Invaders

Operation Checkmate: BlackSuit Extortion Sites Seized

July 26, 2025

A Landmark Blow Against BlackSuit Ransomware

On July 24–25, 2025, law enforcement agencies from around the world executed “Operation Checkmate,” successfully seizing several .onion domains operated by the BlackSuit ransomware gang—including their data leak and negotiation portals. Anyone now visiting these pages on the dark web finds banners announcing:

“This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation.”

International Collaboration

The operation was truly global, involving more than a dozen agencies:

  • U.S. Homeland Security Investigations (HSI)
  • Department of Justice (DOJ)
  • FBI
  • U.S. Secret Service
  • Europol
  • UK National Crime Agency
  • German State Criminal Police
  • Dutch National Police
  • Ukraine Cyber Police
  • Support from Bitdefender’s Draco Team, among others.

The Rise (and Fall) of BlackSuit

Who were BlackSuit?
Active since April/May 2023, BlackSuit operated as a private ransomware gang—not as a Ransomware-as-a-Service (RaaS). The group is widely believed to have succeeded Royal, itself linked to Quantum and the infamous Conti syndicate. Over their operational span, BlackSuit:

  • Allegedly demanded over $500 million in ransom.
  • Breached hundreds of organizations globally—including hospitals, schools, manufacturers, and even the Tampa Bay Zoo and Japan’s Kadokawa.
  • Used classic double-extortion: encrypting files and threatening to publish sensitive data if the ransom went unpaid.

Aftermath & New Threats: The Rise of Chaos

Is ransomware gone for good? Not quite.
Experts at Cisco Talos warn that remnants of BlackSuit may have reassembled as the newly identified Chaos ransomware group. Signs of this evolution include:

  • Similarities in command structure and ransom notes.
  • Continued use of living-off-the-land binaries (LOLbins) and remote admin tools (AnyDesk, ScreenConnect).

Chaos emerged around February 2025, mainly hitting U.S. targets and offering its services in a RaaS model. Security analysts assess with moderate confidence that Chaos may be a straight rebrand or a project run by former BlackSuit members.

Why This Takedown Matters

  • Seizing BlackSuit’s leak and negotiation sites is a body blow to their criminal business model, severing channels for victim communication and public extortion.
  • Ransomware gangs are resilient: BlackSuit’s suspected rebranding as Chaos is a textbook example of how criminal groups quickly adapt, evade law enforcement, and resume malicious operations.
  • International teamwork works: Operation Checkmate highlights a new level of effectiveness in global, public-private cybercrime disruption—and the ever-growing need for proactive defense.

Key Takeaways

  • If your organization is hit by ransomware, check official sources for updates—attackers’ portals may be seized or inactive during law enforcement action.
  • Stay alert: Even after a major takedown, successor gangs often surface with fresh tactics.
  • Invest in defense: Security awareness, patch management, and incident response planning remain vital as threat actors continually evolve.

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.