DOJ Claws Back $24M in Crypto from Qakbot Malware Architect – More Takedowns Ahead?
Another day, another crypto haul seized by the feds. This time, it’s $24 million in digital assets traced back to the developer behind Qakbot—a malware strain that’s been fleecing victims for years. The DOJ’s cybercrime unit isn’t just chasing petty thieves anymore; they’re dismantling wallets.
Why this matters: Crypto’s “untraceable” myth keeps crumbling. Every seizure like this proves blockchain’s transparency cuts both ways—great for honest investors, terrible for crooks who think Tether is a get-out-of-jail-free card.
What’s next? Watch for more high-profile grabs. The feds have been quietly building crypto-tracing muscle, and they’re hungry to flex it. Meanwhile, Wall Street still can’t decide if Bitcoin is a risk asset or inflation hedge—but at least they agree it’s a compliance nightmare.
U.S. Charges Russian Hacker Behind Qakbot and Disrupts Its Operation
According to the DOJ, Gallyamov created and controlled the malware beginning in 2008 and later used it to infect thousands of computers worldwide. These infected systems were then used to build a botnet, which became a platform for widespread ransomware attacks.
https://twitter.com/USAO_LosAngeles/status/1925620287879483397

“Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, head of the DOJ’s Criminal Division. “We are determined to hold cybercriminals accountable and will use every legal tool at our disposal.”
From 2019 onward, Gallyamov is accused of giving access to this botnet to other cybercriminal groups. These groups then deployed ransomware strains such as REvil, Conti, Black Basta, and Cactus. In return, Gallyamov allegedly received a share of the ransom payments.
The Qakbot botnet was disrupted in August 2023 as part of a U.S.-led international operation. At the time, authorities seized over 170 Bitcoin and more than $4 million in USDT and USDC from Gallyamov.
However, according to prosecutors, Gallyamov continued his cyber activities even after the takedown. Instead of relying on the botnet, Gallyamov and his associates allegedly switched to new tactics, including “spam bomb” attacks.
These involved flooding victims with emails to trick employees into granting access to their systems. Prosecutors say he continued this activity as recently as January 2025.
“The charges announced today exemplify the FBI’s commitment to relentlessly hold accountable individuals who target Americans and demand ransom, even when they live halfway across the world,” said Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office.
On April 25, the FBI executed a seizure warrant against Gallyamov, collecting an additional 30 Bitcoin and over $700,000 in USDT. All seized assets, valued at over $24 million, are now subject to a civil forfeiture complaint filed in the Central District of California. The DOJ intends to return these funds to ransomware victims.
U.S. Attorney Bill Essayli emphasized the department’s goals, stating, “The forfeiture action against more than $24 million in virtual assets also demonstrates the Justice Department’s commitment to seizing ill-gotten assets from criminals in order to ultimately compensate victims.”
The investigation was led by the FBI’s Los Angeles Field Office in coordination with law enforcement in France, Germany, the Netherlands, Denmark, the UK, Canada, and Europol.
New DOJ Cases Indicate Broader U.S. Crackdown on Crypto-Backed Cybercrime
The $24 million crypto seizure from a Qakbot-linked developer is only the latest in a sweeping U.S. crackdown on cybercrime.
In December 2024, U.S. authorities charged Rostislav Panev, a dual Russian-Israeli national, for his alleged role in the notorious LockBit ransomware group.
Panev, who was arrested in Israel last August, remains in custody as extradition proceedings continue. The DOJ describes him as a key developer behind malware tools used to disable antivirus software, access victim networks, and issue ransom demands.
Authorities also say the malware delivered ransom notes via infected devices, and investigators traced over $230,000 in crypto payments allegedly linked to his activity.
His lawyer claims he unknowingly created software used by the group and is cooperating with law enforcement.
Meanwhile, in a sweeping May 2025 indictment, U.S. officials charged 12 people, including Americans and foreign nationals mostly aged 18 to 21, for a crypto-driven racketeering scheme that netted $263 million.
https://twitter.com/cryptonews/status/1923455603902435725

Prosecutors allege the group engaged in coordinated cyberattacks, laundering stolen funds through lavish purchases like private jets, exotic cars, and luxury goods.
Federal charges are also advancing against Roman Storm, the developer of the sanctioned mixing service Tornado Cash. Authorities claim the platform was instrumental in laundering billions in illicit crypto.