Flash Report: FBI Seizes Dark Web Forum RAMP
by ZeroFox Intelligence
Key Findings
- On January 28, 2026, the Federal Bureau of Investigation (FBI) seized the dark web forum RAMP in a coordinated action with the U.S. Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the U.S. Department of Justice (DoJ).
- The RAMP forum’s primary purpose was to advertise ransomware-as-a-service (RaaS) activities, and it was the only known dark web forum where such activity was explicitly permitted.
- Following news of the seizure, screenshots from a suspected leaked RAMP database appeared in a Telegram channel—including an email address allegedly used by well-known RaaS operator “LockBit” to register on RAMP.
- The seizure of RAMP is likely to have a significant impact on the cybercriminal community in the short term. As RAMP was the only known dark web forum to explicitly allow RaaS operations on its platform, it is an environment that will not be easy to replace quickly. It is also highly likely that arrests derived from the seizure of the RAMP forum will be made within the next six months.
Detail
On January 28, 2026, the FBI seized dark web forum RAMP in a coordinated action with the U.S. Attorney’s Office for the Southern District of Florida and the DoJ.
- RAMP had been active since 2021, and numerous ransomware groups (including Qilin, LockBit, DragonForce, RansomHub, and ALPHV/BlackCat) promoted their RaaS operations there, making it one of the most popular forums among RaaS collectives.
- The RAMP forum was the only known dark web forum where RaaS activities were explicitly permitted.
- While there has been no confirmation from U.S. law enforcement, RAMP’s domain name servers have been changed to those typically used by the FBI when seizing domains.[1] The FBI likely has access to personal details associated with RAMP users, including RaaS operators that failed to practice strong operational security measures.
The seizure was subsequently confirmed by RAMP’s administrator, “Stallman”, who posted about it on the dark web forum XSS and stated that he would not create a successor forum. However, Stallman indicated that he would continue purchasing initial network access to large organizations for ransomware and other illicit activities.
Shortly after news of the seizure broke, screenshots from a suspected leaked RAMP database appeared in a Telegram channel. The screenshots show partially blurred user email addresses, including an email address allegedly used during forum registration by well-known RaaS operator LockBit. The screenshots also contain private messages exchanged between forum users.
- The source of the Telegram leak remains unconfirmed; however, if the leaked information is verified, it would likely lead to further deanonymization of multiple threat actor groups. That being said, it is highly likely that law enforcement already has control over the forum’s database and infrastructure.
The seizure of RAMP is likely to have a significant impact on the cybercriminal landscape. Before the takedown, RAMP was the only known dark web forum to allow RaaS operations on the platform; this is an environment that will not be easy to replace quickly. While other Russian-language forums will almost certainly see more traffic, until a new dark web forum that explicitly allows RaaS comes online, a slight downturn in ransomware attacks in the short term is expected.
The FBI and other Western law enforcement agencies will almost certainly develop new leads from the data seized from RAMP and will likely exploit identities, IP addresses, and other information gathered to conduct investigations and make arrests of RAMP operators located in the West. It is highly likely that arrests derived from the seizure of the RAMP forum will be made within the next six months.
Scope Note
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EST) on January 29, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
[1] hXXps://www.bleepingcomputer[.]com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/