US authorities reveal how over a million dollars’ worth of cryptocurrency assets laundered by the BlackSuit ransomware gang were seized ahead of a July takedown operation
By
Alex Scroxton, Security Editor
Published: 13 Aug 2025 16:40
Over a million dollars’ worth of cryptocurrency assets laundered by or on behalf of the notorious BlackSuit ransomware gang – previously known as Royal – were seized ahead of a multinational takedown operation in July, led by the US authorities with support from the UK’s National Crime Agency (NCA) and cyber cops from Canada, France, Germany, Ireland, Lithuania and Ukraine.
Operation Checkmate, which took place on 24 July, saw a coordinated action that took four servers and nine domains offline for good. The US Department of Justice (DoJ) has revealed that this week, a warrant for the seizure of crypto assets valued at $1.09m (£800,000) was unsealed by the US Attorney’s Offices for the Eastern District of Virginia and the District of Columbia. The seizure itself took place some months ago.
The funds in question were paid out on or around 4 April 2023 by a victim who handed over 49.31 bitcoin in exchange for the BlackSuit gang agreeing to decrypt their data. The payment was worth about $1.45m at the time. A portion of this total was repeatedly deposited and withdrawn into a virtual currency exchange account, before being frozen by the exchange in January 2024.
“Disrupting ransomware infrastructure is not only about taking down servers – it’s about dismantling the entire ecosystem that enables cyber criminals to operate with impunity,” said Michael Prado, deputy assistant director of the Cyber Crimes Center at Homeland Security Investigations (HSI), the investigative branch of the federal government Department of Homeland Security (DHS).
“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable,” said Prado.
HSI Washington DC acting special agent in charge Christopher Heck added: “This investigation reflects the full reach of HSI’s cyber mission and our commitment to protecting victims – whether they’re small businesses, school systems, or hospitals. We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide.”
Deputy director Paul Foster, head of the NCA’s National Cyber Crime Unit, said: “Ransomware is the most damaging cyber crime threat globally and the BlackSuit strain has impacted victims in the UK and overseas.
“The NCA, alongside the North West Regional Organised Crime Unit worked closely with HSI and other international partners over the past year, sharing intelligence which contributed to the disruption of this criminal group.
“We continue to support UK-based victims of BlackSuit attacks and would encourage anyone who thinks they have been targeted to come forward and report it,” added Foster. “Further support and advice on protecting yourself from ransomware can be found at NCSC.gov.uk.”
This investigation reflects the full reach of HSI’s cyber mission and our commitment to protecting victims. We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide Christopher Heck, Homeland Security Investigations
A prolific ransomware actor, BlackSuit was likely comprised of individuals with historic links to the Conti gang. It first surfaced in early 2022, likely acting as an affiliate of other gangs, before emerging as Royal with its own encryptor that autumn. It went on to rebrand as BlackSuit following a major attack on the City of Dallas in Texas, but it then lay quiet until last summer, when it started to ramp up the tempo of its attacks again.
During its operational life, it is thought that BlackSuit attacked almost 500 victims in the US alone and extorted over $370m in payments.
Its targeting included victims in many critical infrastructure sectors, such as government bodies, healthcare and manufacturing. As noted, one of its most noteworthy victims was the City of Dallas, which was attacked in spring 2023.
In this infamous incident, the gang was able to gain access to the city government’s systems using a stolen account, and exfiltrated over a terabyte’s worth of files over a four-week period, before executing its ransomware payload.
While BlackSuit operated a fairly standard double encryption business model, it was somewhat noteworthy in its approach to encrypting its victims’ data, using a partial encryption approach that allowed its operators to choose how much data in a file to encrypt. This tactic meant the gang could work quicker and evade detection.
The outlook is still Chaos
Notwithstanding the success of the joint operation, ransomware actors are notoriously difficult to pin down and, when cornered, have a frustrating habit of melting into the shadows and re-emerging with a new identity further down the line.
In the case of BlackSuit, the gang’s next rebrand may already be in progress. In late July, researchers at Cisco Talos published intelligence linking an emergent ransomware-as-a-service (RaaS) operation dubbed Chaos to former BlackSuit operatives.
In their assessment, the Cisco Talos team said it was likely that based on similarities in tactics, techniques and procedures (TTPs) – including encryption commands, the broad theme and structure of its ransom note, and the use of similar tools in its attacks – Chaos was “either a rebranding of the BlackSuit ransomware or operated by some of its former members”.
This article was updated at 19:35 on 13 August to incorporate a quote from the UK’s National Crime Agency.
Read more on Hackers and cybercrime prevention
15 of the biggest ransomware attacks in history
By: Mary Pratt
A landscape forever altered? The LockBit takedown one year on
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
