US and global law enforcement dismantled the BlackSuit ransomware group, seizing $1M in crypto in a coordinated crackdown.
US and international law enforcement agencies have taken down servers and websites linked to BlackSuit. For context, BlackSuit is a ransomware group that has been responsible for hundreds of cyberattacks over the last three years.
The coordinated takedown led to the seizure of around $1 million in crypto and the removal of the group’s servers and websites.
BlackSuit’s Role in Ransomware Attacks
According to the Justice Department, the operation took place in late July. It involved multiple agencies, including Homeland Security Investigations, the FBI, the Secret Service and the IRS.
Law enforcement from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania also participated.
BlackSuit Ransomware site seized by US Homeland Security pic.twitter.com/7b9kLHjgy6
— vxdb (@vxdb) July 24, 2025
By way of background, BlackSuit was a successor to the Royal ransomware gang and has been active for at least the last three years. Authorities say the group targeted infrastructure sectors like healthcare, manufacturing, government facilities and commercial enterprises.
The Department of Homeland Security’s Cyber Crimes Centre stated that the group used double-extortion tactics. Victims’ systems were encrypted, and stolen data was threatened with public release to pressure payment.
Most ransom demands were made in Bitcoin, with amounts typically ranging from $1 million to $10 million. The largest known demand reached $60 million.
How the Funds Were Seized
The Justice Department revealed that one victim paid 49.3 BTC, worth about $1.4 million at the time, to regain access to their data.
About $1 million was moved in and out of a crypto exchange account before being frozen early last year.
Authorities did not disclose the name of the exchange. Since it first became active, BlackSuit has attacked over 450 known victims in the United States. The group has also collected more than $370 million in ransom payments.
Officials believe that this figure includes incidents linked to the Royal group before its rebranding.
International Cooperation in the Takedown
The takedown effort was not limited to the United States. Agencies across Europe and North America also played a part in ending BlackSuit’s reign of terror. UK, German, Irish, French, Canadian, Ukrainian and Lithuanian law enforcement worked alongside US agencies to track and seize the group’s assets.
William Mancino, a special agent in charge at the US Secret Service, said that the operation “strikes a blow” against BlackSuit.
However, cybersecurity experts are warning that ransomware groups often regroup and rebrand after law enforcement actions.
BlackSuit’s Criminal Reach
The Homeland Security Investigations division of US Immigration and Customs Enforcement estimated that BlackSuit had over 150 entries on its data leak site before it went offline.
These entries represented organisations whose data the group threatened to publish unless a ransom was paid.
Bitdefender, a cybersecurity company involved in the operation, confirmed that the group was behind some of the harshest attacks in the last year. These were against industries like education, research, health care, and construction.
In all, ransom demands from this group often fell between $1 million and $10 million.
The Justice Department and its international partners are still on the lookout for signs of BlackSuit’s possible return or transformation into a new group.
Source: https://www.livebitcoinnews.com/us-hits-blacksuit-ransomware-gang-hard-takes-down-servers-and-seizes-1-million-in-crypto/