Global law enforcement agencies have dealt a significant blow to the notorious BlackSuit ransomware gang, successfully seizing their darknet data leak and negotiation portals in a coordinated international operation on Thursday, July 24, 2025. This decisive action marks a major victory against a group responsible for extorting hundreds of millions of dollars from victims worldwide.
The seized darknet sites, which BlackSuit used to publish stolen data from uncooperative victims and facilitate ransom negotiations, now display a splash page announcing their seizure by U.S. Homeland Security Investigations (HSI) and a coalition of international law enforcement entities. The page prominently features the logos of 17 participating agencies alongside cybersecurity firm Bitdefender, underscoring the collaborative nature of the takedown.
BlackSuit, believed to be a rebrand of the prolific Royal ransomware group and with reported ties to the infamous Russian-linked Conti operation, emerged in April/May 2023. The group quickly became one of the most active threats, employing “double extortion” tactics: not only encrypting victims’ systems but also exfiltrating sensitive data and threatening to leak it publicly if ransoms, often ranging from $1 million to $10 million, were not paid. The FBI and CISA had previously estimated BlackSuit’s total demands to exceed $500 million.
Victims of BlackSuit’s attacks spanned various critical sectors, including healthcare, education, and government. Notable incidents attributed to the group include attacks against Japanese media giant Kadokawa and the Tampa Bay Zoo, as well as a significant disruption to blood plasma collection centers operated by Octapharma in April 2024.
The seizure of these crucial digital assets is expected to severely hamper BlackSuit’s operations, disrupting their ability to pressure victims and profit from their illicit activities. While the core operators may still be at large, the disruption to their infrastructure is a clear message that international law enforcement is actively pursuing cybercriminals across borders. This operation highlights the increasing effectiveness of global cooperation in combating the ever-evolving threat of ransomware.
