Operation "Checkmate": How Hackers Lost $500 Million Overnight

The intelligence agencies of five countries joined forces against the successors of a legendary criminal syndicate.

Law enforcement authorities have conducted an international operation to dismantle the digital infrastructure of one of the most active ransomware projects of the past decade — BlackSuit. This cybercriminal group was behind hundreds of attacks on government institutions, corporations, and other organizations worldwide. Their sites on the dark web — including leak sites and negotiation portals — have now been replaced with official seizure banners.
According to the U.S. Department of Justice, the operation was codenamed Operation Checkmate and was authorized by a court. The primary work was carried out by the Homeland Security Investigations unit with participation from the U.S. Secret Service, the UK’s National Crime Agency, the Frankfurt Prosecutor’s Office, Germany’s Federal Criminal Police, and the Netherlands National Police. Cybersecurity company Bitdefender was also involved, although details of their role have not yet been disclosed.
BlackSuit originated as Quantum in January 2022 and had ties from the beginning to the infamous ransomware syndicate Conti. Soon after launching, they abandoned third-party encryptors and created their own — Zeon. In September of the same year, the project was renamed to Royal, and following an attack on the city of Dallas in 2023, it rebranded again as BlackSuit, accompanied by the introduction of a new encryptor.
U.S. agencies had already reported in 2023 that Royal and BlackSuit used the same tactics, tools, and even similar encryption commands — including the use of system utilities (LOLbins), remote monitoring and management tools (RMMs), and identical ransom note styles. This continuity allowed analysts to definitively link the two names to the same criminal network. According to estimates from the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, since September 2022, over 350 organizations have been attacked by Royal and BlackSuit, with total ransom demands exceeding $500 million.
However, the story doesn't end there. Researchers from Cisco Talos have reported that the group is likely preparing for another rebrand. The new suspected alias is Chaos. Confidence in this assessment is rated as "moderate," but is supported by matching attack tactics, ransom note structure, and encryption techniques.
Shifting identities, changing toolsets, and using so-called “threat personalization” have long been part of the ransomware playbook, helping attackers evade detection, maintain anonymity, and increase the perceived value of stolen data. Despite high-profile takedowns, the criminal networks behind these operations rarely disappear entirely; they simply reemerge under new names and continue targeting victims.
In this ongoing evolution, the fight against ransomware becomes a war of attrition, where each temporary win is only a delay before the next assault. Operation Checkmate delivered a major blow to BlackSuit, but as long as these groups have funding, access to developers, and infrastructure, they will continue to find new ways to exploit digital extortion.