FBI Seizure of the RAMP Cybercrime Forum
U.S. law enforcement has seized the RAMP cybercrime forum, a long-running hub used to advertise and facilitate ransomware operations, malware distribution, and other illicit services. Both the forum’s Tor presence and clearnet domain (reported as ramp4u[.]io) were replaced with an FBI seizure banner indicating coordination with the U.S. Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section; the forum’s administrator reportedly acknowledged the takedown publicly on the XSS forum. Reporting notes RAMP emerged as a dedicated venue for ransomware promotion after other major forums restricted such activity, and that criminal communities are already attempting to migrate to alternative platforms.
Separate reporting also highlighted other cybercrime enforcement actions (including indictments tied to Ploutus-based ATM jackpotting and other marketplace disruptions), but those are distinct from the RAMP seizure. A different, unrelated incident involved a supply-chain compromise of eScan antivirus update infrastructure in which attackers briefly pushed a backdoor via a trojanized Reload.exe that altered update settings, established persistence via a scheduled task, and contacted a C2 to retrieve additional payloads; this event is not connected to the RAMP takedown and should be tracked independently as a vendor update-channel compromise affecting customer environments.
Timeline
Jan 30, 2026
Researchers report 175,000 exposed self-hosted AI systems worldwide
SentinelLABS and Censys reported that about 175,000 self-hosted or open-source AI systems across 130 countries were exposed without basic security controls. They warned the exposed systems could be abused for spam, phishing, disinformation, and other malicious activity.
Jan 29, 2026
CISA adds CVE-2026-21509 to KEV with February patch deadline
CISA added the actively exploited Office flaw CVE-2026-21509 to its Known Exploited Vulnerabilities catalog and set a federal remediation deadline of 2026-02-16. The move signaled urgent government concern over ongoing exploitation.
Jan 29, 2026
Microsoft issues emergency fixes for exploited Office zero-day
Microsoft released out-of-band updates for CVE-2026-21509, an actively exploited Office security feature bypass involving COM/OLE controls that affects multiple Office versions and Microsoft 365 Apps for Enterprise. The company also provided a registry-based mitigation for defenders unable to patch immediately.
Jan 29, 2026
Alleged Kingdom Market operator pleads guilty
The alleged operator of the darknet marketplace Kingdom Market entered a guilty plea, according to reporting summarized in the weekly roundups. The plea added to a series of recent enforcement actions targeting darknet market operators.
Jan 29, 2026
FBI seizes the RAMP cybercrime forum
Law enforcement seized the RAMP cybercrime forum as part of a broader crackdown on cybercrime infrastructure. Multiple references highlighted the takedown as a significant disruption of a known criminal platform.
Jan 29, 2026
Authorities indict 31 suspects in Ploutus ATM jackpotting case
U.S. authorities announced charges against 31 defendants allegedly involved in an ATM jackpotting scheme using Ploutus malware and linked to Venezuela’s Tren de Aragua. The action marked a major law-enforcement move against a cross-border cash-out operation.
Related Stories

FBI Seizure of RAMP Cybercrime Forum Used by Ransomware Gangs
US law enforcement seized the **RAMP (Russian Anonymous Marketplace)** cybercrime forum’s infrastructure, taking over both its Tor and clearnet presence and replacing them with a “This Site Has Been Seized” banner attributed to the **FBI**, coordinated with the **US Attorney’s Office for the Southern District of Florida** and the DOJ’s **Computer Crime and Intellectual Property Section (CCIPS)**. RAMP was a key marketplace for **ransomware-as-a-service (RaaS)** promotion and related criminal services, including activity by extortionists and **initial access brokers**; the seizure banner also taunted operators with the forum’s slogan, “**THE ONLY PLACE RANSOMWARE ALLOWED!**,” alongside an image of *Masha* from the Russian children’s cartoon. While authorities had not publicly detailed the operation at the time of reporting, technical indicators supported the takeover, including DNS changes consistent with prior FBI seizures (e.g., nameservers set to `ns1.fbi.seized.gov` / `ns2.fbi.seized.gov`). Reporting also cited an alleged operator (“**Stallman**”) acknowledging law enforcement control, and noted the seizure could expose forum user data (e.g., email addresses, IP addresses, and private messages), increasing identification and arrest risk for actors with poor OPSEC. Background context indicates RAMP emerged after other Russian-language forums restricted ransomware promotion under increased law-enforcement pressure.
1 month ago
Law enforcement actions against darknet marketplaces and cybercrime forums
US and international law enforcement continued disrupting illicit online marketplaces and forums used to trade **ransomware services, malware, stolen data, and drugs**. The FBI seized the dark web and clear web domains for **RAMP**, a long-running, predominantly Russian-language cybercrime forum that marketed itself as the “only place ransomware allowed,” and which hosted vetted users, tutorials, and a marketplace for malware and criminal services; the seizure was coordinated with the US Attorney’s Office for the Southern District of Florida and DOJ’s Computer Crime and Intellectual Property Section. Separately, US prosecutors announced guilty pleas tied to major darknet markets that also sold **cybercrime tools and stolen information** alongside narcotics. A Virginia man, **Raheim Hamilton** (aka `Sydney`/`ZeroAngel`), co-creator of **Empire Market**, pleaded guilty to federal drug conspiracy charges related to facilitating roughly **$430M** in transactions (2018–2020) and designing the market to evade law enforcement using cryptocurrency. A Slovakian national, **Alan Bill** (aka `Vend0r`/`KingdomOfficial`), pleaded guilty for helping operate **Kingdom Market** (2021–2023), which authorities previously seized in December 2023; investigators linked him to the operation after his arrest with devices and a crypto hardware wallet allegedly containing evidence tying him to the marketplace.
1 month ago
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
1 month ago