Operation Checkmate: BlackSuit Ransomware Sites Seized, But Is “Chaos” Their Next Rebrand?

Law enforcement agencies have conducted a sweeping international operation to dismantle the digital infrastructure of one of the most prolific ransomware enterprises of the past decade—BlackSuit. This cybercriminal syndicate was responsible for hundreds of attacks targeting government institutions, corporations, and various organizations worldwide. Their sites on the dark web—including leak portals and negotiation pages—have now been replaced with official seizure banners.

According to the U.S. Department of Justice, the takedown, codenamed Operation Checkmate, was authorized by a court and spearheaded by Homeland Security Investigations. The effort was supported by the U.S. Secret Service, the UK’s National Crime Agency, the Frankfurt Prosecutor’s Office, Germany’s State Criminal Police, and the Dutch National Police. Cybersecurity firm Bitdefender also took part, though the specifics of its role have not been disclosed.

BlackSuit traces its origins to January 2022, when it emerged under the name Quantum, with early ties to the infamous ransomware syndicate Conti. Not long after, the group abandoned third-party encryptors in favor of its own—Zeon. By September of the same year, it rebranded as Royal, and following a high-profile attack on the city of Dallas in 2023, it assumed its current identity, BlackSuit, launching a new encryption tool alongside the rebranding.

U.S. agencies noted as early as 2023 that Royal and BlackSuit shared identical tactics, tools, and even encryption commands, including the use of LOLBins (living-off-the-land binaries), remote monitoring and management software (RMMs), and nearly identical ransom note formats. This continuity enabled analysts to conclusively link both names to the same criminal network. According to the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Royal and BlackSuit were responsible for attacks on over 350 organizations since September 2022, amassing over $500 million in ransom payments.

Yet the saga appears far from over. Researchers at Cisco Talos have reported that the group may be preparing yet another transformation, with “Chaos” emerging as the next likely alias. Confidence in this rebranding is considered “moderate,” but it is supported by consistent overlaps in attack tactics, ransom demands, and encryption techniques.

Constant changes of identity and toolset, along with so-called “threat personalization,” have long been part of ransomware groups’ survival strategy: evading surveillance, maintaining anonymity, and preserving the perceived value of stolen data. Despite headline-making takedowns, the underlying criminal networks rarely vanish completely; they simply reemerge under new banners, continuing their operations with a fresh list of victims.

In this relentless cat-and-mouse game, the battle against ransomware becomes a war of attrition—where each tactical victory only delays the next assault. Operation Checkmate delivered a significant blow to BlackSuit, but as long as these groups have funding, access to skilled developers, and operational infrastructure, they will continue to forge new paths in the dark world of digital extortion.