
The FBI appears to have seized RAMP, a cybercrime forum used by ransomware actors, and people trying to visit it reported getting an FBI seizure splash page instead of the usual login. BleepingComputer reported the splash page was visible to visitors, which is a very different signal than a routine outage or a site admin pulling the plug.
There is one key nuance worth keeping in your head: not every outlet is calling it a fully confirmed seizure with full official details. The Record reported the forum was “apparently seized,” pointing to DNS and redirect behavior consistent with infrastructure the FBI has used in past takedowns, while noting the limited public confirmation so far.
What happened to RAMP (and what users are seeing)
Across Jan. 28 and Jan. 29, 2026 coverage, the core story is consistent: RAMP stopped behaving like a live forum, and visitors were met with a seizure notice associated with the FBI. That matters because seizure pages typically indicate the domain or hosting, sometimes both, is under law enforcement control, not just offline.
Importantly, the disruption was not limited to one doorway. Reporting says the action affected both the forum’s Tor presence and its clearnet domains, which suggests a broader domain and infrastructure takedown, not just a single server going dark. The Register reported U.S. law enforcement seized RAMP’s dark web and clearnet domains, and also said the FBI declined to comment.
The “declined to comment” detail is not throwaway. When the front door is wearing an FBI seizure banner but there is no big public press release attached, it often means the most consequential parts of the operation, like evidence exploitation, mapping user networks, or lining up parallel actions, are still in progress or simply not ready to be discussed.
Why RAMP mattered to ransomware actors
RAMP was widely described as a Russian-language underground forum tied to ransomware and malware activity. These forums are not just chat rooms; they are the connective tissue that helps criminals find partners, swap tooling, buy and sell access, and pressure-test tactics without having to reinvent the wheel every time.
If you have ever wondered why a ransomware wave can feel coordinated, forums like this are part of the reason. Even when different groups run different “brands,” they often share overlapping vendors, affiliates, and know-how. So a forum takedown can create real friction: fewer introductions, slower deal-making, and more paranoia about who is watching.
That is also why this specific target matters. Ars Technica reported RAMP was one of the remaining venues for ransomware-related discussions. In practical terms, taking out a “remaining venue” is more disruptive than taking out a forum in a crowded market, because there are fewer trusted alternatives with the same reputation and user base.
What the lack of details could mean next (and what’s unknown)
Right now, public reporting leaves a lot unanswered. There is no clearly cited operation name, no confirmed list of partner agencies, and no public confirmation of arrests, indictments, or seizures beyond the domains and what visitors saw when trying to access the site. Also unknown, and this is the big one, is whether law enforcement captured any backend data as part of the seizure.
Why you should care about that difference: a seizure that only redirects domains is disruptive, but a seizure that also grabs servers, logs, or admin panels can become an intelligence bonanza. It can help investigators identify operators, correlate aliases across services, or understand how ransomware crews recruit and pay. None of that is confirmed here yet, and you should treat any claims about message dumps or user identification as speculation until there is an official statement or court documents.
Still, the “apparently seized” framing based on DNS and redirect indicators is a useful caution, not a dismissal. It is simply the difference between what can be observed from the outside versus what is formally announced. The splash page and multi-domain disruption are strong signals of control, even if the government is not ready to say more.
The next likely phase, at a high level, is not mysterious. Expect to see criminals migrate to alternative forums or spin up replacements, and expect defenders to watch that migration for new chatter, fresh phishing kits, new loaders, and changes in targeting. If the FBI did get meaningful access to RAMP’s infrastructure, follow-on actions could arrive later as indictments, arrests, sanctions, or victim notifications. Those outcomes take time, and they often land weeks or months after the seizure page appears.
The practical takeaway is simple: treat this disruption as real, but incomplete. For IT admins and security teams, the risk does not vanish because a forum went dark. What changes is the near-term coordination layer criminals rely on, which can briefly slow operations and increase mistakes. Watch for official updates, court filings, and shifts in ransomware chatter, because the most actionable signals usually show up after the splash page.
