Homeland Security Investigations (HSI), the investigative arm of the Department of Homeland Security (DHS) and part of U.S. Immigration and Customs Enforcement (ICE), has released further information about last month’s seizure of dark web domains used by the BlackSuit ransomware group.
On July 24, 2025, the U.S. Department of Justice (DoJ) confirmed that an international law enforcement operation codenamed Operation Checkmate resulted in the seizure of domains used by the BlackSuit ransomware group. Banners were added to those sites confirming they were under the control of law enforcement. The sites were used by the BlackSuit ransomware group to leak data stolen and to communicate with victims to negotiate ransom payments.
HSI confirmed in an August 7, 2025, announcement that BlackSuit was the successor to Royal ransomware. Both groups have terrorized critical infrastructure entities around the world since Royal emerged in 2022. Royal was the successor to Quantum ransomware, which is thought to be one of the groups operated by former members of the disbanded Conti ransomware operation.
Since 2022, Royal and BlackSuit have conducted more than 450 successful ransomware attacks on companies in the United States, including many critical infrastructure entities in healthcare, education, public safety, energy, and government. The ransomware groups engaged in double extortion, stealing data and encrypting files, then demanding payment both to prevent the stolen data from being leaked and to obtain the decryption keys. Victims have paid Royal and BlackSuit more than $370 million in ransom payments, based on current cryptocurrency values.
The operation involved the HSI Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the U.S. Secret Service, the FBI, Europol, and multiple international law enforcement partners, and resulted in the seizure of the group’s servers, domains, and digital assets used to support the group’s attacks, data theft, extortion, and money laundering.
“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”
A DoJ announcement on August 11, 2025, explained that laundered cryptocurrency valued at $1,091,453 had been seized as part of the operation, along with four servers and nine domains. The DoJ explained that one of the victims of the Royal ransomware group paid a 49.3120227 Bitcoin ransom to decrypt their data, which was valued at $1,445,454.86 at the time of the transaction. Some of the proceeds, $1,091,453, were repeatedly deposited and withdrawn in a virtual currency exchange to hide the source of the funds. The funds were frozen by the exchange on or around January 9, 2024, and were obtained by U.S. authorities after issuing a warrant for seizure.
“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”
July 25, 2025: BlackSuit Ransomware Dark Web Sites Seized by Law Enforcement
The dark web sites of the BlackSuit ransomware group have been seized as part of an international law enforcement operation. The takedown includes BlackSuit’s negotiation and data leak sites, following a court order that authorized the seizure.
The dark web sites have been replaced with banners advising visitors about the seizure by U.S. Homeland Security Investigations, part of Operation CheckMate. Several law enforcement partners assisted with the operation, including the U.S. Department of Justice, Federal Bureau of Investigation (FBI), the U.S. Office of Foreign Assets Control (OFAC), Europol, the UK National Crime Agency, and law enforcement agencies in Canada, Germany, Ukraine, Lithuania, Ireland, and France. The Romanian cybersecurity firm BitDefender also assisted during the operation. The authorities have yet to make an announcement about the operation and any other achievements.
BlackSuit ransomware first appeared in June 2023, having rebranded following an attack on the City of Dallas in Texas. The group previously operated under the name Royal from September 2022 to June 2023. Prior to that, Royal operated under the name Quantum and is believed to have been started by members of the Conti ransomware group. Operating as BlackSuit, the group is thought to have claimed more than 180 victims worldwide and more than 350 victims under the name Royal.
While the takedown is good news, researchers have suggested that BlackSuit may have already rebranded or that some former members of BlackSuit have formed a new group, Chaos ransomware. Researchers at Cisco Talos explained in a June 24, 2025, blog post that they have assessed with moderate confidence that the new group was formed by members of the BlackSuit ransomware group due to similarities in the encryption methodology, ransom note, and toolset used in attacks. Chaos has already conducted at least ten attacks, mostly in the United States. The new group does not appear to be targeting any specific industries.
“The disruption of BlackSuit’s infrastructure marks another important milestone in the fight against organized cybercrime,” stated a representative of the Draco Team, Bitdefender’s cybercrime unit, who participated in the takedown. “We commend our law enforcement partners for their coordination and determination. Operations like this reinforce the critical role of public-private partnerships in tracking, exposing, and ultimately dismantling ransomware groups that operate in the shadows. When global expertise is aligned, cybercriminals have fewer places to hide.”
On July 28, 2025, FBI Dallas announced the seizure of 20 Bitcoins (now valued at $2.3 million) from a cryptocurrency address belonging to a member of the Chaos ransomware group. The funds were tracked to a Bitcoin wallet used by an affiliate with the moniker “Hors” who is suspected of conducting attacks and extorting payments from companies in the Northern District of Texas and elsewhere. The U.S. Department of Justice filed a civil complaint in the Northern District of Texas on July 24, 2025, seeking the forfeiture of the funds, which were seized by the FBI in Dallas in mid-April.
The post Feds Confirm Seizure of BlackSuit Ransomware Infrastructure appeared first on The HIPAA Journal.