Hold up, as the summary doesn't jive with the facts. From the DOJ's release, emphasis mine,
According to industry estimates, Citadel, and other botnets like it, infected approximately 11 million computers worldwide and are responsible for over $500 million in losses. In 2012, Belorossov downloaded a version of Citadel, which he then used to operate a Citadel botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia.
This guy didn't create the malware, he wasn't responsible for 11 million infections, nor was he responsible for $500 million in losses. He downloaded and tweaked some existing bank trojan, got it onto 7,000 computers, and stole some undetermined amount of money, which the DOJ has not disclosed but which is probably much closer to his restitution amount of ~$320K than it is to $500M.