Law Enforcement Seizes Servers, Domains, and Approximately $1 Million In Laundered Proceeds Owned By BlackSuit (Royal) Ransomware
August 11, 2025
The Justice Department announced today coordinated actions against the BlackSuit (Royal) Ransomware group which included the takedown of four servers and nine domains on July 24, 2025. The takedown was conducted by the Department of Homeland Security’s Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), the FBI, and international law enforcement from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania. These actions include the unsealing of a warrant for the seizure of virtual currency valued at $1,091,453 at the time of the seizure. The unsealing was announced today jointly by the U.S. Attorney’s Offices for the Eastern District of Virginia and the District of Columbia.
As detailed in an announcement by HSI, an operation by U.S. law enforcement in close coordination with international partners successfully seized servers, domains, and digital assets used by the BlackSuit Ransomware group to deploy ransomware, extort victims, and launder proceeds of these activities. Some of those proceeds included approximately $1,091,453 in virtual currency (valued at the time of the theft) – which was separately seized by the U.S. Attorney’s Office for the District of Columbia using evidence collected by the U.S. Attorney’s Office for the Eastern District of Virginia on or about June 21, 2024.
As previously described in a joint FBI and Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Advisory, BlackSuit (Royal) ransomware attacks have targeted numerous critical infrastructure sectors including, but not limited to, critical manufacturing, government facilities, healthcare and public health, and commercial facilities. The advisory also describes the tactics, techniques, and procedures (TTPs) used and indicators of compromise (IOCs) to help organizations protect against ransomware.
Royal victims are typically required to pay ransoms in BTC by accessing a darknet website. On or about April 4, 2023, a victim paid a ransom of 49.3120227 Bitcoin to decrypt their data. This ransom was worth $1,445,454.86 at the time of the transaction. A portion of those proceeds ($1,091,453) was repeatedly deposited and withdrawn into a virtual currency exchange account until the funds were frozen by that exchange on or about Jan. 9, 2024.
HSI, the U.S. Secret Service, IRS-CI, and the FBI are investigating the case alongside the United Kingdom’s National Crime Agency and Northwest Regional Organized Crime Unit, Germany’s Landeskriminalamt Niedersachsen, Ireland’s An Garda Síochána – Garda National Cyber Crime Bureau, France’s Office Anti-Cybercriminalité, Canada’s Royal Canadian Mounted Police and Delta Police Department, Ukraine’s National Police – Cyber Police Department, and Lithuania’s Criminal Police Bureau.
The government is represented by Assistant U.S. Attorney Laura D. Withers for the Eastern District of Virginia, Trial Attorney Jacques Singer-Emery of the National Security Division’s National Security Cyber Section, and Assistant U.S. Attorney Rick Blaylock Jr. for the District of Columbia.
Updated August 11, 2025
Read the full press release from the DOJ Office of Public Affairs