Notorious Russia-based RAMP cybercrime forum apparently seized by FBI
Summary
Websites for the RAMP cybercrime forum — a long-standing Russian marketplace used by ransomware groups and initial access brokers — have been replaced by a splash page claiming an FBI seizure. The U.S. Department of Justice has not publicly confirmed the action, and some observers have questioned the authenticity of the takedown, given past elaborate exit scams in the ransomware space.
DNS records reportedly showed the clearnet site redirecting to an FBI domain typically used in takedowns. The public notice names the United States Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section but lacks the logos of international law enforcement partners often seen in coordinated operations.
RAMP served Russian, Chinese and English-speaking cybercriminals, especially ransomware affiliates. Administrators have included Mikhail Matveev; ownership was said to have been transferred to a hacker known as Stallman. Stallman posted on XSS acknowledging law enforcement control of RAMP and said they would not rebuild the forum, though they intend to continue criminal activity by buying access to victim networks.
Security experts note that seizure operations are part of a broader strategy to fragment the ransomware ecosystem and prevent market dominance by any single group.
Key Points
- RAMP’s websites show a splash page claiming they were seized by the FBI.
- The U.S. Department of Justice has not issued a public statement; the authenticity of the seizure is being questioned.
- DNS records reportedly redirected RAMP’s clearnet site to an FBI domain commonly used for takedowns.
- The seizure notice references the Southern District of Florida and DOJ CCIPS but omits international agency logos typical of coordinated takedowns.
- RAMP catered to ransomware groups and initial access brokers across multiple language communities.
- Administrator Stallman acknowledged law enforcement control and said they would not start a new forum, but would continue criminal activity via purchased access.
- Experts say frequent disruption operations aim to keep the ransomware ecosystem decentralised and hinder dominant groups from emerging.
Content summary
The article reports that the RAMP cybercrime forum's websites have been replaced with an FBI seizure notice, while the DOJ has yet to confirm the action publicly. It highlights technical signs (DNS redirects to an FBI domain) and unusual aspects of the notice (lack of international partner logos). The piece recalls prior cases where alleged takedowns were later questioned and includes commentary on the strategic role of seizures in disrupting ransomware markets.
Context and relevance
This matters because RAMP was a central market for affiliates and initial access brokers who fuel ransomware campaigns. A legitimate seizure would be a notable disruption to criminal infrastructure, but uncertainty around the takedown underscores how murky attribution and deception can be in the cybercrime world (see prior AlphV/BlackCat exit-scam confusion). For defenders and incident responders, the event — confirmed or not — affects short-term threat actor behaviours, resale of access, and the broader arms race between law enforcement and organised cybercrime.
Author style
Punchy: this is concise, no-nonsense reporting. If the seizure is genuine, it’s a significant disruption; if not, it’s another reminder that the cybercrime ecosystem is noisy and deceptive. Either way, the detail is worth scanning for practitioners who track ransomware infrastructure and threat actor economics.
Why should I read this?
Because it’s the kind of development that can shake up who’s able to mount ransomware attacks next month. Whether the FBI really did it or someone’s playing tricks, this story tells you about gaps and tactics in both criminal markets and law enforcement — and that’s the stuff defenders need to know fast.
Source
Source: https://therecord.media/notorious-russia-based-ramp-forum-seized
