bleepingcomputer.com - Law enforcement has seized the dark web leak sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
Earlier today, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang's sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.
"This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation," the banner reads.
Other law enforcement authorities that joined this joint operation include the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others.
Romanian cybersecurity company Bitdefender was also involved in the action, but a spokesperson has yet to reply after BleepingComputer reached out for more details earlier today.
Chaos ransomware rebrand
On Thursday, the Cisco Talos threat intelligence research group reported that it had found evidence suggesting the BlackSuit ransomware gang is likely to rebrand itself once again as Chaos ransomware.
"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the researchers said.
"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks."
BlackSuit started as Quantum ransomware in January 2022 and is believed to be a direct successor to the notorious Conti cybercrime syndicate. While they initially used encryptors from other gangs (such as ALPHV/BlackCat), they deployed their own Zeon encryptor soon after and rebranded as Royal ransomware in September 2022.
In June 2023, after targeting the City of Dallas, Texas, the Royal ransomware gang began working under the BlackSuit name, following the testing of a new encryptor called BlackSuit amid rumors of a rebranding.
CISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share similar tactics, while their encryptors exhibit obvious coding overlaps. The same advisory linked the Royal ransomware gang to attacks targeting over 350 organizations worldwide since September 2022, resulting in ransom demands exceeding $275 million.
The two agencies confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since surfacing more than two years prior.
The U.S. Attorney’s Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace. The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information.
BidenCash commenced operations in March 2022. BidenCash administrators charged a fee for every transaction conducted on the website. The BidenCash marketplace had grown to support over 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated over $17 million in revenue during its operations.
The BidenCash marketplace domains will no longer be operational and will be redirected to a U.S. law enforcement-controlled server, preventing future criminal activity on these sites. The marketplace also sold compromised credentials that could be used to access computers without proper authorization.
Between October 2022 and February 2023, the BidenCash marketplace published 3.3 million individual stolen credit cards for free to promote the use of their services. The stolen data included credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers.
According to court records, the United States obtained court authorization to seize cryptocurrency funds that BidenCash marketplace used to receive illicit proceeds from its illegal sales.
Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia; John Szydlik, Resident Agent in Charge of the U.S. Secret Service’s Frankfurt Resident Office; and Philip Russell, Acting Special Agent in Charge of the FBI Albuquerque Field Office, made the announcement.
This case was investigated by the U.S. Secret Service’s Frankfurt Resident Office, the U.S. Secret Service’s Cyber Investigative Section, and the FBI Albuquerque Field Office.
The Department of Justice thanks the Dutch National High Tech Crime Unit, The Shadowserver Foundation and Searchlight Cyber for their assistance with the investigation.
The government is represented by Assistant U.S. Attorney Zoe Bedell in these matters.
Police in the Netherlands say they seized 127 servers this week that were used by Zservers, a bulletproof hosting service that was the subject of international sanctions issued Tuesday.
Hacker forums Cracked[.]io, Nulled[.]to, MySellIX[.]io, and StarkRDP[.]io on Wednesday are seized by the FBI, Europol, and international law enforcement as part of ‘Operation Talent.’
A large ‘‘Operation Talent’ seizure poster was splashed across most of the shady websites by Wednesday afternoon.
The simultaneous actions targeted the Star Blizzard espionage operation, which targeted government and civil society around the world.
German authorities sent a loud and clear message to criminal users of the exchanges: We found their servers and have your data — see you soon.
Investigators reported 483 000 victims worldwide, who had attempted to regain access to their phones and been phished in the process. The victims are mainly Spanish-speaking nationals from European, North American and South American countries.The successful operation took place thanks to international cooperation between law enforcement and judiciary authorities from Spain, Argentina, Chile, Colombia, Ecuador and Peru.The action week took...
Threat actors called Vanir Ransomware Group posted a few listings in July. Tonight, however, their onion site has a seized message:
” THIS HIDDEN SITE HAS BEEN SEIZED
by the State Bureau of Investigation Baden-Württemberg as a part of a law enforcement action taken against Vanir Ransomware Group “
U.S. seizes 32 Russian propaganda domains influencing U.S. elections, targets Kremlin-backed disinformation efforts.
The agency said at least 43 companies have been attacked by the group in the U.S., South America, India, Europe, the United Arab Emirates, and elsewhere.
The cybercrime and hacker forum Breach Forums has been seized by the Federal Bureau of Investigation (FBI) and the Department of Justice.
German police seized the largest German-speaking cybercrime marketplace Crimemarket and arrested one of its operators.
LockBit — the most prolific ransomware group in the world — had its website seized Monday as part of an international law enforcement operation that involved the U.K.’s National Crime Agency, the FBI, Europol and several international police agencies.
A quick summary first before the details: This week, the FBI in cooperation with international law enforcement partners took down a notorious marketplace trading in stolen identity data in an effort they've named "Operation Cookie Monster". They've provided millions of impacted email addresses and passwords to Have I Been Pwned
Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web service that catered to cybercriminals operating DDoS-for-hire services. Fly Hosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that…
The US Justice Department seized approximately half a million dollars that North Korean government-backed hackers had either extorted from US health care organizations or used to launder ransom payments, deputy Attorney General Lisa Monaco said Tuesday as she touted an aggressive US strategy to claw back money for victims of ransomware attacks.
