
In the first two months of 2026, authorities seize RAMP, the Russian-language ransomware recruitment forum, a massive BreachForums database resurfaces online, and the encrypted messaging platform Telegram comes under renewed geopolitical pressure.
This installment of Ransomware Roundup examines cracks forming in the global underground ecosystem threat actors rely on to operate – and why they matter.
- Ransomware actors are facing disruption from within. Major forums are falling, databases are leaking, and trusted platforms are under scrutiny.
- The FBI seized RAMP, nearly 324,000 BreachForums accounts resurfaced online, and Telegram is drawing renewed legal pressure in multiple countries.
- As core infrastructure destabilizes, the underground may be forced to migrate, reorganize – and adapt.
RAMP seizure shakes underground recruitment pipelines
The year has barely started, and the cyber underground is already scrambling to recalibrate.
In late January, US authorities seized the infrastructure behind RAMP, the long-running Russian-language cybercrime forum widely used by ransomware affiliates to recruit partners, advertise ransomware-as-a-service (RaaS), and trade initial access.
The FBI takedown sent shockwaves through underground communities, leaving ransomware actors scrambling for alternate avenues to buy, sell, and trade hacking tools, access, and stolen data.
As part of the bust, the FBI replaced RAMP’s clear-net and Tor domains with a seizure notice mocking the site’s longtime slogan, “THE ONLY PLACE RANSOMWARE ALLOWED.”
Launched in 2021, RAMP served as a key marketplace for about 14,000 members to freely engage in:
- Affiliate recruitment
- Initial access sales
- Tool exchanges
- Reputation building
Why it matters: Online cybercrime forums such as RAMP serve as trading venues for ransomware affiliates, malware authors, and initial-access brokers. Their disappearance – even temporarily – can complicate criminal operations and intelligence sharing.
When a hacker forum is abruptly seized by authorities, users often remain in the dark, left paranoid that personal data, such as private messages and stored credentials, is also in the hands of law enforcement, exposing their identities.
Users will typically scatter to smaller, invite-only channels, likely forming tighter, more insular alliances.
In a posted statement acknowledging the seizure (translated by Dark Web Informer), RAMP’s former owner “Stallman” told members that although “years of work creating the most free forum in the world had been destroyed,” they could still hit him up via DMs to “buy accesses.” What a guy.
BreachForums leak fuels underground paranoia
Adding to the instability, data from BreachForums (BF) – one of the most notorious English-language hacking forums – resurfaced in early 2026, reportedly exposing hundreds of thousands of user records.
The alleged leak included email addresses, usernames, hashed passwords, IP addresses, and other site metadata for 323,986 member accounts, including those of forum administrators.
The researchers noted the data likely came from the forum’s archives prior to its 2025 shutdown, when it was under the control of the notorious Shiny Hunters gang.
What’s more, according to Resecurity, the entire cache was published by an anonymous actor using the alias “James” on a newly created website named after the notorious Shiny Hunters. The release included a rambling missive from the illicit orchestrator, which the threat intel blog posted in its entirety.
Described by Dark Reading as a “lengthy, and often theatrical, 23-part manifesto,” the outlet said the leaker further identified himself as “an ageless and legendary hacker, operating for decades and a mentor to multiple cybercrime groups, including ShinyHunters and Anonymous.”
The leaked database itself began with a who’s who of BF-affiliated administrators, including its original founder pompompurin, aka Conor Brian Fitzpatrick, who was arrested in March 2023 and is now serving time in federal prison, and his second-in-command Baphomet, also rumored to have been arrested months later after rebooting the site.
Even Omnipotent, founder of RaidForums – the prototype for BF – before it was busted by the FBI in 2022, is on the list.
Why it matters: The BF leak has fueled accusations of honeypots and insider betrayal, reinforcing a growing distrust of underground platforms and triggering rivalry between threat actors publicly playing out on Telegram and other channels.
The “2026 Forum Wars” have led to a notable undercurrent in the underground ecosystem, including:
- Rival forums accusing each other of being law-enforcement honeypots
- Users trading rumors about “rats,” leaks, and compromised handles
- Opportunists trying to fill the power vacuum by launching new boards
Telegram faces renewed geopolitical pressure
Telegram — a platform widely used by ransomware groups to publish leak-site updates, coordinate affiliates, and trade access — is also facing mounting government scrutiny.
In early 2026, Russian authorities opened a criminal case against Telegram founder Pavel Durov, accusing him of “aiding terrorism.” The Kremlin has further limited access to the app used by over 60% of the population there.
In a response posted on his own platform, the Russian-born Durov wrote, “💣 Russia has opened a criminal case against me for ‘aiding terrorism.’ Each day, the authorities fabricate new pretexts to restrict Russians’ access to Telegram as they seek to suppress the right to privacy and free speech. A sad spectacle of a state afraid of its own people.”
The pressure follows a 2024 arrest in France, where Durov spent four days in prison over allegations he knowingly allowed rampant cybercriminal activity to take place on the encrypted app.
Calling the arrest “unprecedented” and “absurd” at the time, Durov has since said he’s still “curious about what it actually means.”
Released on €5 million bail, Durov was remanded to remain in France for nearly seven months before French authorities lifted his travel ban last March, and still faces 10 years in prison if convicted over the alleged complicity.
Telegram itself was never shut down, and the platform remains business as usual, allowing illicit transactions and fraud, crypto money-laundering services, ransomware leak announcements, forum disputes, and affiliate recruitment.
The 2024 pressure additionally led Telegram to update its policies, agreeing to provide authorities with user data if legally requested.
Researchers have also documented how cybercriminal communities rapidly migrate across Telegram channels and alternate platforms when forums are disrupted.
Why it matters: As traditional hacker forums face takedowns and database leaks, encrypted platforms like Telegram increasingly function as fallback infrastructure. But as global scrutiny escalates, even those channels are no longer immune from government pressure.
Gangs are consistently observed creating new channels to communicate with their fan base, only to now have them taken down by Telegram administration, some barely 24 hours later.
Case in point, Scattered Lapsus$ Hunters had at least seven Telegram channel iterations taken down, one after the other, before finally making at least one stick.
In fact, just last week, the hacker collective used its latest Telegram channel to post a recruitment notice seeking women to assist with its signature voice phishing attacks, known as vishing.
Repeated Telegram channel takedowns have only narrowed the stable spaces threat actors can operate from – whether to boast about hacking conquests, taunt victims, recruit affiliates, or promote themselves freely to fellow ransomware actors.