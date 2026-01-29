The Russian-speaking RAMP cyber crime forum – one of the most significant players in the underground cyber criminal ecosystem – has gone dark following what appears to be major action by the US authorities.

Although at the time of writing, no official announcement has been made by the Americans, within the past 24 hours both RAMP’s dark and public web sites have been replaced with seizure notices stating the action was taken under the auspices of the FBI, the US Attorney’s Office for the Southern District of Florida, and the Department of Justice’s (DoJ’s) Computer Crime and Intellectual Property Section.

It is not unheard of for cyber criminals to fake takedowns, often amid juvenile theatrics, to start over with a ‘clean’ slate, but initial reports appear to verify the authenticity of the takedown, with DNS records showing RAMP’s web domains now point to FBI infrastructure.

The alleged operator of RAMP, a hacker going by the handle Stallman, who according to Recorded Future took over its operations about four years ago, also stated the forum was no more.

In a post on the XSS hacking forum, translated from the original Russian, Stallman said the takedown had “destroyed years of my work”.

“Although I hoped that this day would never come, deep down I always understood that it was possible. This is the risk we all take,” they wrote.

Set up around 2021, RAMP operated as both a discussion forum and an underground marketplace, with ransomware kits, malware, alongside a library of ransomware guides and tutorials for newbies.

Access to the forum was tightly restricted, with minimum activity levels required and access and registration fees payable, but at its height it still boasted several thousand members, according to a summer 2024 analysis by Rapid7, which described the RAMP community as a “critical resource” for threat actors. At the time, it supposedly had revenues of about $250,000.

Limited long-term impact Daniel Wilcock, threat intelligence analyst at Talion, described the takedown as a big win for the good guys. However, he said, RAMP’s denizens are likely to turn to alternatives, so the long-term impact on the wider criminal ecosystem will be limited. “But all is not lost,” he said. “While this doesn't signal the end of ransomware, law enforcement will be able to gain valuable information from the seizure around the threat actors using the services, such as their emails and IP addresses plus access to the financial transactions that took place on the market. “This could support further law enforcement action against the threat actors that used the site, but given that RAMP was heavily used by Russian criminals it's highly unlikely we will see many actual arrests."