Major Cybercrime Forum Takedown: XSS.is Administrator Arrested in Ukraine
International law enforcement operation dismantles one of the world's most notorious Russian-speaking cybercrime marketplaces after four-year investigation
In a significant blow to the global cybercrime ecosystem, Ukrainian authorities arrested the suspected administrator of XSS.is, one of the world's most influential Russian-speaking cybercrime forums, on July 22, 2025. The arrest, conducted in Kyiv with assistance from French police and Europol, marks the culmination of a four-year international investigation that has dealt a major setback to organized cybercrime operations.


The Target: A Cybercrime Empire
XSS.is emerged in 2013 as a notorious cybercrime hub that dealt in stolen data, malware distribution and access to compromised networks, amassing over 50,000 registered users and serving as a gateway for organized cybercrime, including ransomware and recruitment. The platform functioned as much more than a simple marketplace—it was a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.
XSS was one of the leading forums within the Russian-language cybercrime landscape for discussions around cyber-attacks and malware development. The forum's infrastructure included an encrypted Jabber messaging server that let cybercriminals communicate anonymously, making it a preferred platform for coordinating international cyberattacks.
The Investigation: Four Years of Patient Police Work
The investigation began in July 2021, when the Paris Police Prefecture's Cybercrime Unit opened what became a four-year inquiry. French authorities obtained court orders to conduct surveillance on a critical piece of infrastructure: a Jabber server used by the administrator for instant messaging.
French police intercepted recordings on the thesecure.biz Jabber server, which accompanied the XSS forum to facilitate anonymous exchanges between cybercriminals. These wiretaps proved crucial, as the intercepted messages "revealed numerous illicit activities related to cybercrime and ransomware," and allowed investigators to identify at least $7 million in proceeds from cybercrime.
The investigation's breakthrough came through sophisticated analysis combining multiple intelligence sources. Investigators believe the suspect has been active in the cybercrime ecosystem for nearly two decades and maintained close ties to several major threat actors over the years. He was identified as part of a wiretap, with French investigators deployed to Ukraine in September 2024 to support the operational phase.
The Administrator: A Trusted Criminal Facilitator
The arrested individual allegedly played a central role far beyond mere technical administration. Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions. This escrow service was crucial to the forum's operations, earning over €7 million in advertising and facilitation fees through a sophisticated trust-based system that enabled large-scale cybercriminal transactions.
Authorities also accuse the suspect of running thesecure.biz, a Jabber-powered private messaging service for cybercrime that remains online as of press time. This additional infrastructure demonstrates the comprehensive nature of the criminal enterprise, providing both marketplace and communication services to the global cybercrime community.
Forum Seizure and Impact
Following the arrest, law enforcement agencies moved quickly to dismantle the forum's infrastructure. Visitors to XSS.IS now see a seizure notice stating, "This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department". The "SBU Cyber Department" refers to the Cyber Security Department of the Security Service of Ukraine, while La Brigade de Lutte Contre la Cybercriminalité (BL2C) is the French judicial police's cybercrime unit.
The forum's takedown represents a significant disruption to the cybercrime ecosystem. XSS.is, along with Exploit, has served as the backbone of the Russian-speaking cybercriminal ecosystem, with the threat actors on these forums primarily singling out non-Russian-speaking countries. Data shared by KELA shows that XSS currently has 48,750 registered users and more than 110,000 threads.
Historical Context and Previous Disruptions
XSS.is has a complex history marked by previous law enforcement actions. The forum originally launched in 2004 under the name DaMaGeLaB, a respected Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as "Ar3s," was arrested.
In late 2018, another prominent forum admin acquired a backup and relaunched it under the new name XSS, referencing the web-security vulnerability "cross-site scripting". This rebranding served dual purposes: distancing the forum from its law enforcement-linked past and adopting a more technical image that would appeal to its cybercriminal user base.
International Cooperation and Investigation Methodology
The successful operation demonstrates the power of sustained international cooperation in combating cybercrime. The cybercrime unit of the Paris public prosecutor's office opened an investigation into XSS.is in July 2021 and deployed French police investigators on the ground in Ukraine, with Europol's support, in September 2024.
The investigation employed sophisticated techniques including stylometric analysis, cryptocurrency transaction tracking, and cross-referencing multiple intelligence sources. Europol said the suspect ran xss.is, a major Russian-speaking platform with over 50,000 users that enabled trading of stolen data, hacking tools and illicit services.
Broader Context: Rising Enforcement Actions
This arrest is part of a broader trend of successful law enforcement operations against major cybercrime platforms. Recent police actions against cybercrime operations have included takedowns of Cracked and Nulled, PopeyeTools, Incognito, Nemesis, Bohemia and Kingdom Market. The XSS admin arrest comes shortly after French police arrested five operators of BreachForums, another major cybercrime platform; those arrested included the notorious hacker and data broker known as 'IntelBroker'.
Looking Forward: Ongoing Investigations
The seizure of XSS.is provides law enforcement with a treasure trove of intelligence for future operations. Authorities said data seized during the investigation will be analyzed to support ongoing investigations across Europe and elsewhere. According to Europol's press release, authorities have also seized user data, which is now being analysed and will be used to track cybercriminals and support ongoing operations against cybercrime.
The comprehensive nature of the data seizure suggests that additional arrests and disruptions may follow as investigators analyze the forum's extensive records of criminal transactions and communications.
Conclusion
The takedown of XSS.is and the arrest of its alleged administrator represent a major victory for international law enforcement cooperation against cybercrime. Although cybercrime forums frequently appear and disappear, the seizure of XSS.IS marks a significant setback for the global cybercrime community.
The four-year investigation demonstrates that even the most sophisticated and long-running cybercrime operations are not beyond the reach of determined law enforcement efforts. As cybercriminals continue to evolve their tactics, this operation provides a blueprint for the sustained international cooperation necessary to combat the growing threat of organized cybercrime.
The arrest sends a clear message to cybercriminal operators worldwide: law enforcement agencies are developing increasingly sophisticated capabilities to track, identify, and prosecute those who facilitate cybercrime, regardless of how long their operations have been running or how sophisticated their security measures may be.