FBI Disrupts Russian Cybercrime

The FBI swooped in on January 28, 2026, seizing RAMP’s clearnet and Tor domains in a major blow to the cybercriminal underworld. The seizure banner, which now greets visitors to the former ransomware hub, mockingly displays RAMP’s own slogan: “THE ONLY PLACE RANSOMWARE ALLOWED!” Guess that didn’t work out so well for them.

This takedown, coordinated with the US Attorney’s Office for the Southern District of Florida and the DOJ Computer Crime Section, follows the recent XSS.IS shutdown and administrator arrest in Ukraine. The feds had apparently been circling since mid-July 2025. They’re on a roll.

RAMP emerged in July 2021, filling a void after other Russian forums banned ransomware discussions following the Colonial Pipeline attack. Launched by Mikhail Matveev, aka “Orange,” the forum repurposed old Babuk ransomware infrastructure to attract traffic fast. Smart move, terrible ethics.

RAMP filled the ransomware void with recycled Babuk infrastructure—a clever strategy from Matveev with zero moral compass.

Matveev, who used aliases including Wazawaka and BorisElcin, didn’t hide his connection to RAMP. He bragged about creating it during a Recorded Future interview before walking away due to DDoS attacks and poor profits. He was eventually arrested in Russia in 2024, despite having a $10 million US bounty on his head. Some say he had Russian security services connections. Shocking, right?

The forum had grown to 14,000 members by its demise. It offered everything a cybercriminal could want: leaked data auctions, custom exploits, network access sales, and of course, Ransomware-as-a-Service programs. Entry wasn’t easy: either two months of activity on other forums or a $500 fee. The FBI’s technical approach to the seizure included updating nameservers to domains they controlled.

Following the seizure, a user named Stallman confirmed the feds had total control, calling RAMP “the most free forum.” The FBI likely now has access to user data including email addresses and possibly IP information of forum participants. No plans for a revival. Game over.

This shutdown dismantles what analysts call the last open ransomware market, following successful disruptions of ALPHV/BlackCat operations that saved victims $99 million. For Russian cybercriminals, the playground just got a lot smaller.
