BlackLock Ransomware gang infrastructure breached and info passed to law enforcement


For the first time, a team of security researchers has successfully infiltrated the network of a ransomware operation, exploiting a vulnerability to gather critical information and pass it on to law enforcement authorities. This unprecedented action has given law enforcement crucial insights into the activities of the BlackLock ransomware gang, allowing them to preemptively neutralize threats and take proactive security measures.

In November 2024, Resecurity, a renowned cybersecurity firm, discovered a vulnerability in a data leak website accessible only through the TOR network. Using this vulnerability, they were able to infiltrate the network of the BlackLock ransomware gang, a notorious group responsible for widespread cyber-attacks. By gaining access to this network, Resecurity was able to gather significant intelligence, including information on the gang’s location, earnings, future attack plans, and financial activities.

By March 2025, Resecurity had compiled enough evidence to pass on to law enforcement agencies, providing them with a detailed understanding of the gang’s operations. This intelligence was crucial in giving cybercrime investigators the upper hand, allowing them to implement proactive security measures before an attack could take place. In one notable instance, this intelligence helped prevent a Canadian organization from being targeted by a ransomware attack. The company, which was scheduled to be attacked two weeks later, was safeguarded due to the timely intervention of law enforcement.

In an interesting turn of events, the Resecurity researchers discovered that the BlackLock gang had a 6-folder database, 5 of which were not encrypted. Upon further analysis, the researchers uncovered detailed records of the gang’s earnings over the past year from various victim organizations. This discovery highlighted not only the scale of the ransomware group’s operations but also the immense financial gains they had accrued from their malicious activities.

While the cybersecurity industry typically discourages hacking and illegal activities, this incident raises important questions about the role of cybersecurity firms in combating cybercrime. If cybersecurity companies can infiltrate and disrupt ransomware operations by exploiting vulnerabilities in hacker infrastructure, they could significantly reduce the crime rate. Such actions could create an environment where cybercriminals are either deterred from launching attacks or find it increasingly difficult to operate within the dark web ecosystem. This, in turn, could lead to a decrease in cybercrime and force threat actors to reconsider their involvement in such illicit activities, potentially seeking alternative careers outside the world of cybercrime.
