  • February 23, 2026

Alleged Administrator of XSS Cybercrime Forum Arrested in Ukraine

In a major development in the fight against cybercrime, French authorities have confirmed the arrest of an alleged administrator of XSS.is, a long-running Russian-language cybercrime forum notorious for trafficking in ransomware, malware, and stolen data.

The arrest occurred on July 22, 2025, in Ukraine, and was carried out in collaboration with Ukrainian law enforcement, French police, and Europol. While the suspect’s identity has not been publicly disclosed, the arrest follows a four-year investigation by the French Public Prosecutor’s Office in Paris.

A Deep-Rooted Cybercrime Ecosystem

According to Europol, the arrested individual is believed to have played a central role in enabling large-scale cybercriminal activity. He operated not only as a forum administrator but also as a trusted intermediary, resolving disputes between cybercriminals and ensuring the security of illegal transactions.

Authorities also believe he ran thesecure.biz, a private Jabber messaging server used by members of the XSS forum to communicate anonymously and coordinate illicit activity.

Key points revealed by investigators:

  • The administrator generated at least €7 million ($8.4 million) in profits from advertising and facilitation fees
  • He is believed to have been active in the cybercrime community for nearly 20 years
  • He allegedly maintained close relationships with prominent threat actors over the years

What is XSS?

XSS.is is one of the most well-known underground forums catering to Russian-speaking cybercriminals. It has been a hub for:

  • Buying and selling ransomware, malware, and exploit kits
  • Offering access to compromised systems
  • Trading in stolen data, login credentials, and zero-day vulnerabilities
  • Leaking data stolen in high-profile hacks

The forum, which evolved from an earlier platform known as DaMaGeLaB, is estimated to have hosted around 50,000 members.

On July 25, 2025, visitors to the XSS website were greeted with a message stating that the domain had been seized, further suggesting that the dismantling of the forum’s infrastructure is underway.

Questions Remain

While the arrest is a major victory for law enforcement, some uncertainty remains. Cyber threat intelligence firm KELA notes that it is unclear whether the arrested individual is the same person behind the online handle ‘admin’, widely believed to be the owner and operator of XSS.

Forum users also noticed that the ‘admin’ account had not logged in since July 22, the date of the arrest—fueling speculation that the key figure behind the platform has indeed been apprehended.

A Broader Crackdown on Cybercrime

This arrest follows a series of international actions targeting key figures in the cybercrime world. Earlier this year, French authorities also arrested a 25-year-old British national believed to be the hacker known as IntelBroker, who is currently facing extradition to the United States.

Why It Matters

The takedown of XSS.is represents a significant disruption to a platform that served as a marketplace, communication hub, and coordination point for global cybercrime. It underscores the effectiveness of international collaboration and highlights the ongoing evolution of threat actor ecosystems.

For organisations, this serves as a reminder to stay vigilant and continue investing in cybersecurity best practices, including:

  • Proactive threat intelligence monitoring
  • Endpoint and network intrusion detection
  • Employee phishing awareness training
  • Zero Trust access models and identity protection strategies

At Cyber Safe Business, we help clients detect and respond to cyber threats, monitor dark web activity, and fortify their defences against actors who use platforms like XSS to plan and launch attacks.
