Law enforcement actions against darknet marketplaces and cybercrime forums
US and international law enforcement continued disrupting illicit online marketplaces and forums used to trade ransomware services, malware, stolen data, and drugs. The FBI seized the dark web and clear web domains for RAMP, a long-running, predominantly Russian-language cybercrime forum that marketed itself as the “only place ransomware allowed,” and which hosted vetted users, tutorials, and a marketplace for malware and criminal services; the seizure was coordinated with the US Attorney’s Office for the Southern District of Florida and DOJ’s Computer Crime and Intellectual Property Section.
Separately, US prosecutors announced guilty pleas tied to major darknet markets that also sold cybercrime tools and stolen information alongside narcotics. A Virginia man, Raheim Hamilton (aka Sydney/ZeroAngel), co-creator of Empire Market, pleaded guilty to federal drug conspiracy charges related to facilitating roughly $430M in transactions (2018–2020) and designing the market to evade law enforcement using cryptocurrency. A Slovakian national, Alan Bill (aka Vend0r/KingdomOfficial), pleaded guilty for helping operate Kingdom Market (2021–2023), which authorities previously seized in December 2023; investigators linked him to the operation after his arrest with devices and a crypto hardware wallet allegedly containing evidence tying him to the marketplace.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Alan Bill sentencing is scheduled
Bill is scheduled to be sentenced on May 5 and faces significant prison time and financial penalties in the Kingdom Market case.
FBI seizes RAMP cybercrime forum domains
The FBI seized both the dark web and clear web domains of RAMP, with seizure banners citing coordination with the U.S. Attorney's Office for the Southern District of Florida and DOJ's Computer Crime and Intellectual Property Section.
Raheim Hamilton pleads guilty in Empire Market case
Virginia man Raheim Hamilton pleaded guilty to federal drug conspiracy charges tied to co-creating and operating Empire Market, and agreed to forfeit cryptocurrency and properties.
Alan Bill pleads guilty in Kingdom Market case
Alan Bill pleaded guilty to helping operate Kingdom Market and to conspiracy to distribute controlled substances, while agreeing to surrender two domains and forfeit cryptocurrency.
Thomas Pavey pleads guilty in Empire Market case
Co-defendant Thomas Pavey previously pleaded guilty in the Empire Market investigation and faces the same mandatory minimum 10-year federal prison sentence as Raheim Hamilton.
RAMP administrator claims forum earns $250,000 annually
In 2024, the administrator of RAMP claimed the cybercrime forum generated about $250,000 per year.
Alan Bill is arrested at Newark airport
On December 15, 2023, Slovakian national Alan Bill was arrested at Newark Liberty International Airport after investigators linked devices and a hardware wallet to Kingdom Market.
German authorities seize Kingdom Market infrastructure
In December 2023, Germany's BKA seized Kingdom Market's domains and infrastructure, reporting about 42,000 items for sale along with large seller and customer bases.
Undercover investigators make purchases on Kingdom Market
Around July 2022, U.S. federal undercover investigators purchased methamphetamine, fentanyl, and a fraudulent U.S. passport through Kingdom Market, advancing the investigation.
Kingdom Market starts operating
Kingdom Market began operating in March 2021 as a darknet marketplace selling narcotics, cybercrime tools and services, fake IDs, and stolen personal information for cryptocurrency.
RAMP rebrands and continues cybercrime operations
RAMP rebranded in 2021 and continued operating as a prominent forum for ransomware and other cybercrime services, eventually amassing more than 14,000 users.
Empire Market ceases operations after major illegal trade run
Empire Market's operation period ended in 2020 after facilitating roughly $430 million in illegal transactions between thousands of vendors and hundreds of thousands of buyers.
Empire Market begins operating on Tor
Empire Market launched in 2018 as a Tor hidden service promoted as an AlphaBay clone, facilitating illegal sales with drugs as the dominant category.
RAMP cybercrime forum is founded
According to Rapid7, the Russian-language cybercrime forum RAMP was founded and later grew into a major venue for ransomware-related products, tutorials, and services.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Darknet marketplace operator pleads guilty to drug trafficking conspiracy | SC Media
scworld.com
Open sourceSite catering to online criminals has been seized by the FBI - Ars Technica
arstechnica.com
Open sourceEmpire cybercrime market owner pleads guilty to drug conspiracy
bleepingcomputer.com
Open sourceSlovakian man pleads guilty to operating darknet marketplace
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Empire Market Co-Founder Pleads Guilty to Federal Drug Conspiracy Charges
**Empire Market** co-creator **Raheim Hamilton** (aka “Sydney”/“Zero Angel”) pleaded guilty in U.S. federal court in Chicago to a **drug conspiracy** charge tied to operating the dark web marketplace from 2018–2020. Prosecutors said the Tor-hidden service facilitated **over 4 million transactions** totaling **more than $430 million**, primarily **illegal drug sales (~$375 million)**, and also enabled sales of **stolen credentials, personal data, counterfeit currency, and hacking tools**; Hamilton admitted the platform was designed to evade law enforcement and launder proceeds via **cryptocurrency-only** payments. Hamilton and co-defendant **Thomas Pavey** (aka “Dopenugget”) were previously charged for running the market and allegedly had earlier involvement selling counterfeit currency on **AlphaBay** before launching Empire Market. Reporting indicates law enforcement conducted **undercover purchases** (including heroin and methamphetamine), and the investigation resulted in significant cryptocurrency seizures (reported at **~$75 million**) and forfeiture commitments including **Bitcoin, Ether, and property**; Hamilton faces a **mandatory minimum of 10 years** and up to **life** in prison, with sentencing scheduled for **June 17, 2026**.
Mar 21, 2026
Sentencing in Darknet Drug Trafficking and Marketplace Operations
US federal courts issued prison sentences tied to **darknet-enabled drug trafficking**. In Los Angeles, **Davit Avalyan** received a **57-month** sentence after pleading guilty to conspiracy to distribute narcotics as part of a multi-year operation that used numerous darknet vendor accounts/storefronts (e.g., *JoyInc*, *PlanetHollywood*, *LaFarmacia*) to sell cocaine, methamphetamine, MDMA, and ketamine nationwide, taking payment in cryptocurrency including **Bitcoin** and **Monero**, and shipping parcels via **USPS**. Separately, reporting on the **Incognito** darknet market case describes sentencing filings alleging that an **FBI-controlled informant/asset** helped administer the marketplace while opioid and fentanyl-tainted products were sold, including claims the informant ignored internal alerts and user complaints about suspected fentanyl-laced pills. A third item—about a Ukrainian national sentenced for facilitating **North Korean remote IT worker infiltration** using stolen identities and US-based “laptop farms”—is a different national-security/cyber-enabled fraud matter and not part of the darknet drug-market sentencing story.
Mar 21, 2026
US Law Enforcement Actions Targeting Crypto-Enabled Crime and Illicit Marketplaces
US authorities reported multiple enforcement actions tied to **crypto-enabled crime**. In the Empire Market case, prosecutors said co-creators **Raheim Hamilton** and **Thomas Pavey** designed the dark web marketplace to help users evade law enforcement and launder proceeds; the market allegedly facilitated about **$430M** in transactions (drugs, stolen payment data, counterfeit currency) before disappearing in 2020 in what investigators described as an exit scam that stole an estimated **$30M** in bitcoin. Hamilton pleaded guilty to federal drug conspiracy charges and agreed to forfeit roughly **1,230 BTC** plus **24.4 ETH** and real estate; Pavey previously pleaded guilty and agreed to forfeit about **1,584 BTC** and other assets. Separately, reporting highlighted alleged misuse and laundering of digital assets in other contexts. On-chain investigator **ZachXBT** traced movements from wallets associated with **US-seized crypto** (held under U.S. Marshals Service custodianship) to wallets allegedly linked to **John Daghita**, the son of a federal contractor executive, with claims of roughly **$23M** in diverted cryptocurrency and another wallet holding about **$36M** in Ethereum; ZachXBT said he alerted the **U.S. Marshals Service**. In another DOJ case, **Jingliang Su** (a Chinese national) was sentenced to **46 months** for laundering proceeds from a cryptocurrency investment fraud that authorities said victimized **174** people for **$36.9M**, using social engineering via social media/dating platforms and counterfeit trading sites, with **$26.9M** restitution ordered and multiple US agencies involved in tracing funds and dismantling the network.
Mar 21, 2026