In a significant crackdown, law enforcement agencies from the U.S. and around the globe targeted the notorious BlackSuit ransomware group at the end of July. The coordinated operation led to the seizure of servers, domain names, and an estimated $1 million in cryptocurrency associated with the gang’s illicit activities.
The Justice Department announced that the operation, spearheaded primarily by the Department of Homeland Security, included an unsealed warrant to confiscate digital assets. Other agencies, including the Secret Service, IRS, and FBI, also played crucial roles.

Global Law Enforcement Collaboration
The Justice Department stated that agents collaborated with law enforcement entities from countries including the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania to successfully execute this operation.
Michael Prado, deputy assistant director at the Homeland Security Investigations Cyber Crimes Center, highlighted that the goal was to dismantle the operational framework supporting these criminal organizations rather than simply taking some of their infrastructure offline.
This latest move follows a series of US initiatives, including new sanctions directed at ransomware hosting providers earlier in July.

Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations
Law Enforcement Seizes Servers, Domains, and Approximately $1 Million In Laundered Proceeds Owned By BlackSuit (Royal) Ransomware
“The BlackSuit ransomware gang’s… pic.twitter.com/EIXS7X0Su3
— National Security Division, U.S. Dept of Justice (@DOJNatSec) August 11, 2025

Understanding the BlackSuit Operations
Emerging as a spinoff from the infamous Royal ransomware group, BlackSuit has been operational since mid-2023.
Reportedly, the gang has focused on attacking vital infrastructure across various sectors, including healthcare, governmental buildings, manufacturing, and commercial enterprises.
Since 2022, this gang has been connected to over 450 victims in the United States alone, reportedly amassing more than $370 million in ransom payments from its unlawful activities.
Ransom demands have typically ranged from $1 million to $10 million in BTC, with the largest recorded single demand reaching $60 million.

Tracing the Fund Flows
Reports indicate that a ransom payment of 49 BTC, valued at around $1.4 million at the time it was paid, was integral to the asset seizure. This payment passed through a series of deposits and withdrawals at a cryptocurrency exchange before the account was frozen in early 2024.
While the DOJ has not disclosed the identity of the exchange involved, officials assert that such tracing efforts and cooperation with private entities were paramount in following the money trail back to the gang.
This significant operation not only dismantled crucial parts of the gang’s infrastructure but also succeeded in recovering nearly $1 million linked to a group responsible for countless cyberattacks and massive ransom demands.
Nevertheless, while this incident represents a notable victory for international law enforcement, experts caution that mere disruption may not suffice in halting every future ransomware attack.