United States law enforcement agencies have seized the dark web and clearnet domains of the RAMP cybercrime forum, dealing a significant blow to one of the most widely used online marketplaces for ransomware and other illicit digital activities. RAMP, short for Russian Anonymous Marketplace, had established itself as a central hub for ransomware-as-a-service operators, extortion groups, initial access brokers, and other actors involved in cybercrime. Visitors attempting to access the platform are now met with a seizure notice stating that the sites have been taken over by the FBI in coordination with the US Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.
The seizure notice also includes a mocking banner declaring that it is the only place ransomware is allowed, accompanied by an image of Masha, a character from a Russian animated television series, shown winking. While the FBI has not publicly commented on the operation, domain name system records indicate that federal authorities have taken control of the RAMP domains. The takedown has drawn widespread attention within cybersecurity circles due to the forum's role as a trusted venue for advertising malware, selling exploits, negotiating ransomware partnerships, and recruiting affiliates. Over time, RAMP had gained a reputation for stability and reach within the underground economy, making it a preferred platform for criminal collaboration.
Confirmation of the seizure also appeared to come from one of the forum's alleged operators, who uses the alias Stallman. In a post shared on the XSS hacking forum and circulated across social media platforms, Stallman acknowledged that law enforcement had gained control of RAMP. He wrote that the event destroyed years of effort spent building what he described as a free forum, while admitting that the risk of such an outcome had always existed. Stallman stated that he would not attempt to create a replacement forum but would continue operating his core business of purchasing illicit network access, signaling that individual criminal activities may persist even as platforms are dismantled.
Security researchers note that the removal of RAMP does not signal an end to ransomware or the broader cybercrime ecosystem. Criminal forums have historically proven resilient, with users often dispersing to alternative marketplaces following takedowns. Tammy Harper, a senior threat intelligence researcher at Flare specializing in ransomware activity, described the loss of RAMP as a meaningful disruption to a core piece of criminal infrastructure rather than a decisive victory. She explained that past takedowns have shown that eliminating a major hub typically forces migration rather than elimination, with groups such as Nova and DragonForce reportedly shifting activity toward other platforms like Rehub. According to Harper, these transitions are frequently disorganized and introduce new risks for threat actors, including damaged reputations, unstable escrow systems, increased operational exposure, and a higher likelihood of infiltration during efforts to rebuild trust.
Harper also highlighted that law enforcement seizures of this nature can create valuable opportunities for defenders and threat intelligence teams. Disrupting a central marketplace can interrupt ongoing criminal coordination while also offering potential insight into affiliate relationships, financial flows, and operational security weaknesses. As ransomware groups and access brokers scramble to reestablish communication channels and trading venues, the resulting instability can expose patterns and vulnerabilities that are otherwise difficult to observe. While the underground is expected to adapt, the seizure of RAMP underscores the continued focus of US authorities on targeting the infrastructure that supports large-scale cybercrime operations.