In a recent law enforcement operation, the Federal Bureau of Investigation (FBI) dismantled the notorious cyber-criminal forum known as the Russian Anonymous Marketplace (RAMP), a platform favored by ransomware actors and initial access brokers. This takedown represents a significant disruption in the cybercrime landscape, particularly for Russian-speaking cybercriminals. The news of RAMP's disarray emerged in late January 2026, when several cyber threat intelligence (CTI) analysts observed that a law enforcement notification reading “This site has been seized” had replaced both its clear web and Dark Web sites.[1]
The operation resulted from collaboration between the FBI, the US Attorney’s Office for the Southern District of Florida, and the US Department of Justice’s (DoJ) Computer Crime and Intellectual Property Section (CCIPS).
Initially established on the Tor network in 2012, RAMP gained prominence in 2021 when affiliates of the now-defunct Babuk ransomware group operated it. This forum served as a haven for Ransomware-as-a-Service (RaaS) disbursement, capitalizing on the decision by other sites, such as XSS, Exploit, and the English-speaking BreachForums, to ban such discussions.
The FBI’s seizure banner made a pointed remark regarding RAMP being a unique marketplace for ransomware discussions. One prominent figure behind RAMP was Mikhail Matveev, a Russian national known by the aliases "Orange," "Wazawaka," and "BorisElcin." Matveev was arrested in Russia in 2024. Another key operator, identified as "Stallman," was the administrator at the time of the forum's shutdown.
In a LinkedIn post, Yelisey Bohuslavskiy, co-founder of intelligence firm Red Sense, commented on RAMP's origins, suggesting it was created by individuals with ties to Russian security services as a countermeasure to the rampant growth of RaaS. Before 2020, Russian, Belarusian, and Ukrainian agencies had substantial insight into highly organized cybercriminal groups such as Ryuk, Conti, REvil, Maze, LockBit, ALPHV/BlackCat, DragonForce, Qilin, Nova, Radiant, and RansomHub, which were all known to have used RAMP.
Following the closure on 28 January 2026, the forum administrator, known as Stallman, issued a statement that circulated widely across clandestine forums. Stallman expressed an intention to refrain from re-establishing RAMP, likely due to concerns about threats to personal security. In a LinkedIn post, Yelisey Bohuslavskiy welcomed the dismantling of infrastructure that facilitated ransomware operations but provided a nuanced perspective on its implications:
- Impact on Low-Tier Actors: The RAMP shutdown primarily affects lower-tier actors, who lose market access and channels for announcing and launching operations.
- Disruption in Distribution: The takedown disrupts distribution for underground sellers. However, platforms like Telegram may absorb some of this impact.
- Minimal Effect on Top-Tier Groups: Leading cybercriminal groups, wary of RAMP's ransomware associations, largely avoided the platform, minimizing its effect on them.
- Loss of Insight for Russian Security Services: The absence of RAMP diminishes the visibility Russian security services had over ransomware activities.
Although the short-term effects are expected to cause considerable disruption, especially for lower-level offenders, larger entities have the strategic resilience to adapt. The seizure signals a proactive step against cybercrime but reflects the ongoing battle between law enforcement and sophisticated cybercriminal networks.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/fbi-dismantles-notorious-ramp-cybercrime-marketplace-9084.html