCTORY ALLEGATIONS AND DEFINITIONS
At all times relevant to this Indictment:
A. THE DEFENDANT & THE CONSPIRACY
1. Defendant RUSTAM RAFAILEVICH GALLYAMOV, also known as
(“aka”) “Cortes,” aka “Tomperz,” aka “Chuck,” (“GALLYAMOV”) whose
photograph is attached as Exhibit A, was a resident of Russia.
2. Qakbot (or Qbot) was malicious computer software developed,
deployed, and controlled since 2008 by members of a cybercriminal
conspiracy led by defendant GALLYAMOV. From at least 2019, defendant
GALLYAMOV and his coconspirators infected hundreds of thousands of
2:25-cr-00340-SB
5/2/25
MRV
p. 3
Share
2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
victim computers around the world with the Qakbot malware, thereby
gaining unauthorized access to and control of those computers. Using
this access, defendant GALLYAMOV and his coconspirators further
infected victim computers with ransomware, including Prolock,
Doppelpaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and
Cactus. Sometimes, defendant GALLYAMOV and his coconspirators gained
access to victim computers by means other than the Qakbot malware.
In those instances, victim computers were also infected with
ransomware. Ransomware victims were then extorted by defendant
GALLYAMOV and his coconspirators to pay ransoms to regain access to
and/or prevent the dissemination of their private data. Defendant
GALLYAMOV and his coconspirators received a portion of any ransom
paid.
B. QAKBOT’S VICTIMS
3. The “Los Angeles Dental Office” was located in the Central
District of California.
4. The “Nebraska Technology Company” was located in Nebraska.
5. The “Wisconsin Manufacturer” was located in Wisconsin.
6. The “Canadian Real Estate Company” was located in Canada.
7. The “Wisconsin Marketing Company” was located in Wisconsin.
8. The “Tennessee Music Company” was located in Tennessee.
9. The “Colorado Communications Company” was located in
Colorado.
10. The “Pennsylvania Technology Company” was located in
Pennsylvania.
11. The “Maryland Insurance Company” was located in Maryland.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
victim computers around the world with the Qakbot malware, thereby
gaining unauthorized access to and control of those computers. Using
this access, defendant GALLYAMOV and his coconspirators further
infected victim computers with ransomware, including Prolock,
Doppelpaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and
Cactus. Sometimes, defendant GALLYAMOV and his coconspirators gained
access to victim computers by means other than the Qakbot malware.
In those instances, victim computers were also infected with
ransomware. Ransomware victims were then extorted by defendant
GALLYAMOV and his coconspirators to pay ransoms to regain access to
and/or prevent the dissemination of their private data. Defendant
GALLYAMOV and his coconspirators received a portion of any ransom
paid.
B. QAKBOT’S VICTIMS
3. The “Los Angeles Dental Office” was located in the Central
District of California.
4. The “Nebraska Technology Company” was located in Nebraska.
5. The “Wisconsin Manufacturer” was located in Wisconsin.
6. The “Canadian Real Estate Company” was located in Canada.
7. The “Wisconsin Marketing Company” was located in Wisconsin.
8. The “Tennessee Music Company” was located in Tennessee.
9. The “Colorado Communications Company” was located in
Colorado.
10. The “Pennsylvania Technology Company” was located in
Pennsylvania.
11. The “Maryland Insurance Company” was located in Maryland.
p. 4
Share
p. 5
Share
p. 6
Share
p. 7
Share
p. 8
Share
p. 9
Share
p. 10
Share
p. 11
Share
p. 12
Share
p. 13
Share
p. 14
Share
p. 15
Share
p. 16
Share