
FBI Seizes RAMP Cybercrime Forum

2 unique sources, 2 articles

Summary


The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem.

Timeline

  1. 29.01.2026 15:05 1 article · 23h ago

    RAMP Administrator Confirms No Plans to Rebuild

    Stallman, the administrator of RAMP, issued an official comment regarding the RAMP seizure on January 28, confirming there were no plans to rebuild the forum. This decision is likely linked to concerns about his own freedom and the heightened scrutiny from law enforcement.

  2. 29.01.2026 15:05 1 article · 23h ago

    Impact of RAMP Takedown on Cybercriminal Ecosystem

    The RAMP takedown represents a meaningful disruption to a core piece of criminal infrastructure. It is expected to mostly impact low-tier actors, disrupt distribution and sales for underground sellers, have minimal impact on top-tier groups, and reduce Russian security services' visibility into ransomware processes and sellers.

  3. 28.01.2026 19:38 2 articles · 1d ago

    FBI Seizes RAMP Cybercrime Forum

    The FBI has seized the RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, including ransomware operations. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was launched in July 2021 by a threat actor known as Orange, who was later identified as Russian national Mikhail Matveev. The seizure notice displays a taunting message using RAMP's own slogan and an image of Masha, a Russian cartoon character, winking. The domains linked to RAMP now redirect to seizure notices bearing FBI and DoJ seals, and their nameservers have been updated to ns1.fbi.seized.gov and ns2.fbi.seized.gov.


Information Snippets

  • The FBI seized the RAMP cybercrime forum, including its Tor site and clearnet domain.

    First reported: 28.01.2026 19:38
    2 sources, 2 articles
  • The seizure notice displays a taunting message using RAMP's own slogan.

    First reported: 28.01.2026 19:38
    2 sources, 2 articles
  • The forum was launched in July 2021 by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.

    First reported: 28.01.2026 19:38
    2 sources, 2 articles
  • Orange was previously the administrator of the Babuk ransomware operation.

    First reported: 28.01.2026 19:38
    2 sources, 2 articles
  • The individual behind the Orange and Wazawaka aliases was identified as Russian national Mikhail Matveev.

    First reported: 28.01.2026 19:38
    2 sources, 2 articles
  • Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive.

    First reported: 28.01.2026 19:38
    2 sources, 2 articles
  • The seizure notice displays a taunting message using RAMP's own slogan and an image of Masha, a Russian cartoon character, winking.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • The domains linked to RAMP now redirect to seizure notices bearing FBI and DoJ seals, and their nameservers have been updated to ns1.fbi.seized.gov and ns2.fbi.seized.gov.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • Another key operator, known as 'Stallman,' was still the forum’s administrator when the takedown occurred.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • Stallman played a central role in maintaining trust, enforcing rules, and managing the platform’s technical operations.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • RAMP was created by individuals closely affiliated with the Russian security services as a response to the ransomware-as-a-service (RaaS) sprawl.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • RAMP was a prime hub for new and low-to-mid-tier ransomware groups to promote themselves, offer services, and be as visible as possible.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • Many notorious ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub, operated on this forum at various points.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • Stallman issued an official comment regarding the RAMP seizure on January 28, confirming there were no plans to rebuild.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • The RAMP takedown represents a meaningful disruption to a core piece of criminal infrastructure.

    First reported: 29.01.2026 15:05
    1 source, 1 article
  • The RAMP takedown will mostly impact low-tier actors, disrupt distribution and sales for underground sellers, have minimal impact on top-tier groups, and reduce Russian security services' visibility into ransomware processes and sellers.

    First reported: 29.01.2026 15:05
    1 source, 1 article

Similar Happenings

Black Basta Leader Identified and Added to Interpol's Red Notice List

Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.

Conti Ransomware Member Extradited from Ireland to US

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States and appeared in a Tennessee court on charges related to the Conti ransomware operation. He is accused of conspiring to deploy Conti ransomware, extorting over $500,000 in cryptocurrency from victims in the Middle District of Tennessee, and publishing stolen information. The Conti ransomware operation has been linked to over 1,000 victims worldwide, with ransom payments exceeding $150 million as of January 2022. Lytvynenko faces charges that could lead to 25 years in prison, including 20 years for wire fraud conspiracy and 5 years for computer fraud conspiracy. He was arrested in July 2023 by Irish authorities and detained until his extradition. The Conti group, initially a ransomware operation, evolved into a larger cybercrime syndicate, controlling multiple malware operations. After shutting down, its members have infiltrated other cybercrime groups. The FBI estimates Conti's malware was used in more critical infrastructure attacks than any other ransomware variant.

Volodymyr Tymoshchuk Charged for LockerGoga, MegaCortex, Nefilim Ransomware Operations

Ukrainian national Volodymyr Viktorovich Tymoshchuk has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk faces multiple charges related to computer fraud, unauthorized access, and threatening to disclose confidential information. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities. Nefilim ransomware has been rebranded as Fusion, Milihpen, Gangbang, Nemty, and Karma.

LockBit 4.0 Leak Exposes Disorganized Ransomware Ecosystem

LockBit 4.0's affiliate panel was compromised in May 2025, revealing a chaotic and disorganized ransomware ecosystem. The leak exposed thousands of chat messages, ransomware builds, and internal data, showing that affiliates operate with little oversight and vary widely in professionalism. The leak highlights the unpredictability and fragmentation of the ransomware-as-a-service (RaaS) landscape, making it harder for defenders to prepare and respond to attacks. The leak occurred on May 7, 2025, and included over 4,000 chat messages, thousands of ransomware builds, internal user tags, and cryptowallet data. The exposed communications revealed that affiliates often ignore victims, deliver broken decryption tools, and dodge payments to the LockBit platform. Some affiliates even targeted prohibited entities, including Russian state organizations. The leak underscores the difficulty in defending against such fragmented and unpredictable threats.

BlackSuit Ransomware Infrastructure Disrupted in International Law Enforcement Operation

On July 24, 2025, an international law enforcement operation led by the U.S. Department of Homeland Security's Homeland Security Investigations (HSI) targeted the BlackSuit ransomware gang. The operation resulted in the takedown of four servers and nine domains, as well as the seizure of over $1 million in cryptocurrency. BlackSuit, also known as Royal, has been active since 2022 and has targeted over 450 victims in the U.S., including critical infrastructure sectors such as education, healthcare, energy, and government entities. The operation involved multiple U.S. agencies and international partners from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania. The goal is to disrupt the ransomware ecosystem and hold cybercriminals accountable.