Major Cybercrime Blow: Arrest and Seizure of the XSS Crime Forum

In July 2025, international law enforcement agencies achieved a significant victory against cybercrime by arresting the suspected main administrator of XSS (formerly DaMaGeLab), one of the largest and most notorious Russian-speaking cybercrime forums. This operation was the culmination of a multi-year investigation led by the French Police and Paris Prosecutor’s Office, in close cooperation with Ukrainian law enforcement and Europol.

What Is XSS?

XSS is a massive underground cybercrime marketplace with nearly 50,000 registered users and more than 110,000 discussion threads. It was a central hub for trading stolen data, malware, ransomware services, hacking tools, and access to compromised computer systems. The forum operated an encrypted messaging service called thesecure.biz, allowing criminals to communicate anonymously and coordinate illicit activities.

The Arrest and Forum Seizure

Authorities arrested a 38-year-old man in Kyiv, Ukraine, suspected of being the key administrator known by the alias “Toha.” He has reportedly managed XSS since 2018, after the previous administrator was arrested. His involvement in cybercrime spans almost two decades.

Investigators estimate that XSS facilitated cybercriminal activities generating over €7 million (approximately $8.2 million) in profits. The suspect is charged with organizing cyberattacks, running ransomware operations, criminal conspiracy, and managing encrypted communications on the forum.

Following the arrest on July 22, 2025, law enforcement seized the public domain of XSS and replaced it with an official seizure notice, effectively shutting down the forum’s accessible operations.

Investigation Highlights

  • The multi-year investigation began in July 2021 with court-approved surveillance of the encrypted Jabber server used by XSS.
  • French police investigators were deployed to Ukraine in September 2024, with support from Europol, establishing coordination hubs on-site for evidence collection.
  • Authorities intercepted communications proving the suspect acted as a trusted third party, mediating disputes among criminals and ensuring secure transactions.
  • The forum was linked to several notorious ransomware groups such as REvil, LockBit, Conti, and Qilin.
  • The arrested individual had made significant illicit profits from advertisement and facilitation fees.

Reaction from the Cybercrime Community

According to KELA Cyber Intelligence Center analysis:

  • News of the arrest rapidly spread across underground forums, including Exploit and Dread, causing speculation and fear among cybercriminals.
  • Posts about the takedown were quickly removed from XSS, and users expressed uncertainty about the forum’s future.
  • Many users noticed that the site resurfaced on the dark web shortly afterwards with a new address, but trust remains low following the dismissal of old moderators and the zeroing of account balances.
  • Forums discussed possibilities of migration toward new platforms, echoing shifts seen after other major forum takedowns.
  • The seizure notice is visible in many regions, confirming official law enforcement control.

Why This Matters

XSS acted as a critical backbone of the Russian-speaking cybercrime ecosystem, enabling ransomware campaigns, data breaches, and illicit software sales worldwide. Its takedown represents a major disruption to organized cybercrime networks.

This operation highlights the strength of international cooperation in combating cybercrime and the importance of targeting key infrastructure and leadership within criminal organizations.

What’s Next?

  • Authorities are analyzing the seized data to identify more individuals and groups involved.
  • Further arrests and dismantling of linked cybercrime networks are anticipated.
  • Experts warn that while the forum is offline, cybercriminals may seek alternatives, requiring ongoing vigilance.

Summary Table

| Key Fact | Details |
|---|---|
| Forum | XSS (formerly DaMaGeLab), Russian-speaking cybercrime hub |
| Registered Users | Nearly 50,000 users, 110,000+ discussion threads |
| Arrest | 38-year-old “Toha” arrested in Kyiv, July 2025 |
| Charges | Cyberattack facilitation, ransomware, conspiracy, encrypted comms management |
| Investigation Duration | Started July 2021; arrest July 22, 2025 |
| Law Enforcement Partners | French Police, Paris Prosecutor’s Office, Ukrainian police, Europol |
| Impact | Major disruption of a leading cybercrime forum |
| Community Reaction | Speculation, distrust, forum moderation, fear of further consequences |
| Forum Status | Domain seized, replaced with law enforcement notice |

Bottom Line:
The arrest of the suspected operator of XSS and the seizure of its forum mark a critical milestone in global efforts to combat cybercrime. While this delivers a significant blow against a major criminal platform, ongoing vigilance is necessary to counter emerging threats and ensure cybercriminals cannot easily regroup.
