Major Cybercrime Forum XSS.IS Seized After Admin Arrested in Ukraine

Brendan Smith

In a significant blow to the global cybercrime ecosystem, Ukrainian authorities have arrested the suspected administrator of XSS.IS, one of the world’s most notorious and sophisticated cybercrime platforms, resulting in the forum’s complete seizure by international law enforcement.

The arrest took place on July 22, 2025, with assistance from Europol and French cybercrime investigators, marking the end of a four-year investigation that began in July 2021. The operation targeted one of the oldest and most influential Russian-speaking cybercrime forums on the dark web.

A Criminal Empire Worth Millions

XSS.IS served as a thriving marketplace for cybercriminals worldwide, hosting over 50,000 registered users who traded in malware, stolen credentials, hijacked system access, and ransomware kits. The platform generated millions of dollars through advertising and facilitation fees, while also operating an encrypted Jabber messaging server that allowed cybercriminals to communicate anonymously.

According to French prosecutors, court-ordered surveillance of the forum’s Jabber server revealed extensive criminal activity, including ransomware attacks that brought in at least €7 million ($8.2 million) in illegal profits. The intercepted communications exposed the scale and sophistication of operations coordinated through the platform.

More Than Just a Marketplace

Europol revealed that the arrested suspect wasn’t merely a technical operator but played an active role in facilitating criminal activity. The administrator helped cybercriminals settle disputes, ensured illegal deals proceeded smoothly, and was suspected of directly participating in cyberattacks, organized extortion, and broader criminal conspiracies.

From DaMaGeLaB to XSS.IS: A Criminal Evolution

The forum’s history dates back to 2004 when it was originally launched as DaMaGeLaB, a well-regarded Russian-language hacking community. The platform faced a temporary shutdown in December 2017 after one of its administrators, Belarusian national Sergey Yarets (known as “Ar3s”), was arrested.

In late 2018, a prominent forum administrator acquired a backup of the site and relaunched it under the new name XSS—a reference to the cross-site scripting web vulnerability. This rebranding served dual purposes: distancing the forum from its previous law enforcement associations and giving it a more technical, modern image.

The transformation proved successful, with XSS.IS becoming one of the most prominent and exclusive cybercrime forums on the dark web. Membership was granted only after thorough vetting, and in some cases, users were required to pay fees to create accounts, preventing spam and maintaining the forum’s elite status.

International Law Enforcement Collaboration

The seizure notice on XSS.IS now displays a message stating the domain has been seized by “la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department.” The Brigade de Lutte Contre la Cybercriminalité (BL2C) is a specialized branch of the French judicial police focused on combating cybercrime, while the SBU Cyber Department refers to the Cyber Security Department of Ukraine’s Security Service.

This international cooperation demonstrates the growing effectiveness of cross-border law enforcement efforts against cybercrime. The operation involved multiple European agencies working together to dismantle one of the internet’s most dangerous criminal platforms. This approach echoes previous successful operations, such as when Netherlands police posted warnings directly on hacker forums to disrupt criminal activities.

XSS.IS Forum: Scale of Criminal Operations

  • 50,000+ Registered Users
  • 4-Year Investigation
  • €7M+ in Ransomware Profits Tracked
  • 21 Years Operating (2004-2025)
  • Originally launched as DaMaGeLaB in 2004
  • Rebranded to XSS.IS in 2018 after admin arrest
  • Operated encrypted Jabber messaging for anonymous communication
  • Exclusive membership with vetting process and paid accounts

Ukrainian Context: Cybercrime in Wartime

The arrest in Ukraine carries particular significance given the country’s ongoing war with Russia. While authorities have long suspected that XSS.IS was operated or supported by Russian intelligence agencies—including the Foreign Intelligence Service (SVR), Federal Security Service (FSB), and Main Intelligence Directorate (GRU)—the administrator was found to be located in Ukraine.

XSS.IS Admin Arrested in Ukraine. Source: Europol

This development highlights the complex nature of cybercrime operations, which often transcend national boundaries and political conflicts. It remains unclear whether the suspect is a Ukrainian or Russian national, demonstrating how cybercriminal networks can operate across geopolitical divides.

The successful operation also showcases Ukraine’s commitment to international cybersecurity cooperation despite the ongoing conflict, with Ukrainian authorities working alongside French and European partners to combat global cybercrime.

Current Status and Ongoing Investigation

XSS.IS – official law enforcement seizure

As of the seizure, visitors to the main XSS.IS domain now see an official law enforcement seizure notice. However, the forum’s dark web (.onion) domain and clearnet mirror (XSS.AS) currently display “504 Gateway Timeout” errors, suggesting these infrastructure components may still be under investigation or in the process of being dismantled.

Notably, the Telegram channel associated with the XSS.IS administrator remains active and shows no signs of seizure, with the account marked as “recently seen.” It remains unclear whether authorities have gained access to these communication channels or control over the forum’s associated social media accounts.

According to Europol, authorities have seized significant amounts of user data, which is now being analyzed to identify and track cybercriminals worldwide. This information will likely support ongoing operations against cybercrime networks both in Europe and globally.

Part of a Broader Enforcement Trend

The XSS.IS takedown represents the latest in a series of successful operations against major cybercrime platforms. Recent law enforcement actions have targeted numerous dark web marketplaces and criminal forums, including BreachForums and other major platforms:

  • BreachForums – Several suspected operators arrested by French authorities in June
  • Cracked and Nulled – Takedown operation targeting software piracy forums
  • PopeyeTools – Criminal marketplace shutdown
  • Incognito Market – Dark web marketplace seizure
  • Nemesis Market – Underground trading platform dismantled
  • Bohemia and Kingdom Market – Additional dark web marketplace closures
  • Pygmalion – German police seized this dark web shop, accessing customer data from over 7,000 orders

These coordinated efforts demonstrate law enforcement’s increasing sophistication in combating online criminal networks and their willingness to pursue long-term investigations to achieve meaningful results.

Impact on the Cybercrime Ecosystem

While cybercrime forums frequently appear and disappear, the seizure of XSS.IS represents a particularly significant blow to the global cybercrime community. The forum’s reputation, extensive user base, and role in facilitating high-value criminal transactions made it a cornerstone of the Russian-speaking cybercrime ecosystem.

The loss of such an established platform will likely force cybercriminals to seek alternative venues for their operations, potentially disrupting established relationships and communication channels. However, the cybersecurity community expects that new platforms will eventually emerge to fill the void, as criminal networks adapt to law enforcement pressure.

What This Means for Cybersecurity

For organizations and security professionals, the XSS.IS seizure provides several important insights:

  • Long-term investigations work – The four-year investigation demonstrates that patience and international cooperation can yield significant results
  • Communication monitoring is crucial – Court-ordered surveillance of the Jabber server provided key evidence of criminal activity
  • User data provides ongoing value – The seized information will support future investigations and help identify additional threats
  • International cooperation is essential – The success required coordination between Ukrainian, French, and European authorities

Organizations should remain vigilant as displaced cybercriminals may attempt to accelerate operations or seek new platforms, potentially leading to increased attack activity in the short term.

The Road Ahead

French authorities have not disclosed the identity of the arrested suspect or specified whether extradition proceedings will follow. Ukrainian authorities have also not publicly commented on the arrest beyond their participation in the operation.

The investigation continues as authorities analyze the substantial amount of seized data, which will likely lead to additional arrests and help map the broader cybercrime network that utilized XSS.IS. This information could prove invaluable in understanding and disrupting other criminal operations worldwide.

As Europol noted in their statement, the message to cybercriminals is clear: regardless of how sophisticated or well-established criminal platforms may be, law enforcement will eventually catch up. The XSS.IS takedown serves as a reminder that even the most notorious cybercrime forums are not beyond the reach of determined international law enforcement efforts.

For users and organizations, this development underscores the importance of maintaining robust cybersecurity measures, as the criminal networks that relied on XSS.IS may attempt to accelerate their operations or establish new platforms in response to this disruption.

Brendan Smith writes for Gridinsoft blog. He’s been in the cybersecurity game for 15 years and really knows his stuff. He’s super into tech and keeping things safe online. He’s awesome at simplifying tech, so you can stay safe online without drowning in jargon.