The U.S. Department of Justice announced it had dismantled key infrastructure linked to a notorious Russian ransomware group, taking control of its servers and recovering about $1 million worth of bitcoin. The gang, known for deploying BlackSuit and Royal malware in cyberattacks, has been tied to a string of high-profile extortion cases worldwide.
The announcement also noted that the seized bitcoin came from a digital currency exchange account, with the funds having been frozen in January 2024.
The Justice Department said the takedown was the result of a coordinated international operation involving agencies from the U.S., Canada, Germany, Ireland, France, the U.K., and several other countries. On July 24, investigators confiscated four servers, shut down nine online domains, and secured roughly $1 million in digital currency. Authorities believe the same Russian hacking network is behind both the Royal and BlackSuit ransomware strains, which have been used to breach and extort critical infrastructure operators in the U.S. and other nations.
In the press release, Assistant Attorney General for National Security John A. Eisenberg said, “The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety.”
“This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said U.S. Attorney Erik S. Siebert for the Eastern District of Virginia. “When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches.”
ICE’s Homeland Security Investigations, which spearheaded the probe, said Royal and BlackSuit have infiltrated over 450 organizations in the United States, “including entities in the healthcare, education, public safety, energy and government sectors.” Since 2022, the group is believed to have collected more than $370 million in ransom payments.
The U.S. cybersecurity agency CISA had said in an advisory last year, “BlackSuit actors have demanded over $500 million USD in total and the largest individual ransom demand was $60 million.”
The takedown marks a significant blow to one of the most active ransomware operations in recent years, underscoring the growing impact of cross-border cooperation in tackling cybercrime. While the seizure of servers, domains, and funds disrupts the gang’s immediate activities, authorities caution that such groups often re-emerge under new identities. This latest crackdown reinforces that law enforcement is steadily tightening the net around cybercriminal groups threatening essential services and infrastructure.
The U.S. is no stranger to such large-scale ransomware attacks, most notably the 2021 Colonial Pipeline breach, which caused widespread fuel shortages along the East Coast and highlighted the real-world impact of digital threats.