Law enforcement authorities have seized the notorious cybercrime forum RAMP, which advertised and facilitated the sale of various hacking services, including ransomware.
Since 2021, RAMP has operated with impunity, serving primarily Russian, Chinese, and English-speaking users, with a membership of about 14,000 and an annual profit of about $250,000.
The takedown operation involved the Federal Bureau of Investigation, the US Attorney’s Office for the Southern District of Florida, and the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS).
The FBI takes over cybercrime forum RAMP
The clandestine law enforcement operation resulted in the seizure of both the underground forum and the clearnet domain ramp4u[.]io, which was used to advertise cybercrime services.
Currently, the clearnet domain displays an FBI banner reading “This Site Has Been Seized.” It also displays the site’s original header image, which reads “The Only Place Where Ransomware Allowed.” The banner features a winking Masha, the animated character from the Russian children’s TV series “Masha and the Bear.”
Authorities may also have seized large volumes of data, including IP addresses, email addresses, usernames, transaction records, and private messages, which could help identify members of the cybercrime forum. The FBI also invites people to submit additional tips through its Internet Crime Complaint Center (IC3) portal.
Meanwhile, the feds have yet to announce the seizure of the cybercrime forum. While cybercriminals could fake takedowns to scam their peers, RAMP’s DNS records now point to the FBI’s seized domain name servers, ns1.fbi.seized[.]gov and ns2.fbi.seized[.]gov.
“RAMP first appeared in 2021, created by Mikhail Matveev after other major Russian forums started banning ransomware-related posts,” explained Damon Small, Board of Directors, Xcape. “Matveev, who faces a U.S. indictment and has a $10 million reward for information leading to his capture, built the forum using leftover infrastructure from the now-defunct Babuk ransomware group. He became known for encouraging criminals to remain in Russia to avoid extradition, famously saying, ‘Mother Russia will help you.’”
Cybercrime forum RAMP permanently shuts down
Stallman, one of the alleged RAMP operators, also confirmed that the feds had seized the hacking forum and completely ruined his years of hard work.
“I regret to inform you that law enforcement has seized control of the Ramp forum,” Stallman posted on the rebranded XSS forum. “This event destroyed years of my work to create the most free forum in the world, and although I hoped this day would never come, deep down I always understood that it was possible. This is the risk we all take.”
However, he ruled out creating another cybercrime forum but vowed to maintain his core business of buying initial access.
“Although I no longer manage Ramp and will not be creating a new forum from scratch, I will continue to purchase access. My main business remains unchanged.”
Cybercrime persists despite law enforcement takedowns
RAMP was among the few popular hacking forums allowing the sale of ransomware services. However, other cybercrime services are widely available on the dark web. Subsequently, cybercriminals would migrate to other forums and continue trading illicit services despite RAMP shutting down.
“Another marketplace is gone, and history tells us what happens next,” said Denis Calderone, CRO & COO, Suzu Labs. “When AlphaBay and Hansa went down in 2017, users migrated to Dream Market within weeks. RAMP will follow the same pattern. Expect a brief dip in activity, maybe a week or two of quiet while users regroup and vet new platforms, then business as usual. Forum seizures create temporary disruption, but market demand will ensure that not much ultimately changes.”
However, disrupting cybercrime infrastructure prevents hackers from operating freely, thus reducing their effectiveness. It also introduces the risk of exposure during migration and sign-up on new hacking forums, as well as the risk of losing funds and reputation.
“Another forum will fill the void. Someone is probably registering domains right now. But every takedown raises the operational cost for the ecosystem. Forums get younger, less trusted, more fragmented. That friction matters even if it doesn’t eliminate the threat,” said Michael Bell, Founder & CEO, Suzu Labs.
According to Calderone, “nothing fundamentally changes” for organizations, as threat actors will buy initial access from other brokers: “The Initial Access Broker market continues regardless of which specific forums are online or offline. Focus on making your network access harder to sell in the first place.”
Meanwhile, law enforcement operations have previously disrupted cybercrime activity with varying degrees of success. In July 2025, Europol arrested the administrator of XSS after a successful raid on his Kyiv residence.
In 2023 and 2024, authorities seized one of the most notorious cybercrime forums, BreachForums, only for it to relaunch in 2025.
In 2022, the FBI also seized the English-language cybercrime forum RaidForums, which traded in stolen data, hacking tools, and illicit content.
