The European and North American law enforcement agencies have dismantled what investigators call the “nerve center” of Russian cybercrime. Operation Endgame, led by Germany’s Bundeskriminalamt (BKA), has resulted in arrest warrants for 20 suspects and indictments against 16 others—unmasking the masterminds behind the infamous Qakbot, Danabot, and Conti malware operations. With links to ransomware attacks on hospitals, espionage campaigns, and nearly €1 billion in stolen cryptocurrency, the suspects—many shielded by Russian borders—now find themselves globally exposed and digitally cornered.
A Shadow Empire Exposed: The Faces Behind the Malware
The investigation, years in the making, has revealed the true scale of cybercriminal operations led by Russian nationals and their collaborators. Among the indicted: Rustam Rafailevich Gallyamov, a key player in the Qakbot network; and Aleksandr Stepanov (alias “JimmBee”) and Artem Kalinkin (alias “Onix”) of the Danabot malware gang—all residing in Russia. The United States unsealed indictments against these and 13 others, accusing them of infecting over 300,000 systems worldwide, including critical infrastructure in the US, India, Australia, Poland, and Italy.
At the top of the most-wanted list is Vitalii Kovalev, a 36-year-old Russian citizen dubbed the “most successful blackmailer in the history of cybercrime” by German authorities. Allegedly operating under pseudonyms Stern and Ben, Kovalev is said to have led Conti, a ransomware gang that terrorized U.S. hospitals during the pandemic, raking in multi-million-dollar ransoms. He is also linked to newer ransomware entities like Royal and Blacksuit, and controls a crypto wallet estimated to hold €1 billion in stolen digital assets.
Investigators believe Kovalev’s operations ran like multinational corporations—sophisticated, well-staffed, and fiercely protected by Russian jurisdiction. Despite a $10 million reward offered by U.S. authorities, Kovalev remains at large, living openly in Moscow.
The Malware Web: How Qakbot, Danabot, and Trickbot Wreaked Global Havoc
The Qakbot malware—sometimes known as “Qbot”—has long been a primary weapon in the cybercriminal arsenal, allowing hackers to take over devices, steal passwords, and deploy ransomware. Its infrastructure was severely disrupted in this latest sweep, alongside that of Danabot and Trickbot—three of the most dangerous malware families in use over the past decade.
In one striking example, the Danabot espionage variant was configured to specifically target military, diplomatic, and government entities, with stolen data funneled back to servers in Russia. The malware was marketed on Russian-language cybercrime forums and allowed attackers to infiltrate networks undetected for years.
Another key suspect, Roman Mikhailovich Prokop, a Ukrainian national believed to be part of the Qakbot syndicate, is also among those named by the BKA.
The impact of these malware operations has been far-reaching. The UK’s Marks & Spencer was recently targeted in a major cyberattack, one of many high-profile corporate victims across Europe. In the U.S., the Conti group’s attack on hospitals during COVID-19 prompted emergency responses and triggered federal investigations.
A Global Response to a Borderless Threat
Operation Endgame—named to signify the intent to close the chapter on malware syndicates—was launched by Germany’s BKA in 2022 and joined by cybercrime units from the UK, US, France, Canada, Denmark, the Netherlands, and Interpol. Together, they identified 37 key individuals and issued 20 international arrest warrants.
Despite the breakthrough, authorities acknowledge extradition is unlikely for most suspects operating out of Russia and Dubai. But the public identification, asset tracking, and data seizures are significant deterrents. “We’ve pulled back the curtain,” said BKA President Holger Münch, “and shown these criminals they can’t hide behind anonymity forever.”
The DOJ emphasized that stolen data from victims—including those targeted for espionage—was hosted on Russian-controlled servers, confirming long-standing suspicions about the geopolitical dimensions of cybercrime. “This isn’t just theft—it’s national security,” one U.S. official said.