The Federal Bureau of Investigation has seized RAMP (Russian Anonymous Marketplace), a dark web cybercrime forum that served as one of the last platforms where ransomware-as-a-service operations were openly promoted. The takedown represents a significant blow to the ransomware ecosystem’s infrastructure.
Seizure details
| Attribute | Details |
|---|---|
| Date | January 28, 2026 |
| Lead agency | FBI |
| Coordinating agencies | US Attorney’s Office (S.D. Florida), DOJ CCIPS |
| Domains seized | Tor hidden service, ramp4u[.]io (clearnet) |
| Platform users | 14,000+ |
| Registration fee | $500 or 2 months activity on other forums |
| Facilitated damages | Hundreds of millions (estimated) |
The seizure notice
Both the forum’s Tor site and clearnet domain now display FBI seizure banners. In characteristic trolling, the FBI included RAMP’s own slogan—“THE ONLY PLACE RANSOMWARE ALLOWED!”—alongside an image of Masha from the Russian children’s cartoon “Masha and the Bear,” winking.
| Element | Significance |
|---|---|
| RAMP slogan included | Deliberate mockery |
| Masha cartoon character | Russian cultural reference |
| Multi-agency logos | International coordination |
| Seizure timestamp | Evidence of access |
The reference is pointed: Masha is a mischievous young girl who creates chaos, suggesting the FBI views the forum operators similarly.
Why RAMP mattered
Origin story
RAMP launched in July 2021 following a pivotal moment in ransomware history. After the DarkSide attack on Colonial Pipeline caused gas shortages across the US East Coast, major Russian-speaking forums Exploit and XSS banned ransomware promotion to reduce law enforcement heat.
| Date | Event |
|---|---|
| May 2021 | Colonial Pipeline attack causes US gas shortages |
| May 2021 | Exploit and XSS forums ban ransomware content |
| July 2021 | RAMP launches to fill the void |
| 2021-2026 | RAMP becomes primary ransomware marketplace |
RAMP filled the void, becoming the only major forum explicitly permitting ransomware-as-a-service activity.
Forum statistics
| Metric | Value |
|---|---|
| Total users | 14,000+ |
| Entry requirement | $500 fee OR 2 months activity elsewhere |
| Primary language | Russian |
| Operational period | July 2021 – January 2026 |
| Status | Seized |
Services offered
| Category | Examples |
|---|---|
| RaaS recruitment | Affiliate programs for major ransomware gangs |
| Initial access | Compromised VPN credentials, RDP access, corporate network footholds |
| Malware | Infostealers, loaders, custom tooling |
| Data trading | Stolen databases, exfiltrated corporate data |
| Money laundering | Cryptocurrency mixing, cash-out services |
| Exploit sales | Zero-days and n-days |
Notable ransomware operations on RAMP
| Group | Status | Notable attacks |
|---|---|---|
| LockBit | Disrupted Feb 2024, rebuilding | Thousands of victims globally |
| ALPHV/BlackCat | Exit scammed Dec 2023 | Change Healthcare ($22M ransom) |
| Conti | Disbanded 2022 | Costa Rica government |
| Qilin | Active | Healthcare, critical infrastructure |
| DragonForce | Active | Various sectors |
| RansomHub | Active | Enterprise targets |
Operator background
Mikhail Matveev (“Wazawaka”)
One of RAMP’s operators was identified as Mikhail Matveev, a Russian national known by aliases including:
| Alias | Context |
|---|---|
| Orange | Forum administrator handle |
| Wazawaka | Hacking community identity |
| BorisElcin | Alternative handle |

| Status | Details |
|---|---|
| FBI Most Wanted | Added 2023 |
| Arrest | Russia, 2024 |
| Charges | Ransomware conspiracy, computer fraud |
| Extradition | Unlikely given Russia’s stance |
Matveev was added to the FBI Most Wanted list and subsequently arrested in Russia in 2024. His identification marked the beginning of RAMP’s troubles.
“Stallman” responds
Following the seizure, an individual using the handle “Stallman” (another alleged RAMP operator) acknowledged the takedown on the XSS hacking forum:
“Law enforcement has gained control of RAMP. I will not create a new forum, but my core business remains unchanged. This event destroyed years of my work to create the most free forum in the world.”
The statement suggests the operator intends to continue criminal activity through other channels, likely private Telegram groups or invite-only forums.
Database leak
Shortly after the seizure announcement, screenshots from a suspected RAMP database leak appeared in a Telegram channel.
| Data type | Significance |
|---|---|
| User email addresses | Potential identification of criminals |
| Private messages | Intelligence on criminal coordination |
| Transaction records | Evidence for prosecution |
| Registration data | Identity correlation |
| LockBit operator email | Allegedly used for forum registration |
The LockBit email is particularly significant—if authentic, it could provide investigators with additional leads on one of the most prolific ransomware operations.
Intelligence value
| Application | Benefit |
|---|---|
| Identity correlation | Link pseudonyms to real identities |
| Criminal network mapping | Understand relationships |
| Prosecution evidence | Support indictments |
| Future investigations | Lead generation |
| Victim notification | Alert compromised organizations |
Ecosystem adaptation
With RAMP gone, ransomware operators have fewer centralized platforms. Observed and expected adaptations:
| Adaptation | Status |
|---|---|
| Private Telegram channels | Already in use |
| Rehub forum | Nova, DragonForce reportedly migrating |
| Invite-only forums | Higher barrier, harder to infiltrate |
| Direct recruitment | Leveraging existing networks |
| Decentralized markets | Blockchain-based alternatives emerging |
Migration patterns
| Group | Reported destination |
|---|---|
| Nova | Rehub forum |
| DragonForce | Rehub forum |
| Others | Private Telegram channels |
Impact assessment
| Effect | Status |
|---|---|
| RAMP marketplace offline | Confirmed |
| Criminal operations disrupted | Temporary |
| User/transaction data seized | Intelligence windfall |
| Affiliate recruitment interrupted | Short-term |
Long-term implications
| Effect | Likelihood | Timeline |
|---|---|---|
| Arrests from seized data | High | 6 months |
| Prosecution of affiliates | Moderate-high | 12-18 months |
| Ecosystem fragmentation | High | Ongoing |
| New forums emerging | Certain | Already occurring |
| Increased OPSEC among criminals | Certain | Immediate |
Pattern of enforcement
The RAMP seizure continues an aggressive law enforcement campaign against ransomware infrastructure:
| Date | Action | Target |
|---|---|---|
| February 2024 | Operation Cronos | LockBit infrastructure |
| December 2023 | Exit scam pressure | ALPHV/BlackCat |
| 2023-2024 | Multiple arrests | Conti affiliates |
| January 2026 | Seizure | RAMP forum |
Each action forces criminals to rebuild infrastructure, recruit new affiliates, and establish new trust relationships—all of which create friction and intelligence opportunities.
Recommendations
For organizations
The RAMP seizure may lead to short-term behavioral changes:
| Risk | What to expect |
|---|---|
| Increased attacks | Criminals may accelerate before potential arrest |
| New extortion tactics | Adaptation to infrastructure loss |
| Affiliate movement | Operators joining different RaaS programs |
| Desperation attacks | Less discriminate targeting |
Defensive measures
| Control | Purpose |
|---|---|
| Current, tested backups | Survive ransomware encryption |
| Incident response plans | Ready for activation |
| Initial access monitoring | Detect compromised credentials |
| Dark web monitoring | Track exposure and targeting |
| Employee awareness | Phishing and social engineering |
For threat intelligence teams
| Action | Purpose |
|---|---|
| Monitor Telegram | Track RAMP successor channels |
| Track forum discussions | Ecosystem adaptation intelligence |
| Analyze leaked database | Identity correlation (if public) |
| Update IOC feeds | Revealed infrastructure |
| Map affiliate migration | Understand new relationships |
Context
RAMP’s seizure demonstrates that even forums operating exclusively on Tor can be taken down. The combination of OPSEC failures (Matveev identification), coordinated international pressure, and persistent investigation eventually compromises criminal infrastructure.
| Factor | Outcome |
|---|---|
| OPSEC failure | Operator identified |
| International cooperation | Multi-agency action |
| Persistent investigation | Years of intelligence gathering |
| Legal tools | Effective seizure mechanisms |
However, the ransomware ecosystem is resilient. New forums will emerge, recruitment will shift to more distributed channels, and criminal operations will continue. The value of takedowns lies in:
| Benefit | Explanation |
|---|---|
| Intelligence gathered | Database enables future investigations |
| Friction created | Criminals must rebuild |
| Occasional prosecution | Some operators face consequences |
| Deterrence | Increased operational risk |
The leaked database may prove more valuable than the seizure itself. If it contains authentic operator information, expect arrests and indictments in the coming months. The alleged LockBit operator email, if verified, could provide a significant break in one of the most impactful ransomware investigations.