Global Operation Seizes BlackSuit Ransomware Infrastructure and $1M in Crypto
On July 24, 2025, U.S. and international law enforcement agencies carried out a coordinated operation to dismantle infrastructure tied to the BlackSuit ransomware group, resulting in the seizure of four servers, nine domains, and approximately $1 million in cryptocurrency. The action, part of an effort later revealed as Operation Checkmate, was spearheaded by the Department of Homeland Security’s Homeland Security Investigations, working alongside the U.S. Secret Service, IRS Criminal Investigation, FBI, and agencies from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania. The Department of Justice (DoJ) confirmed that the seized cryptocurrency was linked to a ransom payment made in April 2023, when a victim transferred 43–49.3 Bitcoin (worth roughly $1.4 million at the time) to recover encrypted data. These funds were cycled through a crypto exchange until frozen in early 2024, preventing further laundering.
Authorities described the takedown as a significant disruption to BlackSuit’s operations, which have targeted critical infrastructure sectors including healthcare, government, manufacturing, and commercial facilities. BlackSuit, a rebrand of the Royal ransomware gang with ties to the former Conti group, has been active since at least September 2022 and is known for double-extortion tactics—encrypting victim systems while threatening to leak stolen data to coerce payment. According to the DoJ, the group has compromised over 450 U.S. victims, collecting more than $370 million in ransom payments, with demands often ranging from $1 million to $10 million in Bitcoin. In one case, their ransom demand reached as high as $60 million. Notable incidents include the 2023 attack on the City of Dallas, which disrupted public services and impacted 911 dispatch systems.
Statements from law enforcement emphasized that dismantling ransomware networks involves more than just removing technical infrastructure; it requires undermining the financial systems, hosting environments, and operational tools that enable these actors to operate. “Disrupting ransomware infrastructure is not only about taking down servers, it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado of Homeland Security Investigations. U.S. Attorney Erik Siebert added that the operation reflects a “disruption-first” strategy to protect U.S. businesses and critical services from ransomware threats. Officials also warned that, despite this takedown, ransomware groups often rebrand or splinter, and successor operations continue to emerge, such as Embargo, which is suspected to have followed BlackCat.