Skip to content

US Homeland Security seizes BlackSuit ransomware extortion site

  • by
  • 2 min read

Illustration: JMiks | Shutterstock

US law enforcement agencies have seized dark web extortion sites of notorious ransomware gang BlackSuit, known for targeting hundreds of organisations globally. However, security researchers have found evidence to suggest that the gang is coming back after a rebrand.

The US Department of Justice confirmed the takedown in an email seen by BleepingComputer. The takedown, dubbed Operation Checkmate, was a joint operation carried out by several law enforcement agencies around the world including the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor’s Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others.

BlackSuit’s .onion websites were replaced by banners claiming that the site has been seized by the US Homeland Security Investigations as part of a “coordinated international law enforcement investigation.” Cybersec firm Bitdefender was also part of the operation.

This is an image of ransomware 32988sd

However, the operation might not be the checkmate move law enforcement is hoping for. The Cisco Talos threat intelligence research group reported that the gang is likely to rebrand itself as Chaos ransomware, a name that’s already been active since at least February 2025. The Ransomware-as-a-service group has been actively promoting its services on the dark web Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP).

Chaos ransomware’s offering is compatible with Windows, ESXi, Linux, and NAS systems. It also boasts features like individual file encryption keys, rapid encryption speeds, and network resource scanning with an emphasis on high-speed encryption and built-in safety measures.

BlackSuits ransomware is already a rebrand of Royal Ransomware, which emerged in September 2022. Royal ransomware was, in turn, a rebrand of Quantum ransomware that started in January 2022. It’s common practice for ransomware gangs to rebrand themselves under new names and tactics, especially after a takedown by law enforcement.

In the News: US citizen running North Korean IT worker scheme jailed for 8.5 years

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

This is an image of dark web hacker security

Security flaw in Dahua CCTVs allows remote access

This is an image of python windows featured

Hackers are targeting Python developers with fake PyPI sites

This is an image of apple featured 2323424823

Apple patches Safari bug; Already exploited in Chrome

This is an image of dark web hacker security

Vibe coding platform breach exposes corporate apps

This is an image of dark web hacker security

Fake apps are stealing data blackmailing users on Asian mobile networks

This is an image of ransomware 32988sd

FBI collects dues from Chaos ransomware gang; $2.4 million in crypto seized

>