The XSS Cybercrime Forum and the Arrest of Its Administrator

A Flagship Forum of Russophone Cybercrime

The following is a factual, neutral synthesis based on open-source (OSINT) reporting.

The XSS forum (accessible via the domain xss.is) has emerged as one of the world’s leading cybercrime hubs, particularly within the Russian-speaking community.

Originally launched in 2004 under the name DaMaGeLaB, this hacker forum has been active for nearly two decades on the dark web. After the 2017 arrest in Belarus of one of its founding administrators (known by the alias Ar3s, real name Sergey Yarets), the platform briefly shut down. It was relaunched in late 2018 under the name XSS—a reference to the cross-site scripting vulnerability—to signal a fresh start and project a more technical image while distancing itself from past legal troubles.

Over time, XSS gained a reputation as a major and selective underground marketplace. The forum claimed over 50,000 registered members, who had to pass a strict vetting process—sometimes requiring entrance fees to deter unwanted individuals. It served as a marketplace for the exchange of stolen data, malware, hacking tools, and exploits (including zero-day vulnerabilities), as well as for selling access to compromised systems.

Dedicated sections of the forum were used to publish or leak data resulting from high-profile cyberattacks. XSS also offered its community a Jabber/XMPP-based encrypted messaging service (thesecure.biz) to facilitate anonymous communications among cybercriminals.

This forum catered to the “upper tier” of cybercrime, hosting some of the most sophisticated actors. For example, up until 2021, XSS was a major recruitment hub for ransomware operations: numerous groups recruited affiliates and sold ransomware there—until the site’s administrators announced a ban on all ransomware-related ads in May 2021.

This decision followed intense media coverage of the Colonial Pipeline attack, and was intended to reduce law enforcement scrutiny. Historically, the apparent longevity and impunity of XSS even fueled speculation about possible links with Russian intelligence services (FSB, SVR, GRU), though no public evidence has confirmed such claims.

Regardless, XSS remained a pillar of the underground cybercrime ecosystem until recently, offering both a secure market and a social network for criminals, where anonymity and trust reigned.

Administrator’s Role and Illicit Profits

The success and longevity of XSS were largely due to the central role of its main administrator. Operating under the alias Toha, the individual was presented as a cybercrime veteran with nearly 20 years of experience.

According to Europol, this administrator was more than just a technical operator: he acted as an enabler of cybercrime by facilitating and securing illegal transactions. As a trusted third party, Toha would mediate disputes between criminals, ensure smooth exchanges (e.g., as an escrow agent for payments), and provide secure private messaging through thesecure.biz. His dual role as administrator and mediator granted him considerable influence within the community and allowed him to build ties with many prominent threat groups over the years.

In return for these services and hosting the forum, the administrator earned substantial illicit revenues. Authorities estimate that he made over €7 million, combining transaction fees (arbitration commissions) and advertising revenue from forum posts. These profits reflect the volume of criminal activity facilitated by XSS.

Investigators also suspect that the administrator directly participated in certain illegal operations, including cyberattacks and organized extortion schemes—hence, he is also being prosecuted for criminal conspiracy.

International Investigation and Suspect’s Arrest

The arrest of the XSS administrator is the culmination of a long-running, international investigation. In France, a preliminary inquiry was opened as early as July 2021 by the Cybercrime Unit (BL2C) of the Paris Police Prefecture, under the authority of the Paris public prosecutor.

In November 2021, a formal judicial investigation was launched for offenses including complicity in attacks on automated data processing systems, organized extortion, and criminal association. These charges reflect the severity of the alleged acts connected to XSS operations (intrusions, ransom schemes, etc.).

Given the transnational dimension of the case, France quickly sought cooperation from Ukrainian authorities. In September 2024, the investigation entered an operational phase in Ukraine, with the deployment of French investigators in Kyiv and the establishment of a virtual command center coordinated by Europol.

This close collaboration enabled real-time intelligence sharing and mapping of the forum’s technical infrastructure. French and Ukrainian authorities (including the Security Service of Ukraine – SBU) and Europol were thus able to plan a high-impact takedown operation against XSS.

On July 22, 2025, during a coordinated action, the main suspect was located and arrested in Kyiv by Ukrainian law enforcement, with French officers present. Europol supported the raid by deploying a mobile office to assist with the collection of digital evidence. While the suspect’s civil identity has not been disclosed, French authorities confirmed that he is indeed the administrator known as Toha, estimated to be in his 40s based on his long cybercriminal career.

During searches, computers and data were seized. Notably, the Jabber server (thesecure.biz) had been placed under judicial surveillance, allowing investigators to intercept communications between criminals. These messages provided direct evidence of a wide range of illicit activities—including ransomware-related discussions—and helped confirm the suspect’s specific role in those schemes, strengthening the case against him.

Immediately after the arrest, XSS infrastructure was neutralized. The main domain, xss.is, now displays a seizure notice bearing the logos of the French BL2C and the Ukrainian SBU cyber department. Other access points (such as the clearnet mirror and the .onion Tor address) are no longer responding, indicating an ongoing technical dismantling. Authorities are currently analyzing the seized databases and content to extract valuable intelligence. The massive data trove (user accounts, communication logs, transactions, etc.) will feed into ongoing investigations across Europe and beyond to identify other criminals tied to the platform.

A Coordinated Counter-Cybercrime Operation

The takedown of xss.is represents a major victory for cybercrime enforcement agencies and a significant blow to the global online criminal ecosystem. As one analyst put it, the removal of such an influential platform is a substantial setback for the cybercriminal underground.

While illicit forums continue to proliferate—others constantly emerge or disappear—the closure of XSS deprives malicious actors of a long-established ecosystem where they had access to trust, anonymity, and premium criminal resources.

This case highlights the critical role of underground forums in today’s cybercrime economy. Europol’s IOCTA 2025 report (Internet Organised Crime Threat Assessment) underscores how black markets for stolen data and hacking services serve as the backbone of threats ranging from ransomware and fraud to identity theft and digital extortion. Platforms like XSS provide a space where criminals can build reputation and trust, essential for professionalizing and sustaining their operations.

The police action against XSS aligns closely with the strategic priorities identified by cybersecurity and intelligence communities: targeting key infrastructures that underpin the underground economy can have large-scale disruptive effects.

Strategically, the operation leading to Toha’s arrest exemplifies the growing strength of international cooperation in combating cybercrime. Coordinated by Europol’s European Cybercrime Centre (EC3), the effort is part of the EMPACT initiative (European Multidisciplinary Platform Against Criminal Threats), which unites EU member states in four-year cycles to address top-tier criminal threats.

In this case, real-time information exchange and Europol’s analytical support were decisive.

The joint operation involved entities such as the Paris Public Prosecutor’s Office (JUNALCO), France’s BL2C, Ukraine’s Office of the Prosecutor General, the SBU cyber unit, and Europol EC3. This synergy enabled a fast, focused response to dismantle XSS’s infrastructure and disrupt its illicit operations.

Finally, the arrest of the XSS administrator adds to a recent wave of takedowns targeting underground forums and black markets.

In recent months, several notorious platforms have been targeted by global authorities: for example, in June 2025, suspects linked to BreachForums (a major stolen data marketplace) were arrested, and smaller forums like Cracked and Nulled have also been seized. The dismantling of XSS—one of the oldest and most respected forums in the scene—sends a clear message to the cybercriminal sphere: no platform, however “untouchable” it may seem, is beyond the reach of international justice.

Enjoy!
