Washington, D.C. — In a major international crackdown on cybercrime, the U.S. Department of Justice (DOJ) revealed today the coordinated disruption of the BlackSuit ransomware group, also known as Royal — a criminal organization associated with extensive attacks on critical infrastructure in the U.S.
On July 24, 2025, federal agencies, in collaboration with law enforcement partners from seven nations, successfully dismantled significant components of BlackSuit’s worldwide network. This operation resulted in the shutdown of four servers, the seizure of nine internet domains, and the confiscation of around $1.1 million in laundered cryptocurrency tied to ransom payments.
This extensive multi-agency initiative involved the Department of Homeland Security’s Homeland Security Investigations (HSI), the FBI, the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), along with prosecutors from the Eastern District of Virginia and the District of Columbia. International partners included law enforcement agencies from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “We are proud to be part of a global coalition defending our critical systems.”
Assistant U.S. Attorney Erik S. Siebert called the operation a “disruption-first approach” against ransomware threats, vowing that U.S. law enforcement would “pull no punches” to protect victims.
U.S. Attorney Jeanine Ferris Pirro for the District of Columbia emphasized the damage these groups cause: “Whether these criminals target law enforcement, other government agencies, or private companies, we are ready to go toe-to-toe with them.”
$1.1 Million in Crypto Seized
As per the recently unsealed court documents, the Department of Justice confiscated around $1,091,453 in cryptocurrency that is thought to be linked to a ransomware payment made in 2023. On April 4, 2023, a victim paid a ransom of 49.31 Bitcoin — valued at over $1.4 million at that time — in order to recover access to their encrypted data. A segment of these funds was channeled through a virtual currency exchange and was subsequently frozen by authorities in January 2024.
“This announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” said Executive Special Agent in Charge Kareem Carter.
Officials highlighted that the operation aimed not just at shutting down servers, but also at breaking apart the infrastructure that underpins the ransomware economy.
“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said Special Agent in Charge William Mancino of the U.S. Secret Service’s Criminal Investigative Division.
“It is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable,” added HSI Cyber Crimes Center Deputy Assistant Director Michael Prado.
Targeting U.S. Critical Infrastructure
BlackSuit, which was previously referred to as Royal, has been associated with ransomware attacks that target critical U.S. infrastructure sectors such as healthcare, manufacturing, and government systems. A collaborative advisory from the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) has earlier outlined the group’s strategies and offered recommendations to organizations on how to protect themselves against these threats.
The Department of Justice acknowledged the contributions of Assistant U.S. Attorney Laura D. Withers, National Security Division Trial Attorney Jacques Singer-Emery, and Assistant U.S. Attorney Rick Blaylock Jr. for their significant roles in spearheading the prosecution and asset seizure initiatives.
As ransomware continues to develop into a significant global menace, today’s announcement highlights the effectiveness of international cooperation in dismantling these increasingly advanced cybercriminal enterprises.
