FBI Seizes RAMP Cybercrime Forum
Summary
The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem.

Additionally, the FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. The forum had over 142,000 members and more than 215,000 messages between members as of December 2025. The seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries. The operation included the shutdown of LeakBase's domains, posting seizure banners, and warning members of the seizure. Law enforcement executed search warrants, made arrests, and conducted interviews in multiple countries. The seizure banner notes that the forum's database and all its contents, including IP logs and private messages, will be used for evidentiary purposes in future investigations. The domain nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The operation involved around 100 enforcement actions worldwide, including measures against 37 of the most active users of the platforms. LeakBase was active since 2021 and had over 142,000 members, offering access to databases, a market for selling leaks, exploits, and other cybercrime services, and an escrow payment system.
Timeline
- 04.03.2026 19:44 · 3 articles
FBI Seizes LeakBase Cybercrime Forum
The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. The forum had over 142,000 members and more than 215,000 messages between members as of December 2025. The seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries. The operation included the shutdown of LeakBase's domains, posting seizure banners, and warning members of the seizure. Law enforcement executed search warrants, made arrests, and conducted interviews in multiple countries. The seizure banner notes that the forum's database and all its contents, including IP logs and private messages, will be used for evidentiary purposes in future investigations. The domain nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The operation involved around 100 enforcement actions worldwide, including measures against 37 of the most active users of the platforms. LeakBase was active since 2021 and had over 142,000 members, offering access to databases, a market for selling leaks, exploits, and other cybercrime services, and an escrow payment system. LeakBase facilitated an illegal trade in stolen data, including stealer logs - archives of stolen credentials harvested through infostealer malware. LeakBase had around 32,000 posts and over 215,000 private messages sent by its users as of December 2025. Coordinated action on March 3 led to arrests, house searches, and 'knock-and-talk' interviews by police in the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK. Europol claimed 37 of the most active users of the platforms were targeted by police, as well as dozens more. Europol has vowed to continue tracing and unmasking offenders that used the site. 
Edvardas Šileris, head of Europol’s European Cybercrime Centre, stated that this operation shows that no corner of the internet is beyond the reach of international law enforcement.
Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- 29.01.2026 15:05 · 1 article
RAMP Administrator Confirms No Plans to Rebuild
Stallman, the administrator of RAMP, issued an official comment regarding the RAMP seizure on January 28, confirming there were no plans to rebuild the forum. This decision is likely linked to concerns about his own freedom and the heightened scrutiny from law enforcement.
Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- 29.01.2026 15:05 · 1 article
Impact of RAMP Takedown on Cybercriminal Ecosystem
The RAMP takedown represents a meaningful disruption to a core piece of criminal infrastructure. It is expected to mostly impact low-tier actors, disrupt distribution and sales for underground sellers, have minimal impact on top-tier groups, and reduce Russian security services' visibility into ransomware processes and sellers.
Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- 28.01.2026 19:38 · 2 articles
FBI Seizes RAMP Cybercrime Forum
The FBI has seized the RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, including ransomware operations. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was launched in July 2021 by a threat actor known as Orange, who was later identified as Russian national Mikhail Matveev. The seizure notice displays a taunting message using RAMP's own slogan and an image of Masha, a Russian cartoon character, winking. The domains linked to RAMP now redirect to seizure notices with FBI and DoJ seals and the nameservers have been updated to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
Information Snippets
- The FBI seized the RAMP cybercrime forum, including its Tor site and clearnet domain.
  First reported: 28.01.2026 19:38 (2 sources, 2 articles). Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The seizure notice displays a taunting message using RAMP's own slogan.
  First reported: 28.01.2026 19:38 (2 sources, 2 articles). Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The forum was launched in July 2021 by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.
  First reported: 28.01.2026 19:38 (2 sources, 2 articles). Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- Orange was previously the administrator of the Babuk ransomware operation.
  First reported: 28.01.2026 19:38 (2 sources, 2 articles). Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The individual behind the Orange and Wazawaka aliases was identified as Russian national Mikhail Matveev.
  First reported: 28.01.2026 19:38 (2 sources, 2 articles). Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive.
  First reported: 28.01.2026 19:38 (2 sources, 2 articles). Sources:
- FBI seizes RAMP cybercrime forum used by ransomware gangs — www.bleepingcomputer.com — 28.01.2026 19:38
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The seizure notice displays a taunting message using RAMP's own slogan and an image of Masha, a Russian cartoon character, winking.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The domains linked to RAMP now redirect to seizure notices with FBI and DoJ seals, and the nameservers have been updated to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- Another key operator, known as 'Stallman,' was still the forum’s administrator when the takedown occurred.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- Stallman played a central role in maintaining trust, enforcing rules, and managing the platform’s technical operations.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- RAMP was created by individuals closely affiliated with the Russian security services as a response to the ransomware-as-a-service (RaaS) sprawl.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- RAMP was a prime hub for new and low-to-mid-tier ransomware groups to promote themselves, offer services, and be as visible as possible.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- Many notorious ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub, operated on this forum at various points.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- Stallman issued an official comment regarding the RAMP seizure on January 28, confirming there were no plans to rebuild.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The RAMP takedown represents a meaningful disruption to a core piece of criminal infrastructure.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The RAMP takedown will mostly impact low-tier actors, disrupt distribution and sales for underground sellers, have minimal impact on top-tier groups, and reduce Russian security services' visibility into ransomware processes and sellers.
  First reported: 29.01.2026 15:05 (1 source, 1 article). Sources:
- FBI Takes Down RAMP Ransomware Forum — www.infosecurity-magazine.com — 29.01.2026 15:05
- The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- The seizure action is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- On March 3 and 4, the FBI and law enforcement agents shut down LeakBase by seizing two of its domains, posting seizure banners, and warning LeakBase members of the seizure after collecting further evidence.
  First reported: 04.03.2026 19:44 (2 sources, 2 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Police officers and investigators executed search warrants, made arrests, and conducted interviews in the United States and across Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- LeakBase's domain (leakbase[.]la) now displays a notice stating 'This website has been seized by the Federal Bureau of Investigation (FBI) as part of an international law enforcement operation.'
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- The seizure banner notes that the forum's database and all its contents, including IP logs and private messages, will be used for 'evidentiary purposes' in future investigations.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- The domain nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov, the nameservers used by the FBI when seizing domains.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- On 3 March, law enforcement authorities carried out coordinated enforcement actions across multiple jurisdictions, including arrests, house searches, and 'knock-and-talk' interventions. Around 100 enforcement actions were conducted worldwide, including measures against 37 of the most active users of the platforms.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- On 4 March, authorities moved to the technical disruption phase, seizing the forum's domain and replacing it with a law enforcement splash page. The operation now enters a prevention phase aimed at deterring further criminal activity and raising awareness of the consequences of engaging in cybercrime.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Active since 2021, LeakBase was launched as a project supported by the ARES threat group, and it gradually grew its user base to more than 142,000 members following the closure of the Breached hacker forum.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- The forum was free to join and offered access to databases, a market for selling leaks, exploits, and other cybercrime services, and an escrow payment system. It also hosted spaces for programming, hacking tips, social engineering, cryptography, and opsec guides.
  First reported: 04.03.2026 19:44 (3 sources, 3 articles). Sources:
- FBI seizes LeakBase cybercrime forum, data of 142,000 members — www.bleepingcomputer.com — 04.03.2026 19:44
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- LeakBase had over 215,000 messages between members as of December 2025.
  First reported: 05.03.2026 08:34 (2 sources, 2 articles). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- LeakBase offered hacked databases, including hundreds of millions of account credentials and financial information.
  First reported: 05.03.2026 08:34 (1 source, 1 article). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- LeakBase explicitly prohibited users from peddling or publishing Russian databases.
  First reported: 05.03.2026 08:34 (1 source, 1 article). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- LeakBase is one of the aliases for Chucky, who also goes by the monikers Chuckies and Sqlrip across various underground forums.
  First reported: 05.03.2026 08:34 (1 source, 1 article). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Chucky has a track record of sharing vast collections of databases, often containing sensitive information from global entities.
  First reported: 05.03.2026 08:34 (1 source, 1 article). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Other known administrators and moderators of LeakBase include BloodyMery, OrderCheck, and TSR.
  First reported: 05.03.2026 08:34 (1 source, 1 article). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- LeakBase specialized in the sale of stealer logs, which contain archives of credentials harvested through infostealer malware.
  First reported: 05.03.2026 08:34 (2 sources, 2 articles). Sources:
- FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials — thehackernews.com — 05.03.2026 08:34
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- LeakBase facilitated an illegal trade in stolen data, including stealer logs: archives of stolen credentials harvested through infostealer malware.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- LeakBase had around 32,000 posts and over 215,000 private messages sent by its users as of December 2025.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Coordinated action on March 3 led to arrests, house searches, and 'knock-and-talk' interviews by police in the US, Australia, Belgium, Poland, Portugal, Romania, Spain, and the UK.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Europol claimed 37 of the most active users of the platforms were targeted by police, as well as dozens more.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Europol has vowed to continue tracing and unmasking offenders that used the site.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Edvardas Šileris, head of Europol’s European Cybercrime Centre, stated that this operation shows that no corner of the internet is beyond the reach of international law enforcement.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Operation Leak is the latest attempt to disrupt a flourishing trade in stolen data, driven by infostealer activity.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- A report from last year claimed that 1.8 billion credentials were stolen in the first half of 2025, an 800% increase compared to the previous six months.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- Predecessors of LeakBase taken out by law enforcement included RaidForums in 2022 and BreachForums a year later.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- In 2025, the FBI and French police were forced to take action again to shutter another BreachForums domain.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
- A global operation led by Microsoft and Europol recently resulted in disruption to the notorious Tycoon2FA phishing-as-a-service site.
  First reported: 05.03.2026 11:45 (1 source, 1 article). Sources:
- Europol Operation Seizes LeakBase Data Breach Site — www.infosecurity-magazine.com — 05.03.2026 11:45
Similar Happenings
Global Law Enforcement Disrupts 'The Com' Cybercrime Collective
A coordinated international operation, Project Compass, has arrested 30 members of 'The Com,' a cybercrime group linked to ransomware attacks, extortion, violent activities, and the production of child sexual exploitation material (CSAM). The group, primarily composed of young individuals, has targeted high-profile entities and engaged in phishing, vishing, and SIM swapping. Project Compass, led by Europol's European Counter Terrorism Centre, involves multiple countries and aims to disrupt the group's operations and safeguard victims. The Com has been connected to Russian cybercriminal gangs and has expanded its activities to include physical violence, extremist links, and the exploitation of minors. The group operates with a decentralized structure, making it particularly difficult to disrupt. Europol splits The Com into three distinct groups of activity: cyber activity, offline activity, and extortion/sextortion activity.
AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks
A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile.
JokerOTP MFA phishing-as-a-service dismantled, third suspect arrested
The Netherlands Police arrested a 21-year-old man from Dordrecht for selling access to the JokerOTP phishing automation tool, which intercepts one-time passwords (OTPs) to hijack accounts. The arrest is part of a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. The service caused at least $10 million in financial losses across 28,000 attacks in 13 countries. The seller advertised access via Telegram, allowing cybercriminals to automate calls to victims and capture sensitive data. The tool targeted users of PayPal, Venmo, Coinbase, Amazon, and Apple. The investigation is ongoing, with dozens of buyers identified for prosecution.
Black Basta Leader Identified and Added to Interpol's Red Notice List
Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.
US Seizes E-Note Crypto Exchange for Ransomware Laundering
The U.S. Department of Justice, led by the FBI and collaborating with international partners, has seized the E-Note cryptocurrency exchange for allegedly laundering over $70 million in ransomware and account takeover proceeds. The operation involved confiscating domains, servers, and customer databases, with an indictment unsealed against the Russian national Mykhalio Petrovich Chudnovets, believed to be the operator of E-Note. Chudnovets targeted US healthcare and critical infrastructure sectors through his money laundering services, which he began offering in 2010. This action may lead to further identification of cybercriminals involved in the laundering scheme.