On July 24–25, 2025, law enforcement agencies from around the world executed “Operation Checkmate,” successfully seizing several .onion domains operated by the BlackSuit ransomware gang—including their data leak and negotiation portals. Anyone now visiting these pages on the dark web finds banners announcing:
“This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation.”
The operation was truly global, involving more than a dozen agencies:
Who were BlackSuit?
Active since April/May 2023, BlackSuit operated as a private ransomware gang, not as a Ransomware-as-a-Service (RaaS) operation. The group is widely believed to have succeeded Royal, itself linked to Quantum and the infamous Conti syndicate. Over their operational span, BlackSuit:
Is ransomware gone for good? Not quite.
Experts at Cisco Talos warn that remnants of BlackSuit may have reassembled as the newly identified Chaos ransomware group. Signs of this evolution include:
Chaos emerged around February 2025, mainly hitting U.S. targets and offering its services in a RaaS model. Security analysts assess with moderate confidence that Chaos may be a straight rebrand or a project run by former BlackSuit members.
Written by
Research