bleepingcomputer.com
By Lawrence Abrams
January 28, 2026

The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.

Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."

"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.

The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan: "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian "Masha and the Bear" kid's cartoon.

While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:

Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If so, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.

For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.

In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.

"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.

"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take.

BleepingComputer contacted the FBI with question regarding the seizure but they declined to comment.

The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums.

This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.

Exploit banning ransomware promotion
Exploit banning ransomware promotion
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.

RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.

Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.

Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.

Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.

Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.

The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.

In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.

Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.

In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.

He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.

bleepingcomputer.com By Bill Toulas
October 10, 2025

The FBI has seized last night all domains for the BreachForums hacking forum operated by the ShinyHunters group mostly as a portal for leaking corporate data stolen in attacks from ransomware and extortion gangs.

The FBI seized a BreachForums domain used by the ShinyHunters group as a data leak extortion site for the widespread Salesforce attacks, with the threat actor stating that law enforcement also stole database backups for the notorious hacking forum.

The domain, Breachforums.hn, was previously used to relaunch the hacking forum this summer, but the site was soon taken offline again after some of its alleged operators were arresteds.

In October, the domain was converted into a Salesforce data leak site by Scattered Lapsus$ Hunters, a gang claiming to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, to extort companies impacted by the Salesforce data theft attacks.

On Tuesday, both the clearnet breachforums.hn data leak site and its Tor counterpart went offline. While the Tor site was quickly restored, the breachforums domain remained inaccessible, with its domains switched to Cloudflare nameservers previously used for domains seized by the U.S. government.

Last night, the FBI completed the action, adding a seizure banner to the site and switching the domain's name servers to ns1.fbi.seized.gov and ns2.fbi.seized.gov.

According to the seizure message, law enforcement authorities in the U.S. and France collaborated to take control of the BreachForums web infrastructure before the Scattered Lapsus$ Hunters hacker began leaking data from Salesforce breaches.

However, with the Tor dark web site still accessible, the threat actors claim they will begin leaking Salesforce data tonight at 11:59 PM EST for companies that do not pay a ransom.

Backups since 2023 under FBI control
In addition to taking down the data leak site, ShinyHunters confirmed that law enforcement gained access to archived databases for previous incarnations of the BreachForums hacking forum.

In a Telegram message confirmed by BleepingComputer to be signed with ShinyHunters' PGP key, the threat actor said the seizure was inevitable and added that "the era of forums is over."

From the analysis conducted after law enforcement's action, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised, along with all escrow databases since the latest reboot.

The gang also said that the backend servers have been seized. However, the gang's data leak site on the dark web is still online.

The ShinyHunters team stated that no one in the core admin team has been arrested, but they will not launch another BreachForums, noting that such sites should be viewed as honeypots from now on.

According to the threat actor's message, after RaidForum's takedown, the same core team planned multiple forum reboots, using admins like pompompurin as fronts.

The cybercriminals emphasized that the seizure does not affect their Salesforce campaign, and the data leak is still scheduled for today at 11:59 PM EST.

The gang's data leak site on the dark web shows a long list of companies affected by the Salesforce campaing, among them FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.

According to the hackers, they stole more than one billion records containing customer information.

The most recent relaunch of the BreachForums in its classic form was announced by ShinyHunters in July 2025, a few days after law enforcement authorities in France arrested four administrators of previous reboots, including the individuals with the usernames ShinyHunters, Hollow, Noct, and Depressed.

At the same time, U.S. authorities announced charges against Kai West, a.k.a. 'IntelBroker,' a high-profile member of the BreachForums cybercrime ecosystem.

In mid-August, BreachForums went offline, and ShinyHunters published a PGP-signed message stating that the forum's infrastructure had been seized by France's BL2C unit and the FBI, warning that there would be no further reboots.

Update 10/10/25: Updated story with more details.

The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the site's operation.

German police have confiscated 50,000 bitcoin worth $2.17 billion in the country's 'most extensive' cryptocurrency seizure ever, it said in a statement on Tuesday.
"This is the most extensive seizure of bitcoins by law enforcement authorities in the Federal Republic of Germany to date," police in the city of Dresden said.
The investigation was supported by the Federal Criminal Police Office (BKA), the FBI and a Munich-based forensic IT expert company, it said.

The FBI says it has released a decryption tool allowing hundreds of ALPHV/BlackCat victims to restore their scrambled files.

The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.

The Justice Department, IRS and FBI seized and shut down a popular marketplace used by cybercriminals to buy stolen Social Security numbers and other sensitive personal information.

The SSNDOB Marketplace – which the DOJ said generated more than $19 million in sales revenue – was shut down in coordination with law enforcement agencies in Cyprus and Latvia.

Seizure orders were executed against several domains associated with SSNDOB including ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz.