FBI Seizure of RAMP Cybercrime Forum Used by Ransomware Gangs
US law enforcement seized the RAMP (Russian Anonymous Marketplace) cybercrime forum’s infrastructure, taking over both its Tor and clearnet presence and replacing them with a “This Site Has Been Seized” banner attributed to the FBI, coordinated with the US Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section (CCIPS). RAMP was a key marketplace for ransomware-as-a-service (RaaS) promotion and related criminal services, including activity by extortionists and initial access brokers; the seizure banner also taunted operators with the forum’s slogan, “THE ONLY PLACE RANSOMWARE ALLOWED!,” alongside an image of Masha from the Russian children’s cartoon.
While authorities had not publicly detailed the operation at the time of reporting, technical indicators supported the takeover, including DNS changes consistent with prior FBI seizures (e.g., nameservers set to ns1.fbi.seized.gov / ns2.fbi.seized.gov). Reporting also cited an alleged operator (“Stallman”) acknowledging law enforcement control, and noted the seizure could expose forum user data (e.g., email addresses, IP addresses, and private messages), increasing identification and arrest risk for actors with poor OPSEC. Background context indicates RAMP emerged after other Russian-language forums restricted ransomware promotion under increased law-enforcement pressure.
Related Stories

FBI Seizure of the RAMP Cybercrime Forum
U.S. law enforcement has **seized the RAMP cybercrime forum**, a long-running hub used to advertise and facilitate ransomware operations, malware distribution, and other illicit services. Both the forum’s Tor presence and clearnet domain (reported as `ramp4u[.]io`) were replaced with an FBI seizure banner indicating coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section; the forum’s administrator reportedly acknowledged the takedown publicly on the XSS forum. Reporting notes RAMP emerged as a dedicated venue for ransomware promotion after other major forums restricted such activity, and that criminal communities are already attempting to migrate to alternative platforms.
Separate reporting also highlighted other cybercrime enforcement actions (including indictments tied to **Ploutus**-based ATM jackpotting and other marketplace disruptions), but those are distinct from the RAMP seizure.
A different, unrelated incident involved a **supply-chain compromise of eScan antivirus** update infrastructure in which attackers briefly pushed a backdoor via a trojanized `Reload.exe` that altered update settings, established persistence via a scheduled task, and contacted a C2 to retrieve additional payloads; this event is not connected to the RAMP takedown and should be tracked independently as a vendor update-channel compromise affecting customer environments.
Law enforcement actions against darknet marketplaces and cybercrime forums
US and international law enforcement continued disrupting illicit online marketplaces and forums used to trade **ransomware services, malware, stolen data, and drugs**. The FBI seized the dark web and clear web domains for **RAMP**, a long-running, predominantly Russian-language cybercrime forum that marketed itself as the “only place ransomware allowed,” and which hosted vetted users, tutorials, and a marketplace for malware and criminal services; the seizure was coordinated with the US Attorney’s Office for the Southern District of Florida and DOJ’s Computer Crime and Intellectual Property Section.
Separately, US prosecutors announced guilty pleas tied to major darknet markets that also sold **cybercrime tools and stolen information** alongside narcotics. A Virginia man, **Raheim Hamilton** (aka `Sydney`/`ZeroAngel`), co-creator of **Empire Market**, pleaded guilty to federal drug conspiracy charges related to facilitating roughly **$430M** in transactions (2018–2020) and designing the market to evade law enforcement using cryptocurrency. A Slovakian national, **Alan Bill** (aka `Vend0r`/`KingdomOfficial`), pleaded guilty for helping operate **Kingdom Market** (2021–2023), which authorities previously seized in December 2023; investigators linked him to the operation after his arrest with devices and a crypto hardware wallet allegedly containing evidence tying him to the marketplace.
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts.
Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.