International Law Enforcement Dismantles BlackSuit Ransomware Infrastructure.

A massive coordinated international operation led by U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) successfully dismantled the critical infrastructure of the BlackSuit ransomware group, seizing servers, domains, and over $1 million in laundered cryptocurrency proceeds.

Operation Checkmate: Global Coordination Against Cybercrime

The takedown, dubbed “Operation Checkmate,” involved law enforcement agencies from eight countries working together under a Europol Joint Cyber Action Task Force initiative. The international coalition included:

  • United States: HSI, FBI, Secret Service, IRS Criminal Investigation
  • United Kingdom: National Crime Agency and Northwest Regional Organized Crime Unit
  • Germany: Landeskriminalamt Niedersachsen
  • Ireland: Garda National Cyber Crime Bureau
  • France: Office Anti-Cybercriminalité
  • Canada: Royal Canadian Mounted Police and Delta Police Department
  • Ukraine: Cyberpolice Department
  • Lithuania: Criminal Police Bureau

Massive Criminal Enterprise Disrupted

BlackSuit, which emerged as the successor to the notorious Royal ransomware group, had been wreaking havoc across critical infrastructure since 2022. The criminal operation’s scope was staggering:

  • Over 450 known victims in the United States alone
  • $370 million in total ransom payments collected (based on current cryptocurrency valuations)
  • Targeted sectors included healthcare, education, public safety, energy, and government

The groups employed double-extortion tactics, encrypting victims’ systems while simultaneously threatening to leak stolen data to coerce payment. This approach proved particularly devastating for critical infrastructure sectors where operational disruption could have life-threatening consequences.

Seizures and Financial Impact

The July 24, 2024 operation resulted in significant seizures:

  • Four servers and nine domains dismantled
  • Approximately $1 million in laundered proceeds seized on July 24
  • Additional $1,091,453 in virtual currency seized around June 21, 2024

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado.

High-Profile Attacks and Rebranding

The criminal enterprise gained notoriety through several high-profile attacks, including the devastating 2023 attack that shut down the city of Dallas, which damaged emergency services, courts, and government operations. The group had demanded more than $500 million in ransoms, with some individual demands reaching as high as $60 million.

After drawing significant law enforcement attention, Royal rebranded as BlackSuit, but continued its aggressive targeting of critical infrastructure, including attacks on U.S. grade schools, colleges, prominent companies, and local governments.

Ongoing Prosecution and Future Challenges

The case is being prosecuted by the U.S. Attorney’s Office for the Eastern District of Virginia, which continues collaborating with international partners to pursue legal accountability. However, cybersecurity experts warn that no arrests have been made, and the operators behind BlackSuit retain the skills and funding to potentially restart operations under a new banner. Indeed, former BlackSuit members have already emerged under a new ransomware group called “Chaos” as early as February.
