US Seized $1M in Crypto and Servers from BlackSuit Ransomware Group

The United States has seized servers, domain names, and approximately $1 million in cryptocurrency from the BlackSuit ransomware group, a notorious cybercriminal operation linked to hundreds of attacks on critical infrastructure. 

The Justice Department (DOJ) announced Monday that the action was the result of a coordinated international law enforcement effort conducted in late July.

The DOJ revealed that the operation involved the unsealing of a seizure warrant for cryptocurrency valued at just over $1 million at the time. 

“Disrupting ransomware infrastructure is not only about taking down servers, it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director at the Homeland Security Investigations Cyber Crimes Center.

International Operation Targets BlackSuit Network

BlackSuit, believed to be a spinoff of the Royal ransomware gang, has been active since at least 2023. The latest seizure follows other U.S. measures against ransomware networks, including sanctions on Aeza Group, a known ransomware hosting provider, in July.

The DOJ said the takedown was spearheaded by the Department of Homeland Security’s Homeland Security Investigations, with support from the U.S. Secret Service, IRS, FBI, and law enforcement agencies from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.

According to the DOJ, BlackSuit persistently targeted critical infrastructure sectors such as healthcare, government services, manufacturing, and commercial facilities. The group used double-extortion tactics — encrypting victims’ systems while threatening to leak stolen data to force payment — and demanded ransoms primarily in Bitcoin through darknet websites.

Since 2022, BlackSuit has compromised over 450 known U.S. victims and collected more than $370 million in ransom payments.

Bitcoin Ransom Payments Tracked and Seized

One notable case in 2023 saw a victim pay 49.3 BTC, worth about $1.4 million at the time, to regain access to encrypted data. The DOJ reported that part of this ransom — the seized $1 million — was cycled repeatedly through a cryptocurrency exchange account until the funds were frozen in early 2024. The exchange involved was not identified.

Ransom demands from BlackSuit typically ranged from $1 million to $10 million in Bitcoin, with the largest demand reaching $60 million, according to the Cybersecurity and Infrastructure Security Agency.

The DOJ noted that ransomware activity remains dynamic, with new groups emerging to replace dismantled networks. In July, the FBI in Dallas seized 20 BTC (about $2.4 million) from a member of the Chaos ransomware group. 

Last week, analysts at TRM Labs identified a potential BlackCat successor called Embargo, which has over $18.8 million in crypto sitting in dormant wallets.
