The FBI has seized the domains of RAMP, a prominent Russian-language hacking forum used by ransomware groups including LockBit, Qilin, and ALPHV/BlackCat to recruit affiliates and coordinate attacks.
The takedown, executed in coordination with the US Attorney’s Office for the Southern District of Florida, marks one of the most significant law enforcement actions against cybercrime infrastructure this year. Visitors to RAMP’s web addresses now see FBI seizure banners indicating the platform has been taken over by federal authorities.
RAMP Served as a Key Hub for Cybercriminals
RAMP, short for Russian Anonymous Marketplace, operated primarily as a Russian-language underground hacking forum catering to a wide range of cybercriminal actors. These included ransomware-as-a-service (RaaS) affiliates, initial access brokers, and malware operators seeking to buy, sell, or advertise illicit services.
Security researchers have long regarded RAMP as a central meeting place where criminals could access the full attack lifecycle, from purchasing stolen credentials to negotiating ransomware deployments.
The forum also provided discussion boards where users shared tutorials, tools, and operational advice.
Forum Owner Confirms Law Enforcement Takeover
The seizure was publicly acknowledged by a user known as “Stallman,” widely believed to be one of RAMP’s administrators. In a post translated from Russian and shared on X via the XSS hacking forum, Stallman confirmed that law enforcement agencies had gained control of RAMP.
“With regret, I inform you that law enforcement agencies have gained control over the Ramp forum,” the post said. “This event destroyed years of my work to create the freest forum in the world.”
Stallman added that while he would no longer control the platform, he did not plan to launch a replacement forum. He acknowledged that the seizure was always a risk inherent in running an underground hacking forum, even one operating largely outside Western jurisdictions.
Ransomware Gangs Used the Platform to Advertise
RAMP was widely used by some of the most notorious ransomware groups active in recent years. These included LockBit, Qilin, RansomHub, ALPHV/BlackCat, and DragonForce, all of which used the forum to recruit affiliates, promote services, and share operational updates.
The platform also enabled initial access brokers to sell entry points into compromised networks, a key supply chain for ransomware campaigns. According to analysts, this made the forum particularly valuable to threat actors seeking efficiency and scale.
Expert: RAMP Offered the Full Attacker Chain
Ben Clarke, SOC manager at cybersecurity firm CybaVerse, said RAMP’s influence stemmed from its ability to provide attackers with end-to-end services.
“The success of the platform came from providing the entire attacker chain,” Clarke said. “From stolen credentials to malware promotion and ransomware services, everything was accessible in one underground hacking forum.”
Clarke added that removing such a centralized marketplace would cause immediate disruption, but warned against overstating the long-term impact.
How Effective Are Forum Takedowns?
According to Clarke, law enforcement seizures can temporarily slow cybercriminal operations, but they rarely eliminate them entirely.
“Anything that disrupts this activity is a positive step,” he said. “But it would be naive to believe this will have a lasting impact on cybercrime. New platforms will emerge to replace the underground hacking forum that was taken down.”
History supports that assessment. Previous takedowns have often been followed by rapid re-emergence, sometimes under new branding or infrastructure.
Lessons From Past Law Enforcement Actions
Law enforcement has achieved mixed results in past cybercrime operations. The 2022 takedown of the Emotet botnet initially appeared successful, but the malware later resurfaced with renewed activity.
Still, experts argue that dismantling an underground hacking forum remains one of the most effective tools available to authorities.
Daniel Wilcock, a threat analyst at Talion, said such seizures provide invaluable intelligence even if arrests are limited.
“This doesn’t signal the end of ransomware,” Wilcock said. “But law enforcement gains access to emails, IP addresses, and financial transaction data linked to the underground hacking forum.”
Intelligence Gains May Outweigh Arrests
Wilcock noted that while many RAMP users are believed to be based in Russia or neighboring regions—making extraditions unlikely—the data obtained from the seizure could enable future investigations and sanctions.
“Even if we don’t see mass arrests, the intelligence gathered can support further law enforcement action,” he said.
By removing infrastructure and collecting operational data, authorities can raise costs and risks for criminals who rely on underground forum ecosystems.
A Familiar Pattern in Cybercrime Enforcement
The seizure of RAMP follows a familiar pattern in cybercrime enforcement: temporary disruption, intelligence collection, and eventual adaptation by threat actors. Still, each takedown chips away at trust and stability within underground forum communities.
For defenders, the RAMP operation represents another reminder that while cybercrime persists, law enforcement pressure continues to mount—even in the darkest corners of the internet.