US officials took down significant infrastructure of notorious ransomware group BlackSuit, seizing domain names, servers, and approximately $1 million worth of cryptocurrency.
The Justice Department on Monday announced that the coordinated effort took place in late July and involved multiple U.S. and foreign agencies.
A warrant was recently made public to seize cryptocurrency assets valued at just over $1 million at the time.
Officials stressed that dismantling ransomware operations is not about taking down servers but about disrupting the broader ecosystem that enables cybercriminal networks to operate.
BlackSuit, linked to the Royal ransomware group as a spin-off, has been active since at least 2023.
It has also been one of the targets of the United States government’s broader effort to disrupt cyber extortion networks.
The government recently imposed sanctions on the ransomware hosting service Aeza Group.
Multi-Agency, International Effort Targets a Global Threat
Notably, DHS-HSI led the takedown operation, assisted by the United States Secret Service, the IRS, and the FBI.
International partners in this operation included law enforcement agencies from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
The authorities disclosed that BlackSuit has persistently hit critical infrastructure in sectors such as healthcare, government, manufacturing, and commercial establishments.
The group would typically demand ransom in Bitcoin via darknet websites and use harsh extortion measures.
U.S. officials say such attacks pose a serious threat to national security, with the disruption of critical services among their purported aims.
BlackSuit’s Illegal Activity and Ransomware Trends
BlackSuit has launched more than 450 confirmed attacks inside the United States alone since 2022, raking in more than $370 million in ransom payments.
The group employed double-extortion methods, encrypting the computers of victims and threatening to dump stolen data if ransoms were not paid.
One victim in a high-profile 2023 case paid 49.3 BTC, equivalent to around $1.4 million at the time, to decrypt data.
The frozen $1 million in cryptocurrency came from that ransom; it was moved back and forth through a pool account repeatedly until the money was seized early in 2024.
BlackSuit’s ransom demands have varied between $1 million and $10 million, with a peak amount of $60 million.
Seizures Extend Beyond BlackSuit as Ransomware Landscape Evolves
The BlackSuit shutdown is one piece of an expanded law enforcement effort against ransomware actors.
In July, UnoCrypto reported that the FBI in Dallas seized 20 BTC, valued at approximately $2.4 million, from a prominent member of the Chaos ransomware group.
Those assets are now the target of a civil forfeiture suit in Texas federal court, possibly to be added to the US Strategic Digital Asset Reserve for future ownership by the nation.
Figures for the US government’s Bitcoin holdings vary significantly, ranging from around 28,000 BTC to over 198,000 BTC, in assets seized from various cybercrime cases.
These recent operations show how federal agencies are crippling not only ransomware groups’ infrastructure but also their financial lifelines in order to curtail their activities.
Emerging Threats Signal Persistent Cybersecurity Challenges
Even as BlackSuit is dismantled, new ransomware groups continue to emerge.
Blockchain analytics firm TRM Labs recently identified a crew called Embargo, which is believed to be a successor to the dismantled BlackCat operation.
The crew is reportedly laundering crime proceeds in cryptocurrency wallets, with an estimated $18.8 million sitting idle in wallets of unknown origin.
These developments highlight a persistent problem for law enforcement, as ransomware communities tend to reconstitute under new names and structures.
Law enforcement agencies have emphasized the need for continued international cooperation, targeted asset forfeiture, and rapid exchange of intelligence.