Global Operation Disrupts BlackSuit Ransomware Group With Major Dark Web Seizures

In a coordinated international law enforcement effort dubbed Operation Checkmate, authorities have successfully seized the key dark web domains operated by BlackSuit, one of the world’s most prolific ransomware gangs. This operation marks a significant advance in the global battle against ransomware, crippling a network that extorted hundreds of organizations and garnered over half a billion dollars in ransom payments.

A Coordinated International Takedown

The seizure, which took place in July 2025, involved collaborative efforts among U.S. Homeland Security Investigations (HSI), the FBI, Europol, the UK’s National Crime Agency, and law enforcement agencies from Germany, Ukraine, Lithuania, and Canada. Cybersecurity company Bitdefender also provided vital intelligence and victim support, highlighting the growing importance of public–private partnerships in combating cybercrime.

BlackSuit’s seized .onion sites—previously used for data leaks and ransom negotiations—now feature banners declaring law enforcement control. These sites were central to the group’s operations, enabling the publication of stolen data and facilitating extortion schemes against organizations across healthcare, education, government, and business sectors.

The Legacy of BlackSuit: Tactics and Lineage

First emerging in spring 2023, BlackSuit employed a sophisticated double-extortion model: encrypting victims’ files while simultaneously threatening to release confidential data unless a ransom was paid. Investigations suggest that the group avoided targeting organizations in the Commonwealth of Independent States, a common characteristic of cybercriminals operating from Russia or neighboring regions.

Cybersecurity experts believe BlackSuit is a rebranding of the Royal ransomware group, itself descended from the notorious Conti syndicate, one of the most infamous Russian cybercrime gangs. Over several years, BlackSuit and its predecessors are estimated to have extorted more than $500 million, with individual ransom demands sometimes exceeding $2 million.

The Ongoing Threat: Rebranding as Chaos

While law enforcement agencies celebrate the disruption, cyber threat analysts caution that such groups often reconstitute under new names. Within months of the takedown, researchers from Cisco Talos and others observed a new actor—Chaos ransomware—adopting similar tactics and targeting a broad range of systems, including Windows, Linux, and ESXi platforms. Evidence suggests that Chaos is operated by former BlackSuit affiliates, continuing their campaign of double extortion against global victims.
