Multiagency investigation leads to seizure of cryptocurrency and servers linked to BlackSuit ransomware operations

Alexandria, Virginia – The Justice Department announced the takedown of the BlackSuit (Royal) Ransomware group’s infrastructure, marking a significant blow to one of the most persistent cybercriminal operations targeting U.S. critical infrastructure. The coordinated action, which took place on July 24, resulted in the seizure of four servers, nine domains, and virtual currency valued at $1,091,453 at the time of seizure.

The joint operation was carried out by the Department of Homeland Security’s Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), the FBI, and law enforcement agencies from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania. The U.S. Attorney’s Offices for the Eastern District of Virginia and the District of Columbia announced the unsealing of the warrant connected to the cryptocurrency seizure.

Leaders Praise Disruption of Criminal Network

“This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia. “When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches.”

Assistant Attorney General for National Security John A. Eisenberg warned of the severe risks posed by such criminal groups. “The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” he said. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

U.S. Attorney Jeanine Ferris Pirro for the District of Columbia echoed the determination to combat cybercrime. “Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others,” she said. “Whether these criminals target law enforcement, other government agencies, or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”

Targeting the Core of Ransomware Operations

The investigation struck at the heart of BlackSuit’s ecosystem, targeting not just its digital infrastructure but also the financial flows that sustain it. “Disrupting ransomware infrastructure is not only about taking down servers—it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, Deputy Assistant Director for HSI’s Cyber Crimes Center (C3).

Christopher Heck, Special Agent in Charge of HSI Washington, D.C., highlighted the broader mission impact. “This investigation reflects the full reach of HSI Washington, D.C.’s cyber mission and our commitment to defending victims—whether they’re small businesses, school systems, or hospitals,” he said.

The U.S. Secret Service also emphasized the operational blow dealt to the group. “This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said William Mancino, Special Agent in Charge of its Criminal Investigative Division.

Following the Money Trail

IRS Criminal Investigation played a key role in tracing and seizing the group’s illicit profits. “This announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” said Executive Special Agent in Charge Kareem Carter.

Authorities revealed that the seized funds were part of proceeds from a ransom payment made on April 4, 2023, when a victim paid 49.3120227 Bitcoin—valued at $1,445,454.86 at the time—for a decryption key. The funds, totaling $1,091,453, were later frozen by a virtual currency exchange on January 9, 2024.

Ongoing Threats and Defensive Measures

According to a joint FBI and Cybersecurity & Infrastructure Security Agency (CISA) advisory, BlackSuit (Royal) ransomware has targeted multiple critical sectors, including manufacturing, government facilities, healthcare, public health, and commercial entities. The advisory also provided details on the tactics, techniques, and procedures (TTPs) used by the group, along with indicators of compromise (IOCs) to aid in prevention and mitigation.

Royal ransomware victims are typically directed to pay in Bitcoin via darknet portals, a method designed to obscure identities and complicate recovery efforts. This latest takedown is intended to not only disrupt operations but also signal the global resolve to pursue cybercriminals across borders.

Through close collaboration between U.S. agencies and international partners, authorities aim to ensure that ransomware groups like BlackSuit face constant disruption, limited operational capacity, and reduced ability to profit from their attacks.

Marco Harmon

I was born and raised in Roanoke, VA. I studied Communications Studies at Roanoke College, and I’ve been part of the news industry ever since. Visiting my favorite downtown Roanoke bars and restaurants with my friends is how I spend most of my free time when I'm not at the desk.