The Federal Bureau of Investigation has seized control of RAMP, the Russian Anonymous Marketplace, a key cybercrime hub where ransomware gangs openly advertised operations, recruited affiliates, and traded malware and network access. Both the forum’s Tor site and clearnet domain, ramp4u.io, now bear a stark seizure notice: “The Federal Bureau of Investigation has seized RAMP.” The banner taunts operators with their own slogan, “THE ONLY PLACE RANSOMWARE ALLOWED!”, paired with a winking Masha from the Russian cartoon “Masha and the Bear.”
This operation, coordinated with the U.S. Attorney’s Office for the Southern District of Florida and the Department of Justice’s Computer Crime and Intellectual Property Section, switched the domain’s name servers to the FBI-controlled ns1.fbi.seized.gov and ns2.fbi.seized.gov. Law enforcement now holds vast user data (including emails, IP addresses, and private messages), potentially exposing threat actors who skimped on operational security. BleepingComputer reported that the FBI declined to comment when contacted.
Alleged former operator “Stallman” confirmed the seizure on the XSS hacking forum, lamenting in a translated post: “I regret to inform you that law enforcement has seized control of the Ramp forum. This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It’s a risk we all take.” Stallman added he would continue buying network accesses, signaling business as usual elsewhere. The Register shared the post widely on social media.
RAMP’s Birth from Ransomware Bans
RAMP emerged in July 2021 after major Russian-speaking forums Exploit and XSS banned ransomware promotions amid global backlash from attacks like DarkSide’s Colonial Pipeline hit. Founded by threat actor “Orange”—real name Mikhail Matveev, aliases Wazawaka and BorisElcin, ex-Babuk ransomware admin—it repurposed Babuk’s Tor domain. Matveev, indicted in 2023 for Babuk, LockBit, and Hive ransomware extorting U.S. healthcare and infrastructure, told Recorded Future’s Dmitry Smilyanets that RAMP reused Babuk infrastructure but yielded no profit amid DDoS attacks, prompting his exit. Krebs on Security linked Matveev to the forum’s origins.
The platform quickly became ransomware central, hosting sections for malware sales, affiliate recruitment, and corporate network access trades. Multilingual support in Russian, English, and Mandarin drew diverse actors, including overtures to Chinese hackers by Conti and others. High barriers—requiring two months’ activity on Exploit/XSS or a $500 fee—ensured a vetted crowd of over 14,000 members. RAMP facilitated ransomware-as-a-service models, where affiliates deployed tools for profit shares. BleepingComputer noted early Chinese registrations.
Ownership shifted from Orange to “Kajit,” then to Stallman amid forum dramas, including LockBit disputes in which Stallman arbitrated. RAMP endured DDoS waves blamed on ex-Babuk rivals and grew despite mockery on rival forums. Its partner programs thrived where others banned them, drawing groups like Groove, Sugar, and later RansomHub. Rapid7’s analysis of 2024 access sales highlighted trends like premium U.S. targets.
Seizure’s Immediate Shockwaves
The takedown disrupts a rare open ransomware venue, forcing migrations to encrypted Telegram channels or smaller groups, per ad-hoc-news.de analysis. These lack RAMP’s scale and trust, hindering new entrants. Flare’s Tammy Harper called it “a meaningful disruption to core criminal infrastructure,” noting chaotic transitions expose actors to risks like reputation loss and infiltration. “Groups such as Nova and DragonForce are reportedly shifting activity toward Rehub,” she told The Register.
Yet experts caution it’s no panacea. Harper emphasized that seizures offer “rare opportunities” for defenders to glean affiliate networks and opsec failures. Ransomware persists via resilient ecosystems; 2025 saw attacks surge 47% despite takedowns, with groups fragmenting and rebranding. Emsisoft reported over 6,000 incidents, driven more by phishing and stolen credentials than by exploits. RAMP’s data haul could fuel arrests, echoing BreachForums seizures. (Source: The Register, on 2025 trends.)
X posts reflect industry buzz: Arnav Sharma hailed it as a “critical blow,” while others shared reports, underscoring rapid awareness without underground panic signals.
Criminal Migration and Law Enforcement Momentum
Crooks scatter to Telegram or nascent forums like DamageLib, the successor that emerged after the XSS takedown. KELA noted Stallman’s DamageLib presence under “Stallman2,” claiming that XSS is under police control, amid deposit fights. RAMP’s loss echoes prior hits (multiple BreachForums seizures, and Cracked.io/Nulled.to in Operation Talent), yet gangs adapt, per Cyble’s 2025 report on 57 new ransomware variants.
FBI’s quiet precision mirrors ALPHV/BlackCat disruptions, where decryption tools saved victims $99 million. Matveev’s $10 million State Department bounty underscores targeting leaders. Treasury sanctions and indictments pressure the ecosystem, but 2026 forecasts predict non-Russian actors outpacing Russians, per Recorded Future.
The seizure banner’s wit signals psychological ops: turning criminals’ bravado against them. As Harper noted, such intel windfalls disrupt collaborations long-term. Industry insiders are watching for arrests from exposed data, potential XSS ripples, and whether RAMP clones emerge, betting on migration chaos over outright collapse. (Source: KELA Cyber.)


WebProNews is an iEntry Publication