The U.S. Justice Department has announced a powerful, coordinated strike against the BlackSuit ransomware group, also known as Royal. In a joint operation on July 24, 2025, U.S. and international law enforcement agencies dismantled key parts of the group’s cybercrime network. This takedown involved seizing four servers, nine domains, and over $1 million in virtual currency.
Assistant Attorney General John A. Eisenberg called the group’s actions a serious threat to U.S. public safety. U.S. Attorney Erik S. Siebert for the Eastern District of Virginia described the move as a “disruption-first approach” to shield businesses and communities. U.S. Attorney Jeanine Ferris Pirro for the District of Columbia pledged to meet cybercriminals “toe-to-toe” to protect victims.
International Action Disrupts Dangerous Cybercrime Operation
The operation was a joint effort between Homeland Security Investigations, the Secret Service, IRS Criminal Investigation, and the FBI, alongside law enforcement partners from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
The BlackSuit group had been targeting U.S. critical infrastructure for years, including industries such as manufacturing, healthcare, government facilities, and commercial sectors.
Critical infrastructure includes essential systems like healthcare, manufacturing, government services, and commercial facilities. When ransomware hits these targets, it can shut down hospitals, delay public services, and disrupt vital industries. Authorities say BlackSuit’s repeated attacks on these sectors posed direct risks to public safety and the economy, making swift action essential.
These attacks often caused serious disruption and put public safety at risk.
How the BlackSuit Ransomware Worked
Ransomware is malicious software that locks victims out of their data until a ransom is paid. BlackSuit used this tactic to demand large sums, often in Bitcoin, from businesses and organizations.
Once a victim's systems were infected, their files were encrypted, and payment was demanded through a darknet website. In one case on April 4, 2023, a victim paid 49.3120227 Bitcoin (worth about $1.45 million at the time) to regain access to their data. About $1,091,453 of those funds were traced to a virtual currency exchange account and later frozen by authorities on January 9, 2024.
Kareem Carter, Executive Special Agent in Charge of the IRS Criminal Investigation’s Washington Field Office, said ransomware like BlackSuit is used to steal, extort, and launder criminal proceeds, and the IRS-CI works to follow the money trail to stop these crimes.
Investigators revealed that BlackSuit often reused servers and websites while hiding its financial activities through complex laundering schemes. The seized servers and domains were crucial in shutting down the group’s ability to operate.
A Global Effort to Dismantle Cybercrime
Michael Prado, Deputy Assistant Director for Homeland Security Investigations’ Cyber Crimes Center, explained that the takedown was the result of “tireless international coordination” to dismantle the ecosystem enabling ransomware attacks. William Mancino, Special Agent in Charge of the U.S. Secret Service’s Criminal Investigative Division, described the seizure as a “critical blow” to BlackSuit’s operations.
This action brought together agencies from North America and Europe, pooling intelligence and technical expertise to locate and seize the group’s infrastructure and digital assets. Evidence gathered during the investigation led to court-authorized seizures of cryptocurrency and online domains.
By striking the servers, websites, and finances, law enforcement significantly weakened BlackSuit’s ability to launch future attacks. Officials emphasized the importance of cooperation between countries to track down cybercriminals, even when they operate across borders.
The result is a strong signal that law enforcement is committed to dismantling ransomware networks and holding their operators accountable, wherever they may hide.