Category: Cybercrime / Ransomware Infrastructure Takedown
Features: International joint operation, darknet infrastructure seizure, cryptocurrency asset confiscation, pivot to successor group
Delivery Method: Coordinated server/domain seizures, forensic exploitation of seized data, cryptocurrency tracing and asset recovery
Threat Actor: BlackSuit ransomware gang (formerly Royal) — known affiliates now forming Chaos ransomware
The U.S. Justice Department has officially confirmed what the cyber underground has been whispering for two weeks — BlackSuit’s empire has fallen.
The ransomware syndicate, a rebranded continuation of the notorious Royal operation, has been stripped of its darknet extortion sites, its negotiation portals, and much of the technical infrastructure that fueled one of the most profitable ransomware campaigns in recent years.
This takedown, the result of Operation Checkmate, was led by Europol in conjunction with U.S. Homeland Security Investigations (HSI), the FBI, and police forces from over nine countries — including Germany, France, and the United Kingdom. It’s the first public acknowledgment from U.S. authorities since BlackSuit’s leak site was replaced by a seizure banner on its TOR domains.
From Royal to BlackSuit — and $370 Million in Damage
BlackSuit didn’t emerge from nowhere. It was born from Royal, the group responsible for the 2023 cyberattack that crippled the City of Dallas — cutting off critical services, halting courts, and disrupting emergency response. Since their rebrand in 2022, investigators say the gang has struck over 450 U.S. targets, netting more than $370 million in ransom payments. At its peak, Royal/BlackSuit was demanding ransoms exceeding $60 million per victim.
Victims spanned the full spectrum of critical sectors:
- U.S. school districts and universities — disrupting operations and exposing sensitive student data.
- Local governments and municipal networks — including multiple high-profile U.S. cities.
- Global corporations — from Japan’s Kadokawa media empire to the Tampa Bay Zoo.
- Healthcare and life sciences — including the April 2024 Octapharma attack that shut down nearly 200 plasma donation centers nationwide.
The Infrastructure Kill Shot
Two weeks ago, both the public victim portal and private negotiation sites of BlackSuit vanished, replaced with an HSI-led seizure notice. German law enforcement later confirmed the confiscation of core hosting infrastructure — and importantly, the capture of “substantial amounts of operational data” now being forensically analyzed.
U.S. officials revealed the scope of the takedown: servers, domains, and cryptocurrency wallets used to deploy ransomware, communicate with victims, and launder proceeds.
This was not a single blow — it was a systemic disassembly of the ecosystem enabling BlackSuit to operate.
“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,”
— Michael Prado, Deputy Assistant Director, HSI Cyber Crimes Center.
The Royal lineage had made them a prime target for years. The Dallas attack alone put them under persistent surveillance by multiple agencies. Their repeated assaults on public safety networks sealed their fate.
Bitdefender, Europol, and the Private Sector Role
Bitdefender played an operational support role in decryptor development and threat intel coordination, while Cisco Talos’ post-takedown research identified what many feared — elements of the BlackSuit crew are already regrouping.
The new outfit, dubbed Chaos, shares encryption methods, ransom note structure, and operational tooling with BlackSuit. This suggests a straight-line migration of personnel and code — a common resilience tactic among top-tier ransomware groups.
Financial Seizures and the ‘Hors’ Connection
The DOJ has already moved to disrupt Chaos financially. Investigators seized $2.4 million in cryptocurrency tied to an address controlled by a Chaos-linked actor known as “Hors.”
This same actor is suspected of ransomware operations targeting Texas-based organizations and other U.S. entities. The wallet seizure signals an intention to hunt ransomware operators beyond infrastructure seizures — going after the money directly.
The TRJ Verdict
BlackSuit’s fall is a win — but it’s a tactical win, not a strategic one. The same operators, codebases, and laundering channels can re-emerge under new branding in weeks.
The Royal → BlackSuit → Chaos progression shows that ransomware at this scale is no longer a gang — it’s a franchise model. Infrastructure seizures disrupt, but they don’t destroy the skill sets, contacts, and cryptocurrency pipelines that keep these operations alive.
The deeper fight is in denying safe havens, choking off laundering channels, and targeting leadership tiers instead of only the visible infrastructure. Until then, the threat just changes masks.
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 1 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed.
🔥 Kindle Edition 👉 https://a.co/d/9EoGKzh
🔥 Paperback 👉 https://a.co/d/9EoGKzh
🔥 Hardcover Edition 👉 https://a.co/d/0ITmDIB
🔥 NOW AVAILABLE! 🔥
📖 INK & FIRE: BOOK 2 📖
A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed just like the first one.
🔥 Kindle Edition 👉 https://a.co/d/1xlx7J2
🔥 Paperback 👉 https://a.co/d/a7vFHN6
🔥 Hardcover Edition 👉 https://a.co/d/efhu1ON
Get your copy today and experience poetry like never before. #InkAndFire #PoetryUnleashed #FuelTheFire
🚨 NOW AVAILABLE! 🚨
📖 THE INEVITABLE: THE DAWN OF A NEW ERA 📖
A powerful, eye-opening read that challenges the status quo and explores the future unfolding before us. Dive into a journey of truth, change, and the forces shaping our world.
🔥 Kindle Edition 👉 https://a.co/d/0FzX6MH
🔥 Paperback 👉 https://a.co/d/2IsxLof
🔥 Hardcover Edition 👉 https://a.co/d/bz01raP
Get your copy today and be part of the new era. #TheInevitable #TruthUnveiled #NewEra
🚀 NOW AVAILABLE! 🚀
📖 THE FORGOTTEN OUTPOST 📖
The Cold War Moon Base They Swore Never Existed
What if the moon landing was just the cover story?
Dive into the boldest investigation The Realist Juggernaut has ever published—featuring declassified files, ghost missions, whistleblower testimony, and black-budget secrets buried in lunar dust.
🔥 Kindle Edition 👉 https://a.co/d/2Mu03Iu
🛸 Paperback Coming Soon
Discover the base they never wanted you to find. TheForgottenOutpost #RealistJuggernaut #MoonBaseTruth #ColdWarSecrets #Declassified
Support truth, health, and preparedness by shopping the Alex Jones Store through our link. Every purchase helps sustain independent voices and earns us a 10% share to fuel our mission. Shop now and make a difference!
https://thealexjonesstore.com?sca_ref=7730615.EU54Mw6oyLATer7a
Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com
It’s always good to hear when disruptive lawbreakers are brought to justice. At least, I hope that’s what happens. I think the punishment should fit the crime, that the criminals should be held responsible for the losses they have caused. A strong message must be sent to the next gang who attempts something like this so that it might make the next group consider harsh consequences for such actions.
Thank you for the information, John.
You’re very welcome, Chris — I couldn’t agree more. Disruptive lawbreakers like this need to be held fully accountable, not just for the sake of justice in the present case, but to send a clear warning to others who might follow the same path. The punishment should absolutely fit the crime, and restitution for the losses they’ve caused should be non-negotiable. Only by setting strong consequences can we hope to deter the next group from attempting something similar. Always greatly appreciated, Chris — I hope you have a great day and night. 😎
Thanks, John. I hope you have a great day as well!
These hackers are a real public menace. I am sure I read somewhere that many of them are just kids. Is that right?
Thanks for the comment, Paul — you’re absolutely right, they are a serious public menace. And yes, in some cases, ransomware operators or their affiliates can be quite young, sometimes even teenagers, especially when they’re recruited through underground forums or “as-a-service” kits that lower the technical barrier. But make no mistake — regardless of age, the damage they cause is real and can be devastating.
What makes it even worse is that some of these kids aren’t willing participants at all. Criminal groups have been known to traffic or coerce minors into cybercrime — luring them with fake tech jobs, recruiting them through gaming or chat platforms, or even forcing them into cyber “sweatshop” conditions where they have no choice but to participate. In those cases, it’s both a cybersecurity threat and a human trafficking issue, and it’s every bit as serious as it sounds.
Truly frightening stuff. Thanks for the info! 👍🏻
You’re welcome, Paul! 😎
Look at that, another kewl article. Thanks for the update.
You’re welcome — and thank you! I’m glad you enjoyed it. Always happy to keep these updates coming so the threats stay on everyone’s radar. I hope you have a great day. 😎