Audit log
Every state-changing event for BlackSuit: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-05-16 03:55:55Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 420,042,403
- sig: 5QxVSAq2NToW…XKz8e1fN
- hash: DQPuDHq2qnVw…ZXLuJqoL (sha256 → base58)
canonical bytes (4404 B):
{"actor":"system:backfill","investigation_id":"4577d3b2-53dc-4eb0-8992-d7bfb7be9c1d","kind":"publish","page_slug":"blacksuit","published_at":"2026-05-16T03:55:55.045Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"BlackSuit","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.","timeline":[{"date":"2022-05-01","event":"Conti ransomware syndicate publicly dissolves following a major internal data leak; members splinter into successor groups including Quantum and Zeon.","source":"","source_url":"https://blog.barracuda.com/2024/10/29/blacksuit-ransomware--8-years--6-names--1-cybercrime-syndicate"},{"date":"2022-09-01","event":"Royal ransomware operation begins activity, drawing membership from former Conti operators; targets U.S. critical infrastructure sectors.","source":"","source_url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"},{"date":"2023-05-01","event":"BlackSuit ransomware first observed by security researchers; payload shares significant code overlap with Royal ransomware.","source":"","source_url":"https://www.picussecurity.com/resource/blog/blacksuit-ransomware-group"},{"date":"2023-11-15","event":"CISA and FBI issue joint advisory warning that Royal ransomware actors are testing a potential rebrand to BlackSuit.","source":"","source_url":"https://techcrunch.com/2023/11/15/cisa-fbi-royal-ransomware-blacksuit-sanctions/"},{"date":"2024-04-17","event":"BlackSuit attacks Octapharma Plasma, forcing temporary closure of more than 160 blood plasma donation centers across the United States.","source":"","source_url":"https://therecord.media/plasma-donation-company-cyberattack-blacksuit"},{"date":"2024-06-18","event":"BlackSuit launches ransomware attack against CDK Global, disrupting dealer management systems at approximately 15,000 North American automotive dealerships.","source":"","source_url":"https://www.esentire.com/security-advisories/blacksuit-ransomware-impacts-cdk-global"},{"date":"2024-06-21","event":"On-chain analysis identifies approximately 387 Bitcoin (~$25 million) transferred to a wallet assessed to be controlled by BlackSuit, consistent with a CDK Global ransom payment.","source":"","source_url":"https://cyberscoop.com/cdk-ransom-blacksuit-25-million/"},{"date":"2024-08-07","event":"CISA and FBI release updated joint advisory formally confirming Royal ransomware actors have rebranded as BlackSuit; aggregate extortion demands reported to exceed $500 million.","source":"","source_url":"https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-rebrand-blacksuit-fbi-and-cisa-release-update-advisory"},{"date":"2025-07-24","event":"Operation Checkmate: U.S. DOJ, ICE HSI, FBI, Europol, and international partners seize four BlackSuit servers, nine domains, and $1,091,453 in cryptocurrency; BlackSuit's darknet leak site displays seizure banner.","source":"","source_url":"https://www.ice.gov/news/releases/ice-washington-dc-leads-international-takedown-blacksuit-ransomware-infrastructure"},{"date":"2025-08-12","event":"DOJ publicly announces Operation Checkmate results; former BlackSuit members assessed to have migrated to INC ransomware and Chaos ransomware successor groups.","source":"","source_url":"https://www.axios.com/2025/08/12/doj-blacksuit-ransomware-cryptocurrency-seizure"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision 6739eec1-6391-4165-bf85-af36c74ebf82
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
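The row-integrity step described above, as an added example (not avoid.net's verifier and not code from this page): it recomputes sha256 → base58 over the canonical bytes and compares the result with the stored hash and with the memo text. The canonical form (sorted keys, compact separators, UTF-8), the memo layout, the function names and the sample record are assumptions constructed for illustration.

```python
import hashlib
import json

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin alphabet, which Solana tooling also uses."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is written as a literal '1'.
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + out

def row_hash(canonical: bytes) -> str:
    """sha256 -> base58, computed over the exact bytes that were anchored."""
    return b58encode(hashlib.sha256(canonical).digest())

def canonicalize(record: dict) -> bytes:
    # ASSUMPTION: canonical form is sorted keys, no whitespace, UTF-8.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def verify_row(canonical: bytes, stored_hash: str, memo: str) -> dict:
    computed = row_hash(canonical)
    return {
        "row_integrity": computed == stored_hash,
        # ASSUMPTION: the memo text carries the base58 hash as a substring.
        "anchored": computed in memo,
    }

# Constructed sample record (not the real decision row).
RECORD = {"v": 1, "kind": "publish", "page_slug": "example",
          "sequence_num": 1, "actor": "system:backfill"}
CANONICAL = canonicalize(RECORD)
STORED_HASH = row_hash(CANONICAL)
MEMO = "audit:" + STORED_HASH  # constructed memo layout

def demo() -> dict:
    tampered = CANONICAL.replace(b'"publish"', b'"retract"')
    reindented = json.dumps(RECORD, sort_keys=True, indent=2).encode("utf-8")
    return {
        "original": verify_row(CANONICAL, STORED_HASH, MEMO),
        "tampered": verify_row(tampered, STORED_HASH, MEMO),
        "reindented": verify_row(reindented, STORED_HASH, MEMO),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The reindented case fails even though the JSON is semantically identical, which is why the check has to run over the stored canonical bytes rather than a re-serialized copy.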