Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (
payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction. - We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
Decision
publish · BlackSuit
- Sequence
- #1
- Score
- →
- Cluster
- mainnet-beta
- Slot
- 420042403
- Off-chain at
- 2026-05-16T03:55:55.106Z
- Anchored at
- —
- Block time
- —
Independent verification
- 1. Database (off-chain)
- DQPuDHq2qnVwvjifaAAkxSnitQp4fR4hcEhjZXLuJqoL
- 2. Recomputed (your browser)
- computing…
- 3. On-chain (Solana memo)
- fetching…
Canonical bytes hashed (4404 chars)
{"actor":"system:backfill","investigation_id":"4577d3b2-53dc-4eb0-8992-d7bfb7be9c1d","kind":"publish","page_slug":"blacksuit","published_at":"2026-05-16T03:55:55.045Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"BlackSuit","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.","timeline":[{"date":"2022-05-01","event":"Conti ransomware syndicate publicly dissolves following a major internal data leak; members splinter into successor groups including Quantum and Zeon.","source":"","source_url":"https://blog.barracuda.com/2024/10/29/blacksuit-ransomware--8-years--6-names--1-cybercrime-syndicate"},{"date":"2022-09-01","event":"Royal ransomware operation begins activity, drawing membership from former Conti operators; targets U.S. critical infrastructure sectors.","source":"","source_url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"},{"date":"2023-05-01","event":"BlackSuit ransomware first observed by security researchers; payload shares significant code overlap with Royal ransomware.","source":"","source_url":"https://www.picussecurity.com/resource/blog/blacksuit-ransomware-group"},{"date":"2023-11-15","event":"CISA and FBI issue joint advisory warning that Royal ransomware actors are testing a potential rebrand to BlackSuit.","source":"","source_url":"https://techcrunch.com/2023/11/15/cisa-fbi-royal-ransomware-blacksuit-sanctions/"},{"date":"2024-04-17","event":"BlackSuit attacks Octapharma Plasma, forcing temporary closure of more than 160 blood plasma donation centers across the United States.","source":"","source_url":"https://therecord.media/plasma-donation-company-cyberattack-blacksuit"},{"date":"2024-06-18","event":"BlackSuit launches ransomware attack against CDK Global, disrupting dealer management systems at approximately 15,000 North American automotive dealerships.","source":"","source_url":"https://www.esentire.com/security-advisories/blacksuit-ransomware-impacts-cdk-global"},{"date":"2024-06-21","event":"On-chain analysis identifies approximately 387 Bitcoin (~$25 million) transferred to a wallet assessed to be controlled by BlackSuit, consistent with a CDK Global ransom payment.","source":"","source_url":"https://cyberscoop.com/cdk-ransom-blacksuit-25-million/"},{"date":"2024-08-07","event":"CISA and FBI release updated joint advisory formally confirming Royal ransomware actors have rebranded as BlackSuit; aggregate extortion demands reported to exceed $500 million.","source":"","source_url":"https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-rebrand-blacksuit-fbi-and-cisa-release-update-advisory"},{"date":"2025-07-24","event":"Operation Checkmate: U.S. DOJ, ICE HSI, FBI, Europol, and international partners seize four BlackSuit servers, nine domains, and $1,091,453 in cryptocurrency; BlackSuit's darknet leak site displays seizure banner.","source":"","source_url":"https://www.ice.gov/news/releases/ice-washington-dc-leads-international-takedown-blacksuit-ransomware-infrastructure"},{"date":"2025-08-12","event":"DOJ publicly announces Operation Checkmate results; former BlackSuit members assessed to have migrated to INC ransomware and Chaos ransomware successor groups.","source":"","source_url":"https://www.axios.com/2025/08/12/doj-blacksuit-ransomware-cryptocurrency-seizure"}]},"v":1}