US & Allies Seize BlackSuit Ransomware Servers and $1M in Crypto
The U.S. Department of Justice (DOJ) announced August 11 that it has disrupted the operations of the BlackSuit ransomware group, also known as Royal, seizing four servers, nine domains, and over $1 million in laundered cryptocurrency.
The coordinated action took place on July 24 and involved the FBI, the Secret Service, Homeland Security Investigations, IRS Criminal Investigation, and law enforcement from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
According to U.S. Immigration and Customs Enforcement, BlackSuit has been one of the most prolific ransomware actors since 2022. Since then, it has targeted more than 450 organizations and collected over $370 million in ransom payments.
Its attacks have hit critical infrastructure sectors, including healthcare, manufacturing, and government facilities. Assistant Attorney General for National Security John A. Eisenberg called the group’s activity “a serious threat to U.S. public safety.”
The DOJ said the takedown also included the unsealing of a warrant for the seizure of virtual currency valued at $1,091,453 at the time of confiscation. These funds were part of a ransom payment made in Bitcoin by a victim in April 2023 and were later moved through a virtual currency exchange until frozen in January 2024.
“This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said U.S. Attorney Erik S. Siebert for the Eastern District of Virginia. Special Agent in Charge William Mancino of the Secret Service added that the operation “strikes a critical blow to BlackSuit’s infrastructure and operations.”
BlackSuit was previously linked to attacks against the city of Dallas, users of vulnerable Citrix products, and multiple healthcare providers. The FBI and CISA have released advisories outlining the group’s phishing-based intrusion tactics, data exfiltration methods, and extortion strategies, urging organizations to review indicators of compromise and strengthen defenses.
HSI’s Deputy Assistant Director Michael Prado said the disruption was “about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” emphasizing the role of international coordination in the takedown. The DOJ said investigations into the group’s members and associates are ongoing.