FBI Seizes RAMP Cybercrime Forum Used by Ransomware Gangs
Jan 29, 2026
The FBI has seized control of the notorious RAMP cybercrime forum — a long-running online platform that ransomware gangs, initial access brokers, and malware operators used to advertise services, recruit affiliates, and trade illicit tools and access credentials.
Both RAMP’s clearnet domain (ramp4u[.]io) and its Tor site are now displaying federal seizure banners indicating that the forum has been taken offline by U.S. law enforcement.
This action, coordinated with the United States Attorney’s Office for the Southern District of Florida and the Department of Justice’s Computer Crime and Intellectual Property Section, represents a major disruption to one of the few cybercrime hubs that openly tolerated ransomware-related activity.
What Happened?
On January 28, 2026, the FBI executed a seizure operation that took over RAMP’s infrastructure, including its public domain and hidden Tor services. Both now display official seizure notices indicating that the FBI has assumed control.
Domain name servers for the forum were switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov, signaling full domain control and giving law enforcement potential access to server data such as user email addresses, IP addresses, private messages, and other records.
An alleged former forum operator known as “Stallman” publicly confirmed the seizure on an underground forum, acknowledging that law enforcement had taken control of the site’s infrastructure.
The FBI has not yet issued a formal public statement or press release regarding the operation.
What Was RAMP?
RAMP (originally launched in July 2021) was created following the banning of ransomware discussions by other major Russian-speaking hacking forums like Exploit and XSS, which came under pressure from law enforcement after high-profile incidents such as the Colonial Pipeline attack.
Positioning itself as “one of the last places ransomware was allowed,” RAMP quickly became a central hub for ransomware-as-a-service (RaaS) operators, initial access brokers, and other cybercriminal communities seeking to buy or sell malware, access, stolen data, and exploit services.
The forum was tied to threat actors including the operator “Orange” (also known as Wazawaka/BorisElcin) — who was previously linked to the Babuk ransomware group.
Why This Matters
Law Enforcement Gains Insight
The seizure gives U.S. authorities potential access to vast troves of forum data, including user identities and communications — which may lead to future arrests and indictments of threat actors who operated with poor operational security.
Disruption of Cybercrime Ecosystem
RAMP’s removal disrupts an important channel for ransomware recruitment, collaboration, and commerce. With fewer centralized forums that openly tolerate ransomware activity, threat actors may be forced to adopt more clandestine and fragmented communications — complicating their operations but also potentially making them harder to track.
Shifts in Tactics
Criminals displaced by RAMP’s seizure are likely to shift to alternative platforms, encrypted messaging channels, or emerging underground markets — requiring defenders to adjust threat monitoring approaches accordingly.
Threat Impact Table
| Threat Aspect | Impact |
|---|---|
| RAMP forum seizure | Significant disruption |
| Loss of central ransomware hub | Yes |
| Law enforcement access to user data | Possible |
| Direct arrests reported | Not yet |
| Shift to decentralized channels | Expected |
| Ransomware recruitment inhibited | Short-term |
Key: Confirmed / Unconfirmed
What Should Security Teams Do?
1. Monitor Emerging Channels
With RAMP gone, threat actors will likely migrate to new forums or encrypted platforms. SOC and threat intel teams should broaden monitoring scopes.
2. Analyze Potential Indicators
Data seized from RAMP may yield indicators of compromise (IOCs) over time. Staying updated via threat feeds and law enforcement disclosures will be critical.
3. Review Ransomware Defenses
Reinforce ransomware protections such as endpoint detection, network segmentation, and incident response readiness. Proactive defenses limit opportunities for attackers even as they evolve.