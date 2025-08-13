The US authorities have revealed more details of a major law enforcement operation to disrupt a prolific ransomware group, including the seizure of funds stolen from one of its victims.

The Department of Justice (DoJ) said this week that it coordinated actions leading to the takedown of four servers and nine domains thought to have been used by the BlackSuit group.

It also unsealed a warrant for the seizure of cryptocurrency valued at around $1.1m at the time of the theft, from a BlackSuit victim. This related to a ransom payment of 43 bitcoin made in April 2023, worth $1.4m at the time of the transaction, the DoJ said.

Some $1.1m of these funds was “repeatedly deposited and withdrawn” from a crypto-exchange account until it was frozen by that exchange in January 2024, it explained.

This seizure, kept a secret until now, pre-empted Operation Checkmate, a US-led global law enforcement initiative to disrupt the ransomware group.

That DoJ-coordinated operation featured the Department of Homeland Security’s Homeland Security Investigations (HSI), the US Secret Service, IRS Criminal Investigation (IRS-CI), the FBI, the UK’s National Crime Agency (NCA), and investigators from Germany, Ireland, France, Canada, Ukraine and Lithuania.

It resulted in the seizure of domains and servers on July 24 2025, as well as unspecified “digital assets” apparently designed to help the group deploy ransomware, extort victims and launder its proceeds.

“This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said US attorney Erik Siebert.

“When it comes to protecting US businesses, critical infrastructure, and other victims from ransomware and other cyber-threat actors, we will pull no punches.”

A Royal Rebrand

BlackSuit rebranded from “Royal” in July 2023 and has been in operation since September 2022, and also has ties to the now-defunct Conti group.

An August 2024 report from the US Cybersecurity and Infrastructure Security Agency (CISA) claimed it had demanded more than $500m from its victims over that time, although it’s unclear how much it was actually able to extort.

BlackSuit/Royal frequently targeted critical manufacturing, government facilities, healthcare and commercial facilities, according to the DoJ.

It was most notably responsible for an attack on the City of Dallas in 2023 which resulted in the compromise of several servers and widespread disruption to public services, including 911 dispatch systems.