Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations

The Justice Department announced today coordinated actions against the BlackSuit (Royal) Ransomware group which included the takedown of four servers and nine domains on July 24, 2025. The takedown was conducted by the Department of Homeland Security’s Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), the FBI, and international law enforcement from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania. These actions include the unsealing of a warrant for the seizure of virtual currency valued at $1,091,453 at the time of the seizure. The unsealing was announced today jointly by the U.S. Attorney’s Offices for the Eastern District of Virginia and the District of Columbia.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

“This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said U.S. Attorney Erik S. Siebert for the Eastern District of Virginia. “When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches.”

“Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others,” said U.S. Attorney Jeanine Ferris Pirro for the District of Columbia. “Whether these criminals target law enforcement, other government agencies, or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Deputy Assistant Director Michael Prado for HSI’s Cyber Crimes Center (C3). “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said Special Agent in Charge William Mancino of the U.S. Secret Service’s Criminal Investigative Division. “The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”

“This announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” said Executive Special Agent in Charge Kareem Carter of the IRS-CI Washington Field Office. “Criminal software like the BlackSuit Ransomware group is deployed to steal, extort victims, and launder proceeds of these activities. IRS Criminal Investigation Washington, D.C., Cyber Crimes Unit will continue to work hand in hand with our law enforcement partners to leverage all available tools to identify, apprehend and hold accountable these bad actors and put an end to their illicit activity.”

As detailed in an announcement by HSI, an operation by U.S. law enforcement in close coordination with international partners successfully seized servers, domains, and digital assets used by the BlackSuit Ransomware group to deploy ransomware, extort victims, and launder proceeds of these activities. Some of those proceeds included approximately $1,091,453 in virtual currency (valued at the time of the theft) – which was separately seized by the U.S. Attorney’s Office for the District of Columbia using evidence collected by the U.S. Attorney’s Office for the Eastern District of Virginia on or about June 21, 2024.

As previously described in a joint FBI and Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Advisory, BlackSuit (Royal) ransomware attacks have targeted numerous critical infrastructure sectors including, but not limited to, critical manufacturing, government facilities, healthcare and public health, and commercial facilities. The advisory also describes the tactics, techniques, and procedures (TTPs) used and indicators of compromise (IOCs) to help organizations protect against ransomware.

Royal victims are typically required to pay ransoms in BTC by accessing a darknet website. On or about April 4, 2023, a victim paid a ransom of 49.3120227 Bitcoin to decrypt their data. This ransom was worth $1,445,454.86 at the time of the transaction. A portion of those proceeds ($1,091,453) was repeatedly deposited and withdrawn into a virtual currency exchange account until the funds were frozen by that exchange on or about Jan. 9, 2024.

HSI, the U.S. Secret Service, IRS-CI, and the FBI are investigating the case alongside the United Kingdom’s National Crime Agency and Northwest Regional Organized Crime Unit, Germany’s Landeskriminalamt Niedersachsen, Ireland’s An Garda Síochána – Garda National Cyber Crime Bureau, France’s Office Anti-Cybercriminalité, Canada’s Royal Canadian Mounted Police and Delta Police Department, Ukraine’s National Police – Cyber Police Department, and Lithuania’s Criminal Police Bureau.

The government is represented by Assistant U.S. Attorney Laura D. Withers for the Eastern District of Virginia, Trial Attorney Jacques Singer-Emery of the National Security Division’s National Security Cyber Section, and Assistant U.S. Attorney Rick Blaylock Jr. for the District of Columbia.