On July 24, 2025, U.S. and international law enforcement agencies carried out a coordinated operation against the BlackSuit (formerly Royal) ransomware group. Authorities dismantled four servers, seized nine domains, and confiscated over one million dollars in illicit cryptocurrency.
The takedown was conducted under Operation Checkmate, a Europol Joint Cybercrime Action Task Force (J-CAT) initiative targeting BlackSuit. The group and its predecessor, Royal, have been responsible for extensive attacks worldwide, including targeting Octapharma Plasma in the United States, organizations in Germany, and Japanese media giant Kadokawa.
BlackSuit and Royal’s Criminal Impact
A 2024 advisory from the Cybersecurity and Infrastructure Security Agency (CISA) identified BlackSuit as the successor to the Royal ransomware group, which operated between 2022 and 2023. The two share numerous coding similarities, and BlackSuit has carried forward many of its predecessor’s methods, including double-extortion tactics that combine system encryption with threats to leak stolen data. Together, the two groups compromised more than 450 known U.S. victims across healthcare, public safety, energy, education, and government institutions, extorting over $370 million in ransom payments.
A Multinational Disruption
Authorities from Canada, France, Germany, Ireland, Lithuania, Ukraine, the United Kingdom, and the United States struck at both the infrastructure and finances that enabled BlackSuit’s operations. They seized servers, domains, and digital assets that supported key elements of the criminal group’s campaigns, from deploying ransomware to extorting victims and obfuscating criminal proceeds.
Operation Checkmate advances the objectives laid out in the Ransomware Task Force’s 2021 recommendations: disrupting the systems that facilitate ransom payments (Objective 2.1); dismantling infrastructure used by ransomware operators (Objective 2.2); and disrupting ransomware developers, affiliates, and variants (Objective 2.3). The takedown also follows Action 2.3.1, which calls for increasing government intelligence sharing on ransomware. By targeting both the technical backbone and the financial flows, Operation Checkmate demonstrates how collaborative law enforcement action can erode the ransomware business model.
To build on this progress, disruptions like Operation Checkmate should be approached as elements of a broader, sustained public-private anti-ransomware campaign (Action 1.2.3). Such a campaign would be continuous, adaptive, and collaborative—allowing the public and private sectors to work together in ways that turn successful disruption into lasting strategic gains.
Follow the Money
This takedown highlights that ransomware endures because it is profitable, and seizing illicit funds strikes at that incentive. IST’s 2024 Information Sharing in the Ransomware Payment Ecosystem report examined three case studies, including the Colonial Pipeline ransom recovery that underscored how recovering ransoms can both mitigate the financial harm to victims and deprive attackers of the resources they need to operate.
Seizing ransom payments represents more than a one-time victory. Each recovery fractures the ransomware business model, making it harder for cyber criminals to reinvest in infrastructure and expand their reach in a process identified as the resourcing phase. When paired with infrastructure takedowns and public-private information sharing, financial disruption can amplify the long-term impact of law enforcement actions.
Conclusion
Some reporting notes that BlackSuit has already begun to rebrand as Chaos. Even so, Operation Checkmate is still impactful both tactically and symbolically: it illustrates how coordinated international action can raise costs for attackers, signal continued pressure from law enforcement, and strengthen the playbook for future disruptions. As ransomware groups continue to fragment and rebrand, such operations remind us that persistent, multinational collaboration can deliver meaningful setbacks to organized cybercrime.
