FBI Seizes Russian-Language RAMP Cybercrime Forum, Disrupting Major Ransomware and Malware Marketplace

On January 28, 2026, U.S. federal authorities executed a coordinated law enforcement action that resulted in the seizure of the controversial Russian-language cybercrime forum RAMP, both on the public internet (“clearnet”) and on the Tor dark web. The site’s domains, including ramp4u[.]io, now display official seizure banners, and their nameservers have been reconfigured to ns1.fbi.seized.gov and ns2.fbi.seized.gov, indicating that the FBI has full technical control of the platform.

The seizure notice on RAMP clearly states that the site has been taken over by the Federal Bureau of Investigation (FBI), in cooperation with the U.S. Attorney’s Office for the Southern District of Florida and the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS), and directs anyone with information on cybercriminal activity to report it via IC3.gov.


What RAMP Was and How It Evolved

Although the name RAMP originally belonged to a darknet drug marketplace that operated from 2012 to 2017, the modern incarnation that was seized in 2026 was not a drug market but a sophisticated cybercrime forum that emerged around mid-2021. While the old RAMP focused on narcotics, the revived RAMP became one of the most prominent hubs for ransomware-related activity and malware trade in the underground ecosystem.

The forum was designed mainly for Russian-speaking cybercriminals, including ransomware affiliates, underground malware developers, and Initial Access Brokers (IABs) — threat actors who specialize in selling access to hacked corporate networks. Because RAMP did not prohibit ransomware topics (unlike some other forums that banned such content under law enforcement pressure), it quickly garnered a reputation as a place where “ransomware was allowed” and even encouraged.


Technical Role in the Cybercrime Ecosystem

RAMP functioned much like other sophisticated underground forums, but with a heavy focus on ransomware-as-a-service (RaaS) and the trade of malware, exploits, leaks, and compromised access credentials. Typical offerings included:

  • Leaked data auctions and extortion deals — cybercriminals would sell or trade stolen data, often tied to ransomware extortion.
  • Malware and botnet rentals — software for distributing ransomware and controlling infected machines.
  • Custom exploits and crypters — tools to evade antivirus detection and penetrate victims’ systems.
  • Initial Access Broker listings — selling pre-compromised corporate network access, a valuable asset for ransomware crews.
  • Recruitment and affiliate programs — connecting ransomware operators with partners who could deploy attacks.

Because of this specialization, RAMP became a go-to destination for threat actors after the takedowns of other forums and groups, including prominent ransomware operations like REvil and DarkSide in late 2021 and early 2022.


Underground Reaction and Unknown Arrests

In the wake of the seizure, an underground user known as Stallman — allegedly linked to RAMP’s administration — posted on another cybercrime forum acknowledging the shutdown. He described RAMP as “the most free forum in the world” but said he would not attempt to rebuild it.

As of now, there has been no public confirmation of arrests of core operators or high-profile users tied to RAMP. Whether the FBI has retained server data that could lead to indictments remains unclear.


What This Means Going Forward

The seizure of RAMP represents a significant blow to a major node in the global ransomware infrastructure and demonstrates U.S. law enforcement’s growing capability to infiltrate hidden cybercrime networks. Security professionals will be watching closely to see how the underground ecosystem adapts, whether activity migrates to other forums or encrypted channels, and whether further charges emerge from the seized data.