RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
Royal / BlackSuit / Chaos
Private Ransomware Operation → RaaS  •  Conti Team One Lineage  •  Three-Generation Rebrand Chain
Tags: Critical Threat  •  Operation Checkmate (2025)  •  Conti Lineage  •  Active Rebrand: Chaos
Royal First Observed: Sep 2022 (Secureworks CTU / Unit 42)
Combined Victims: 308+ (Royal 123 + BlackSuit 185+)
Ransom Demands: $500M+ (combined Royal & BlackSuit, FBI/CISA)
Funds Seized: $1.09M (BTC, Operation Checkmate 2025)
LE Disruptions: 1 (Op. Checkmate, Jul 2025)
Lineage: Conti (Team One / Royal Spider)
Current Rebrand: Chaos (active from Feb 2025, Talos)
01  Executive Summary and Group Overview

Royal, BlackSuit, and the 2025 Chaos RaaS represent a single, continuous threat lineage originating from within the Conti organization. First emerging as Royal in September 2022 following Conti's dissolution, the group operated as a private, closed ransomware operation targeting US critical infrastructure, healthcare, municipalities, and manufacturing. It rebranded as BlackSuit in May 2023, retaining core operators, tooling, and the signature "security test" extortion narrative. Following Operation Checkmate (July 2025), in which international law enforcement seized the group's infrastructure and approximately $1.09 million in laundered Bitcoin, Cisco Talos assessed with moderate confidence that BlackSuit rebranded again as the Chaos RaaS, which emerged in February 2025 and remains active.

The group collectively demanded more than $500 million in ransom across the Royal and BlackSuit periods (FBI/CISA advisory). No arrests or indictments have been made public. The Chaos rebrand marks a structural shift from a private operation to a full Ransomware-as-a-Service model with open affiliate recruitment on the RAMP forum.

Attribute | Detail
Tracking aliases (CrowdStrike) | ROYAL SPIDER (covers Royal, BlackSuit, and Chaos/BlackChaos). Parent Conti entity: Wizard Spider (not a group-specific designation for this lineage).
Tracking aliases (Secureworks) | GOLD SOUVENIR (covers Royal and BlackSuit). Parent Conti entity: Gold Ulrick (not group-specific).
Tracking aliases (Unit 42) | Ignoble Scorpius (BlackSuit-specific; Royal tracked separately under "Royal ransomware" threat assessment).
Tracking aliases (CISA/FBI) | "BlackSuit (Royal)" as unified lineage designation in joint advisory (August 2024 update).
Tracking aliases (Cisco Talos) | "Chaos ransomware RaaS group" (Chaos-specific; distinct from earlier Chaos builder families).
Tracking aliases (HHS HC3) | Separate analyst notes: "Royal ransomware" and "BlackSuit ransomware" published individually.
Operational model | Royal/BlackSuit: private closed operation, no open RaaS. Chaos: full RaaS with affiliate recruitment on RAMP forum.
Extortion mechanic | Royal/BlackSuit: double extortion (encryption + data publication threat). Chaos: triple extortion (encryption + data theft + DDoS threat).
Assessed jurisdiction | Russia / CIS (CREDIBLE; no confirmed formal state nexus).
LE disruption status | Operation Checkmate (July 24, 2025): 4 servers, 9 domains seized; $1,091,453 BTC seized. No arrests or indictments.
Decryptor availability | None publicly available for Royal, BlackSuit, or the 2025 Chaos RaaS as of May 2026. Note: older Chaos builder-family decryptors do not apply (different codebase).
Data Leak Site & Branding
02  Lineage and Organizational Heritage

Lineage Chain: Conti → Royal → BlackSuit → Chaos (2025)

The Royal/BlackSuit/Chaos cluster is assessed as one of the primary successor operations to the Conti organization, specifically linked to what Bitdefender and TrustedInternet characterize as Conti Team One - a specialized sub-unit within the Conti hierarchy. The lineage spans four named iterations across approximately four years of operation.

Name | Period | Victims | Model | Status
Royal | Sep 2022 – Jul 2023 | ~123 | Private closed operation | Superseded by BlackSuit
BlackSuit | May 2023 – Jul 2025 | 185+ | Private closed operation | Disrupted; assessed rebranded as Chaos
Chaos (2025 RaaS) | Feb 2025 – present | Ongoing | Full RaaS, open affiliates (RAMP) | Active as of mid-2026
Evidentiary Pillar Assessment: Conti to Royal
Credible — multi-source convergence; no single definitive technical confirmation
Pillar 1 — Credible
Personnel Continuity
Multiple vendors report that Royal was formed by or absorbed former Conti operators. Bitdefender references a "Conti Team One" specialized unit as the organizational nucleus. Timing of Royal's emergence (September 2022) aligns precisely with post-Conti personnel dispersal. Negotiation phrasing and victim communication style reuse Conti conventions.
Pillar 2 — Credible
TTP Continuity
Royal replicated Conti's signature tools: Cobalt Strike, RMM abuse, VPN credential exploitation, and big-game hunting targeting. Victimology overlaps with Conti's preferred sectors (US critical infrastructure, healthcare, municipalities). "Security audit" ransom note language mirrors earlier Conti negotiation framing.
Pillar 3 — Credible
Operational Timing
Royal began operations concurrently with Conti's dissolution (May 2022), consistent with an orchestrated transition rather than an independent emergence. Unlike many post-Conti groups that had public forum presence, Royal maintained deliberate opacity, reflecting lessons learned from the February 2022 Conti chat leaks.
Pillar 4 — Analyst Inference
Closed Operational Profile
Royal's refusal to operate a public RaaS, its hand-selected operator pool, and its avoidance of dark web forum advertising are consistent with a group that deliberately adopted counter-OPSEC lessons from Conti's collapse. This behavioral continuity suggests core leadership continuity, not merely code inheritance.
Evidentiary Pillar Assessment: Royal to BlackSuit
Confirmed — high-confidence, multi-vendor consensus
Pillar 1 — Confirmed
Code and Parameter Overlap
BlackSuit's encryptor retains Royal's partial encryption logic, command-line parameter structure (including the "-ep" encryption percentage flag), and encryption extension test artifacts. Some observed Royal binaries appended a ".blacksuit" extension before the full rebrand, confirming the same developer team produced both strains. Secureworks (GOLD SOUVENIR), Unit 42 (Ignoble Scorpius), and HHS HC3 all cite this as primary evidence.
Pillar 2 — Confirmed
Operational Timeline Handover
Royal's last victim was posted in July 2023. BlackSuit's first victims appeared in May 2023, two months prior, consistent with a staged rebrand rather than Royal's collapse. Secureworks explicitly states BlackSuit emerged in May 2023 and "CTU researchers assess with high confidence that GOLD SOUVENIR began the process of rebranding to BlackSuit ransomware in May 2023."
Pillar 3 — Confirmed
Ransom Note Continuity
BlackSuit ransom notes mirror Royal's in structure, tone, and specific framing: "Good whatever time of day it is" greeting, "security test" narrative, Tor-based negotiation portal, promise of a post-payment security report, and double-extortion data publication threats. The wording continuity across rebrand is the clearest behavioral signature of operator identity.
Pillar 4 — Confirmed
Government Attribution
HSI formally confirmed in August 2025 that "BlackSuit was the successor to Royal ransomware." CISA/FBI's August 2024 updated advisory explicitly retitles the group "BlackSuit (Royal)" and describes both as a single threat lineage. Unit 42 states Ignoble Scorpius is "a direct evolution of Royal."
Evidentiary Assessment: BlackSuit to Chaos (2025 RaaS)
Credible — single primary vendor (Talos); moderate confidence; not yet corroborated by independent formal assessment
Pillar 1 — Credible
Encryption Configuration Parallels
Cisco Talos documented matching functional parameters between Chaos and BlackSuit encryptors: Chaos "lkey" (32-byte encryption key) parallels BlackSuit "id"; "encrypt_step" parallels "ep" (partial encryption step size); "kill_vms" parallels "stopvm." These are configuration semantics, not simple code copying, suggesting the same developer team structured the new encryptor.
Pillar 2 — Credible
Ransom Note Near-Identity
Chaos ransom notes preserve Royal/BlackSuit's core structure: "security test" theme, double extortion messaging, confidentiality assurances, onion URL format, and a reward/punishment scheme. The thematic continuity across three named iterations without structural deviation is difficult to explain absent operator-level continuity.
Pillar 3 — Credible
Temporal Coincidence
Chaos RaaS emerged in February 2025 during a period of sharp decline in BlackSuit activity. Operation Checkmate (July 2025) seized BlackSuit infrastructure. The pre-seizure decline in BlackSuit attacks beginning November 2024 matches the pre-Royal-to-BlackSuit lull, consistent with a deliberate pre-rebrand operational drawdown.
Analyst Inference
Conflicting View
Some vendors treat Chaos as a distinct "new" group while acknowledging overlap. Rapid7 (2026) documents at least one incident where a state-sponsored actor used Chaos branding as a false flag, adding attribution complexity. Fortinet and Talos explicitly distinguish the 2025 Chaos RaaS from earlier Chaos builder families, which are unrelated by codebase.
Vendor Designation Disambiguation
Critical rule: Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) designate the parent Conti organization only. These designations describe shared heritage and must not be applied to Royal, BlackSuit, or Chaos as group-specific identifiers. The group-specific designations are: ROYAL SPIDER (CrowdStrike), GOLD SOUVENIR (Secureworks), and Ignoble Scorpius (Unit 42 / BlackSuit-specific).
Vendor | Parent Conti Designation | Royal/BlackSuit/Chaos Designation | Coverage Notes
CrowdStrike | Wizard Spider | ROYAL SPIDER | Covers Royal, BlackSuit, and BlackChaos/Chaos as a single adversary
Secureworks CTU | Gold Ulrick | GOLD SOUVENIR | Covers Royal and BlackSuit; high-confidence rebrand assessment published
Palo Alto Unit 42 | (Not separately designated) | Ignoble Scorpius | BlackSuit-specific; Royal tracked under separate "Royal ransomware" threat assessment
CISA / FBI | (Not applicable) | "BlackSuit (Royal)" | Unified designation in August 2024 joint advisory
Cisco Talos | (Not applicable) | "Chaos ransomware RaaS group" | Chaos-specific; explicitly separates from earlier Chaos builder families
HHS HC3 | (Not applicable) | Separate notes for "Royal ransomware" and "BlackSuit ransomware" | Healthcare sector focus; published individually
03  Operational Model

Royal (Sep 2022 – Jul 2023): Private Operation

Royal operated as a closed, private group rather than a public RaaS. Affiliate access, if any, was by invitation only with no open forum recruitment. The group maintained deliberate operational opacity, explicitly avoiding public advertising after observing how Conti's public profile contributed to its downfall through the 2022 chat leaks.

  • Extortion model: Double extortion (encryption + data publication threat). Leak site operated on Tor. Data published when negotiations failed.
  • Ransom demands: Low to mid-millions USD for large organizations; significant flexibility documented in negotiations with 50-80% reductions observed.
  • Negotiation framing: Presented intrusion as a "security test" and offered a "security report" as part of the payment package. Tor-based contact portals only.
  • Communication: Ransom notes delivered personally; no public social media or forum presence. Victims instructed to use Tor-based chat or encrypted email.
BlackSuit (May 2023 – Jul 2025): Private Operation, Evolved Scale

BlackSuit maintained Royal's private, non-public operational model while expanding victim volume significantly (123 to 185+ across the transition). Unit 42 and HHS HC3 both confirm BlackSuit operated without open affiliates. Bitdefender notes the group developed "experienced in-house teams" to assess victim revenue as part of structured target selection.

  • Demands: Hundreds of thousands to multiple millions USD. Some individual payments exceeded $2 million (Bitdefender). Total demands across both eras exceeded $500 million (FBI/CISA advisory).
  • Extortion escalation: Beyond data publication, BlackSuit threatened to contact regulators, media, customers, and victim employees to amplify pressure. LinkedIn pages for victim contacts were posted on the DLS.
  • Post-payment breach: In at least one late 2024 case, BlackSuit leaked victim data after receiving nearly $3 million in payment, a significant violation of the implicit contract that drives ransomware negotiations.
  • Ransom note (confirmed text excerpt): "Good whatever time of day it is! Your safety service did a really poor job of protecting your files against our professionals. Extortioner named BlackSuit has attacked your system..."
Chaos (Feb 2025 – Present): Full RaaS with Open Affiliates

Chaos represents a structural shift from the group's prior private model to a public Ransomware-as-a-Service offering advertised on the RAMP forum. This transition mirrors the pattern observed across other post-disruption Conti-lineage operations.

Documented Demand: $300K (single confirmed Chaos negotiation, Talos)
Extortion Layers: 3 (encryption + data theft + DDoS threat)
Example Data Volume: 69 GB (Optima Tax Relief victim, Talos)
Affiliate Recruitment: RAMP (Russian-language eCrime forum)
  • Triple extortion: Encryption plus data theft plus active DDoS threat. Chaos explicitly introduced a "reward vs. punishment" framing in ransom notes: additional benefits for rapid payment, escalating consequences (DDoS, competitor/client notification) for non-payment.
  • Affiliate exclusions (claimed, not verified): Chaos forum advertisements claim no operations in BRICS/CIS countries and exclusion of hospitals and government. Victim list including the Salvation Army (a charity) undercuts adherence to an ethics code. Treat as policy claims, not confirmed binary kill-switch behavior.
  • Revenue split: Not publicly confirmed. Standard RaaS model assumed; specific percentages not disclosed in open sources (Talos).
04  Technical Capabilities

Malware Variants and Platform Support
Variant | Era | Extension | Platforms | Key Notes
Royal | Sep 2022–Jul 2023 | .royal | Windows (primary) | AES + RSA-protected keys; partial encryption via -ep flag; multi-threaded; ".blacksuit" extension observed in pre-rebrand test binaries
BlackSuit (Windows) | May 2023–Jul 2025 | .blacksuit | Windows | Inherits Royal partial-encryption logic; vssadmin.exe for VSS deletion; readme.BlackSuit.txt ransom note; appends extension after encryption
BlackSuit (ESXi/Linux) | 2023–2025 | .blacksuit | VMware ESXi, Linux | Targets virtual infrastructure; ESXi-specific binary; explicit hypervisor attack capability
Chaos-C++ | Feb 2025+ | .chaos | Windows, ESXi, Linux, NAS | Partial multi-threaded encryption; clipboard hijacker; destructive behaviors; "lkey", "encrypt_step", "kill_vms" config parameters
Mad Cat | 2025 | Varies | Windows | Chaos variant; anti-sandbox behavior; Tinexta analysis published March 2025
Initial Access Methods
Vector | Group(s) | Notes
Phishing / malicious PDFs | Royal, BlackSuit | Malicious PDF attachments in phishing emails; also malvertising campaigns delivering initial payloads (CISA advisory)
Malicious installer (fake Zoom) | BlackSuit | Fake Zoom installers delivering RAT and subsequent BlackSuit payload (DFIR Report, March 2025)
RDP exploitation | Royal, BlackSuit | Stolen or brute-forced RDP credentials used for initial entry
Public-facing application weaknesses | Royal, BlackSuit | Exploitation of vulnerable edge services; specific CVEs vary by incident
VPN credential abuse | Royal, BlackSuit | Phishing-delivered credentials or purchased access; consistent with Conti-lineage preference
Vishing (voice phishing) | Chaos | Spam email prompts victim to call a number; actor impersonates IT staff; victim guided to enable Microsoft Quick Assist or AnyDesk; actor gains remote control and deploys tools
Kill Chain Toolset
Phase | Tools / Methods | Group(s)
Discovery / Recon | SharpShares, SoftPerfect NetWorx, SoftPerfect NetScan, network enumeration via net.exe | Royal, BlackSuit
Credential Access | LSASS harvesting; Cobalt Strike credential modules; Gozi (infostealer) | BlackSuit
Persistence | SystemBC (registry modification, scheduled tasks); RMM tools installed as services | BlackSuit
Lateral Movement | SMB with valid admin accounts, PsExec, domain controller access; AnyDesk/ScreenConnect post-exploitation | Royal, BlackSuit, Chaos
Remote Access / C2 | AnyDesk, ScreenConnect, TeamViewer, Cobalt Strike beacons; Chaos actors reset domain user passwords via net.exe, deleted PowerShell logs, and removed MFA/security apps | All
Exfiltration | RClone, Brute Ratel, Cobalt Strike; staging to remote servers | BlackSuit, Chaos
Defense Evasion | PowerShell log deletion; MFA application removal; .bat file privilege escalation scripts; VSS deletion via vssadmin.exe | BlackSuit, Chaos
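As an added illustration of how the toolset table translates into detection content (example code written for this profile, not tooling from any cited vendor), the block below runs a small rule set over constructed process-creation events, flags the VSS deletion, net.exe domain password changes, PowerShell log clearing, RClone staging and RMM installs listed above, and escalates a host only when its hits span more than one kill-chain phase. The wevtutil syntax for log clearing and the event field names are assumptions.

```python
"""Command-line triage for behaviours in the Royal/BlackSuit/Chaos toolset table.

Added example for this profile; not code from any cited vendor or agency.
Input events are assumed to be dicts shaped like Sysmon Event ID 1 / EDR
process-creation records (host, user, image, cmdline).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    phase: str           # kill-chain phase as labelled in the profile's table
    pattern: re.Pattern


RULES = (
    # Volume Shadow Copy deletion (vssadmin.exe delete shadows ...)
    Rule("vss_delete", "Defense Evasion",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    # "net user <name> <password> /domain": a domain password reset, which the
    # profile attributes to Chaos operators. A bare "net user <name> /domain"
    # query has no second argument and is deliberately not matched.
    Rule("net_user_domain_change", "Remote Access / C2",
         re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+.*\s/domain\b", re.I)),
    # PowerShell event-log clearing; wevtutil/Clear-EventLog syntax is assumed.
    Rule("powershell_log_clear", "Defense Evasion",
         re.compile(r"(\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b).*powershell", re.I)),
    # RClone used to push data off-host (exfiltration staging)
    Rule("rclone_transfer", "Exfiltration",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|copyto|sync|move)\b", re.I)),
    # RMM tooling named in the table; legitimate in many estates, so it is
    # only a weak signal on its own and should be checked against inventory.
    Rule("rmm_tool", "Remote Access / C2",
         re.compile(r"\b(anydesk|screenconnect|connectwise|teamviewer)\b", re.I)),
)


def match_event(event):
    """Return the names of every rule that fires on one process-creation event."""
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return [r.name for r in RULES if r.pattern.search(text)]


def triage(events):
    """Group rule hits by host: {host: sorted list of distinct rule names}."""
    hits = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def escalate(per_host, min_phases=2):
    """Hosts whose hits span at least `min_phases` distinct kill-chain phases.

    One RMM install can be benign; VSS deletion plus log clearing plus
    staging on the same host is the pre-encryption pattern the profile
    describes and warrants immediate response.
    """
    phase_of = {r.name: r.phase for r in RULES}
    return sorted(host for host, names in per_host.items()
                  if len({phase_of[n] for n in names}) >= min_phases)


# Constructed sample telemetry (hostnames, users and paths are invented).
SAMPLE_EVENTS = [
    {"ts": "2025-03-14T02:11:05Z", "host": "HOST-A", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-03-14T02:12:40Z", "host": "HOST-A", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe user jsmith Winter2025! /domain"},
    {"ts": "2025-03-14T02:13:02Z", "host": "HOST-A", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": 'wevtutil.exe cl "Windows PowerShell"'},
    {"ts": "2025-03-14T02:20:17Z", "host": "HOST-A", "user": "CORP\\svc_backup",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance remote:staging --transfers 8"},
    # Benign admin activity on HOST-B: listing shadows and querying a user.
    {"ts": "2025-03-14T09:00:00Z", "host": "HOST-B", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2025-03-14T09:01:00Z", "host": "HOST-B", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net.exe user jsmith /domain"},
    # A lone RMM install on HOST-C: flagged, but not escalated by itself.
    {"ts": "2025-03-14T10:30:00Z", "host": "HOST-C", "user": "CORP\\it_admin",
     "image": r"C:\Users\it_admin\Downloads\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\Program Files\\AnyDesk --silent"},
]

if __name__ == "__main__":
    per_host = triage(SAMPLE_EVENTS)
    for host, names in per_host.items():
        print(host, names)
    print("escalate:", escalate(per_host))
```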
Encryption Implementation

Royal: Hybrid encryption combining strong symmetric encryption (AES) for file content with asymmetric RSA protection for keys. Partial encryption is configurable via the "-ep" flag (encryption percentage per file), enabling fast processing of large files. Selective targeting by file type and directory, with option to skip specified paths. Multi-threaded execution.

BlackSuit: Inherits Royal's partial-encryption architecture with renamed parameters. ".blacksuit" extension appended to encrypted files. Volume Shadow Copies deleted via vssadmin.exe. ESXi Linux variant targets virtual disk files on VMware hypervisors. No publicly available decryptor.

Chaos: Uses a 32-byte "lkey" symmetric key; "encrypt_step" controls the size of encrypted segments within each file (partial encryption for speed); "kill_vms" parameter stops running virtual machines before encrypting their disk files, analogous to BlackSuit's "stopvm." The Chaos-C++ variant adds a clipboard hijacker and destructive payload options beyond standard ransomware behavior. Cross-platform encryptors for Windows, ESXi, Linux, and NAS are offered as a core RaaS selling point.
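The partial-encryption parameters above (Royal's "-ep" percentage, Chaos's "encrypt_step") leave a file that alternates between ciphertext and untouched plaintext rather than uniform noise. The following added example (not from the profile or any cited vendor) profiles a file by per-chunk Shannon entropy to recognise that alternation and estimate the step size and percentage the encryptor was run with; the sample file, the 4096-byte chunk size and the 7.0-bit threshold are constructed assumptions.

```python
"""Chunked-entropy triage for partially encrypted files.

Added example for this profile. Seeded random bytes stand in for the
ciphertext segments; nothing here performs encryption. Chunk size and
entropy threshold are assumptions, not values from any vendor report.
"""
import math
import random
from collections import Counter

CHUNK = 4096        # bytes per entropy measurement (assumed)
THRESHOLD = 7.0     # bits/byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def high_runs(flags) -> list:
    """Consecutive runs of True as (start_index, length)."""
    runs, start = [], None
    for i, f in enumerate(flags):
        if f and start is None:
            start = i
        elif not f and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(flags) - start))
    return runs


def profile(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> dict:
    """Classify a file as plaintext, fully encrypted, partially encrypted in a
    regular step pattern, or mixed, and recover the pattern's parameters."""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return {"verdict": "empty", "high_fraction": 0.0, "runs": []}
    flags = [e >= threshold for e in ents]
    frac = sum(flags) / len(flags)
    runs = high_runs(flags)
    result = {"chunks": len(ents), "high_fraction": round(frac, 3), "runs": runs}
    if frac >= 0.98:
        result["verdict"] = "fully_encrypted"
    elif frac <= 0.02:
        result["verdict"] = "plaintext"
    else:
        lengths = {ln for _, ln in runs}
        gaps = {runs[i + 1][0] - runs[i][0] for i in range(len(runs) - 1)}
        if len(runs) >= 2 and len(lengths) == 1 and len(gaps) == 1:
            # Equal-length ciphertext runs at a constant spacing: the signature
            # of a fixed step with a leading encrypted slice per step.
            period = gaps.pop() * chunk
            enc = runs[0][1] * chunk
            result["verdict"] = "partial_encryption_pattern"
            result["period_bytes"] = period           # Chaos-style step size
            result["encrypted_run_bytes"] = enc
            result["encrypted_percent"] = round(100 * enc / period)  # Royal-style -ep
        else:
            result["verdict"] = "mixed"
    return result


def build_sample(segments=4, period=65536, enc_bytes=16384, seed=7) -> bytes:
    """Constructed fixture: `segments` steps of `period` bytes, the first
    `enc_bytes` of each replaced by seeded pseudo-random bytes."""
    rng = random.Random(seed)
    text = b"Quarterly financial report - confidential draft v3. "
    plain = (text * (period // len(text) + 1))[: period - enc_bytes]
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(enc_bytes))
    return b"".join(noise() + plain for _ in range(segments))


if __name__ == "__main__":
    print(profile(build_sample()))
```

On real evidence, a "partial_encryption_pattern" verdict with a small encrypted percentage also tells the responder that most of the file's bytes survive and may be carvable even without a decryptor.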

CIS Exclusion Behavior
Credible (policy claim) / Analyst Inference (binary enforcement)

Royal and BlackSuit are reported to implement locale or keyboard-layout checks consistent with Conti-lineage CIS-avoidance conventions, exiting when Russian or related CIS keyboard layouts are detected. Binary-level confirmation is limited in open public technical write-ups; the behavior is inferred primarily from operational absence of CIS victims.

Chaos forum advertisements explicitly claim no operations in BRICS/CIS countries, but binary-level enforcement via locale checks has not been consistently confirmed in open publications. Treat as a stated policy claim rather than a proven technical kill-switch.

05  Financial Infrastructure

Payment Mechanics and Cryptocurrency

Royal, BlackSuit, and Chaos all demand payment in Bitcoin (BTC) as the primary instrument. Victims access payment portals via Tor-based links embedded in ransom notes. Royal specifically required victims to access a darknet website for payment processing (per DOJ charging documents). Some flexibility toward privacy coins (Monero) has been reported in individual negotiations, though documented cases focus on BTC addresses.

Each victim is assigned a unique BTC deposit address, enabling the operators to track individual payments and attribute them to specific victims during the decryption-key release process. Per-victim address generation is standard Conti-lineage practice and complicates attribution-by-wallet without comprehensive blockchain forensic tooling.

On-Chain Laundering: Confirmed Case (Operation Checkmate)
Confirmed seizure trace: On April 4, 2023, a Royal victim paid 49.3120227 BTC (valued at $1,445,454.86 at time of payment). A $1,091,453 portion of that payment was repeatedly deposited and withdrawn through a virtual currency exchange account in a layering pattern consistent with ransomware laundering. The exchange froze the funds on January 9, 2024. A US court formally seized the funds on June 21, 2024 (US Attorney, District of Columbia, with evidence collected by EDVA). This seizure was publicly announced August 11, 2025 as part of Operation Checkmate.
1. Initial Receipt
Victim pays ransom in BTC to a unique per-victim deposit address. Payment triggers decryption key release. The April 4, 2023 case: 49.31 BTC at $1.45M value.
2. Layering via Exchange Cycling
Proceeds repeatedly deposited and withdrawn through a virtual currency exchange account. This deposit/withdrawal cycling is a classic layering technique designed to break chain-of-custody traceability and generate multiple transaction hops.
3. Exchange Freeze and Law Enforcement Action
The exchange froze $1,091,453 in funds on January 9, 2024, likely triggered by internal compliance review or an IRS-CI or FBI production request. US legal seizure executed June 21, 2024. Remaining ransom value ($354,002) not publicly accounted for in available reporting, suggesting earlier successful laundering or a different wallet path.
4. Broader Laundering Pattern
TRM Labs' 2026 Crypto Crime Report identifies cross-chain bridge activity growing 66% and mixer use declining 37% across the ransomware ecosystem in 2024-2025, with BlackSuit cited as one of the disrupted groups that displaced affiliates and laundering infrastructure. Group-specific wallet maps for Royal/BlackSuit have not been publicly released by Chainalysis, TRM Labs, or Elliptic beyond high-level threat reporting.
Sanctions and Regulatory Context

No specific OFAC designation has been issued for Royal, BlackSuit, or Chaos wallets or operators as of May 2026. However, US agencies treat payments to any Conti-lineage actor as existing within a sanctions-risk context given OFAC's prior designations of Conti-linked wallet infrastructure. Organizations that pay ransoms to Royal/BlackSuit/Chaos affiliates are advised to seek OFAC compliance guidance prior to payment.

Blockchain forensics firm assessments: TRM Labs and Chainalysis have published broadly on Conti-lineage financial flows, but group-specific detailed wallet cluster maps for Royal/BlackSuit/Chaos are not widely available in open-source publications. The Operation Checkmate seizure represents the first confirmed public on-chain trace and asset recovery for this lineage.

06  Victim Profile and Targeting

Royal Victims: ~123 (Sep 2022 – Jul 2023)
BlackSuit Victims: 185+ (May 2023 – Jul 2025, Bitdefender)
Combined Demands: $500M+ (FBI/CISA advisory, Aug 2024)
Max Individual Payment: $3M+ (BlackSuit; data leaked anyway, Bitdefender)
Sector Distribution
Sector | Group(s) | Confidence | Notes
Manufacturing | BlackSuit (primary) | CONFIRMED | Largest single BlackSuit sector per Bitdefender. High revenue and operational sensitivity drive targeting.
Healthcare / Public Health | Royal, BlackSuit | CONFIRMED | HHS HC3 issued dedicated analyst notes for both Royal and BlackSuit targeting healthcare organizations. Critical sector per CISA advisory.
Education / Research | BlackSuit (primary) | CONFIRMED | Second-largest BlackSuit sector per Bitdefender.
Construction | BlackSuit | CONFIRMED | Significant victim count; Unit 42 notes construction as one of top two industries for Ignoble Scorpius (alongside manufacturing).
Government / Municipalities | Royal (primary) | CONFIRMED | City of Dallas (2023) is most prominent named victim. Critical government facilities sector explicitly cited in CISA advisory.
Retail / Consumer | BlackSuit | CREDIBLE | CDK Global (software vendor to automotive dealers) breach affected 950,000 individuals.
Charity / NGO | Chaos | CREDIBLE | Salvation Army targeted by Chaos RaaS, contradicting stated exclusion of humanitarian organizations.
Tax / Financial Services | Chaos | CREDIBLE | Optima Tax Relief (69 GB data stolen).
Geographic Distribution

The group is heavily US-focused across all three iterations. Bitdefender documented that the majority of BlackSuit victims were US-based, with secondary clusters in Great Britain, Canada, Belgium, and Spain. Chaos victims have been identified in the US, UK, New Zealand, and India. No CIS-region victims have been documented in open sources for any named iteration.

Notable Named Victims
Victim | Group | Sector | Notes
City of Dallas, Texas | Royal | Government / Municipality | 2023; major US municipal disruption; city systems and 911 dispatch affected; extensively covered in vendor reporting
CDK Global (software vendor) | BlackSuit | Technology / Automotive | Data of 950,000 individuals stolen; major downstream impact on US automotive dealerships
Optima Tax Relief | Chaos | Financial Services | 69 GB data allegedly exfiltrated; listed on Chaos DLS (Talos reporting)
Salvation Army | Chaos | Charity / NGO | Targeted despite Chaos' stated exclusion of humanitarian organizations; undermines claimed ethics code
[Named victim, $3M ransom] | BlackSuit | Unknown | Bitdefender: victim paid nearly $3M ransom; data leaked anyway. Demonstrates group's willingness to breach negotiated agreements.
Victim Size Profile and Selection Model

All three iterations prioritize big-game hunting: medium-to-large enterprises and public-sector organizations with high operational disruption sensitivity, significant cyber insurance coverage, and revenue profiles that justify multi-million dollar demands. BlackSuit maintained a structured process to assess victim revenue before setting demands, per Bitdefender analysis.

The Chaos RaaS model introduces affiliate heterogeneity that may produce a wider victim-size distribution over time, consistent with how other Conti-lineage groups (Akira, BlackBasta) expanded victim breadth after shifting to a RaaS structure.

07  Law Enforcement and Regulatory Response

Operation Checkmate (July 24, 2025 / Announced August 11, 2025)
CONFIRMED: International law enforcement operation seized BlackSuit's data leak site, negotiation portals, 4 servers, and 9 domains. Approximately $1,091,453 in Bitcoin was seized. No arrests or criminal indictments have been made public as of May 2026.
Attribute | Detail
Operation name | Operation Checkmate
Execution date | July 24, 2025 (infrastructure seized); August 11, 2025 (DOJ formal announcement)
Assets seized | 4 servers; 9 domains (data leak site and negotiation portals); $1,091,453 in BTC
Lead US agency | DHS Homeland Security Investigations (HSI), Washington D.C. field office
Additional US agencies | US Secret Service (Criminal Investigative Division); IRS Criminal Investigation (Washington D.C. Cyber Crimes Unit); FBI
International partners | UK National Crime Agency; UK Northwest Regional Organized Crime Unit; Germany Landeskriminalamt Niedersachsen; Ireland An Garda Siochana – Garda National Cyber Crime Bureau; France Office Anti-Cybercriminalite; Canada Royal Canadian Mounted Police + Delta Police Department; Ukraine National Police Cyber Police Department; Lithuania Criminal Police Bureau
Private sector assist | Bitdefender (Draco Team; provided expert technical assistance)
Legal team (US) | AUSA Laura D. Withers (EDVA); Trial Attorney Jacques Singer-Emery (NSD National Security Cyber Section); AUSA Rick Blaylock Jr. (DC)
Arrests / indictments | None publicly announced as of May 2026
Total demands cited | $500M+ across Royal and BlackSuit eras (per FBI/CISA advisory cited in DOJ press release)
Bitcoin Seizure Trace

The DOJ unsealing documents provide a confirmed on-chain chain of custody for one seized ransom: On April 4, 2023, a victim paid 49.3120227 BTC ($1,445,454.86 at the time of transaction) to Royal. A $1,091,453 portion was repeatedly cycled through a virtual currency exchange in a layering pattern. The exchange froze the funds on January 9, 2024, and a US court order formally seized them on June 21, 2024 (evidence collected by EDVA, seizure warrant unsealed by DC). This is the first publicly confirmed on-chain asset recovery directly linked to this lineage.

Government Advisories and Regulatory Actions
Document / Action | Date | Issuer | Significance
CISA/FBI Joint Advisory: #StopRansomware — Royal Ransomware | Mar 2023 | CISA, FBI | Initial public advisory on Royal TTPs and IOCs; healthcare and critical infrastructure focus
HHS HC3 Analyst Note: Royal ransomware | 2023 | HHS Health Sector Cybersecurity Coordination Center | Healthcare-sector-specific warning on Royal targeting
HHS HC3 Analyst Note: BlackSuit ransomware | 2023-2024 | HHS HC3 | Separate healthcare note flagging BlackSuit as possible Royal successor
CISA/FBI Updated Joint Advisory: BlackSuit (Royal) | Aug 7, 2024 | CISA, FBI | Formal retitling to "BlackSuit (Royal)"; updated TTPs, IOCs, and $500M demand figure; unified lineage designation
DOJ/HSI Operation Checkmate announcement | Aug 11, 2025 | DOJ, HSI, multiple agencies | Infrastructure seizure; $1.09M BTC seizure; formal confirmation of BlackSuit/Royal succession
Assessment: Disruption Impact
Analyst inference: Operation Checkmate disrupted BlackSuit's operational infrastructure but did not result in arrests or prosecutorial action against identified operators. The near-simultaneous emergence of Chaos RaaS (February 2025, predating the July 2025 seizure) suggests the group was already in transition before law enforcement action. This pattern, where operators rebrand pre-emptively and law enforcement seizure targets the prior-generation infrastructure, is consistent with prior Conti-lineage disruptions. Operational continuity for the threat cluster remains high.
08  Attribution and State Nexus

Jurisdiction Assessment
Credible — Russia / CIS-based criminal actors; no confirmed state directorship

Royal, BlackSuit, and Chaos are assessed as Russia-based or CIS-based criminal actors on the basis of multiple converging indicators: operational avoidance of CIS-region victims across all iterations; no confirmed attacks on Russian or CIS targets; Russian-language forum advertising (RAMP, Chaos); operator communications in Russian where observed; and the group's Conti lineage, which was established by US government indictments as a Russia-based criminal enterprise.

The absence of prosecutions of named operators within Russia is consistent with de facto safe harbor for criminal groups that avoid domestic targeting. This pattern applies broadly to Conti-lineage successor operations. No confirmed evidence of formal state direction, intelligence-sharing arrangements, or explicit tasking by FSB, SVR, or GRU has been publicly documented for any named iteration of this lineage.

HSI and DOJ press releases describe the group as responsible for attacks on "US critical infrastructure" and public safety, using language that frames the group as a national security concern without formally attributing state nexus.

Conti Team One Connection
Credible — single-source characterization (Bitdefender / TrustedInternet); not independently confirmed by Mandiant or Recorded Future in open publications

Bitdefender and TrustedInternet describe the personnel nucleus of Royal as deriving from "Conti Team One," characterized as a specialized sub-unit within the Conti organizational structure. This framing distinguishes the Royal/BlackSuit lineage from other post-Conti splinters (Akira, BlackBasta, Karakurt) and implies a more centralized leadership tier with direct Conti operational heritage.

No named individuals have been publicly attributed to Royal, BlackSuit, or Chaos operations as of May 2026. No sanctions designations have been issued against specific operators in this cluster.

State Actor False-Flag Usage (Chaos)
Analyst Inference — single source (Rapid7, 2026); not corroborated in open publications

Rapid7 (2026) documented at least one incident in which a state-sponsored threat actor used Chaos RaaS branding as a false flag for a targeted state-sponsored operation. This does not imply that Chaos itself is a state-directed group. The stronger interpretation is that Chaos is an opportunistic criminal RaaS whose branding and tooling were co-opted by a separate state actor in a specific operation to obscure attribution.

This finding adds attribution complexity for defenders and intelligence analysts: not all Chaos-attributed incidents should be assessed as criminal ransomware activity. Some may represent state-directed operations using the Chaos cover to complicate attribution and frustrate law enforcement response.

Named Individuals

No named individuals have been publicly attributed to Royal, BlackSuit, or Chaos operations in any indictment, sanctions designation, or law enforcement press release as of May 2026. This absence of individual identification contrasts with disruptions of LockBit and ALPHV/BlackCat, where operator identities were published, and represents a significant gap in the accountability record for this lineage.

09

Trajectory Assessment

Historical Rebrand Pattern

This lineage has executed two confirmed, planned rebrands in three years: Royal to BlackSuit (2023) and BlackSuit to Chaos (2025). Each transition followed a similar template: gradual operational drawdown under the prior name, parallel emergence of the successor brand 2-4 months before the prior name went dark, retention of core TTPs and note structure, and avoidance of public attribution of the transition until independent researchers connected the dots. The pattern is deliberate and competent.

Key signal: BlackSuit attack volume declined sharply after November 2024, seven months before Operation Checkmate. This pre-seizure drawdown, combined with Chaos RaaS launching in February 2025, suggests the operators anticipated or detected law enforcement attention and executed a pre-emptive rebrand. Law enforcement seized the infrastructure of the prior iteration; the active threat cluster had already migrated.

Structural Shift: Private to RaaS

The Chaos iteration represents a meaningful structural shift from the tight, closed operational model of Royal/BlackSuit to a public RaaS with open affiliate recruitment. This expansion increases attack surface and victim volume but also introduces affiliate management risk and potential OPSEC degradation. Prior Conti-lineage groups (Akira) have demonstrated that the RaaS model enables rapid victim volume growth; the Chaos iteration may follow the same trajectory.

The triple-extortion model (encryption + data theft + DDoS) adopted by Chaos represents a tactical escalation over Royal/BlackSuit's double-extortion approach. It is likely intended to raise payment rates among victims with strong backup posture: the DDoS threat adds a separate pressure vector that backups cannot mitigate.

Connected Group Cluster

Group | Relationship | Confidence | Vendor Coverage
Conti | Parent organization; Conti Team One as personnel nucleus for Royal emergence | CREDIBLE | Bitdefender, TrustedInternet (Team One framing); Unit 42, Secureworks, HHS HC3 (general Conti lineage)
BlackSuit | Direct rebrand of Royal (GOLD SOUVENIR, Ignoble Scorpius, ROYAL SPIDER) | CONFIRMED | Secureworks, Unit 42, HHS HC3, CISA/FBI, DOJ, HSI, Bitdefender
Chaos (2025 RaaS) | Probable rebrand of BlackSuit or formed by former BlackSuit members | CREDIBLE (moderate) | Cisco Talos (primary); SC World, Infosecurity Magazine (repeat Talos findings). Not yet independently assessed by Mandiant or Recorded Future in open publications.
Akira | Separate Conti-diaspora stream; distinct operational identity; shared Conti heritage only | CONFIRMED (separation) | CrowdStrike: PUNK SPIDER (separate from ROYAL SPIDER). No operational overlap documented.
BlackBasta | Separate Conti-diaspora stream; no operational linkage to Royal/BlackSuit documented | CONFIRMED (separation) | Distinct vendor designations across all major vendors.

Note: Mandiant and Recorded Future have not published formal open-source assessments linking Chaos to BlackSuit/Royal as of May 2026. The Chaos-to-BlackSuit connection rests primarily on Cisco Talos' June 2025 analysis.

Intelligence Gaps and Trajectory Indicators
  • No named operators: Unlike LockBit (Khoroshev et al.) or Conti (multiple indictments), no individuals connected to Royal, BlackSuit, or Chaos have been publicly identified or charged. This represents the primary unresolved accountability gap.
  • Chaos affiliate roster unknown: Open-source reporting does not identify Chaos affiliates, revenue splits, or the size of the affiliate pool. Growth trajectory depends heavily on affiliate satisfaction and law enforcement attention to the new infrastructure.
  • On-chain mapping incomplete: The $1.09M seizure is the only confirmed public on-chain recovery. The broader wallet cluster infrastructure for Royal/BlackSuit proceeds has not been publicly documented by Chainalysis, TRM Labs, or Elliptic.
  • State-false-flag complexity: The Rapid7 2026 finding that a state actor used Chaos branding in at least one operation means attribution of Chaos-attributed incidents requires additional corroboration before classifying as criminal vs. state-directed.
  • Fourth-generation rebrand risk: Given the two-to-four year cadence of prior rebrands, a Chaos successor cannot be ruled out if law enforcement pressure on Chaos infrastructure increases materially in 2026.

10

Recent Reporting

REF

Sources

Government Advisories
Vendor Research
Media / Aggregator