Find out what’s new on ST website and app.

PARIS – A person suspected of being the administrator for the Russian language cybercriminal forum XSS.is was arrested in Ukraine this week, the French public prosecutor’s office and the pan-European police body Europol said on Wednesday.

Europol said the suspect – whose name has not been given – was thought to have earned more than 7 million euros ($8.20 million) via the forum.

“The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity,” a Europol statement said.

“Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions. He is also believed to have run thesecure.biz, a private messaging service tailored to the needs of the cybercriminal underground,” it added.

Europol said the cybercrime forum had more than 50,000 registered users and served as a key marketplace for stolen data, hacking tools and other illegal services.

The suspect was arrested in Kyiv on Tuesday in a police operation involving Ukrainian authorities, according to French police and Europol. REUTERS

Ukrainian authorities Tuesday arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office.

Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.

The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.

Officials accuse the forum’s administrator of running technical operations and playing a central role in enabling cybercrime. Messages intercepted by authorities during the investigation revealed the suspect made more than $8.2 million in advertising and facilitation fees.

Advertisement

“Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol said in the new release about the arrest and takedown operation. Authorities also accuse the suspect of running thesecure.biz, a Jabber-powered private messaging service for cybercrime that remains online as of press time.

The cybercrime unit of the Paris public prosecutor’s office opened an investigation into XSS.is in July 2021 and deployed French police investigators on the ground in Ukraine, with Europol’s support, in September 2024.

The arrest in Kyiv, Ukraine, followed a series of coordinated law enforcement actions, including evidence gathering and the dismantling of the cybercrime forum’s infrastructure. Authorities said data seized during the investigation will be analyzed to support ongoing investigations across Europe and elsewhere.

The Paris public prosecutor’s office said the alleged administrator of XSS.is was identified as part of a wiretap.

Find out what’s new on ST website and app.

PARIS – A person suspected of being the administrator for the Russian language cybercriminal forum XSS.is was arrested in Ukraine this week, the French public prosecutor’s office and the pan-European police body Europol said on Wednesday.

Europol said the suspect – whose name has not been given – was thought to have earned more than 7 million euros ($8.20 million) via the forum.

“The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity,” a Europol statement said.

“Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions. He is also believed to have run thesecure.biz, a private messaging service tailored to the needs of the cybercriminal underground,” it added.

Europol said the cybercrime forum had more than 50,000 registered users and served as a key marketplace for stolen data, hacking tools and other illegal services.

The suspect was arrested in Kyiv on Tuesday in a police operation involving Ukrainian authorities, according to French police and Europol. REUTERS

Ukrainian authorities, with help from French police and Europol, have arrested a person suspected of running one of the largest Russian-language cybercrime hubs out there, XSS.is.

It all started with a long-running investigation that began in mid‑2021 in France. Prosecutors gradually traced encrypted logs and hacker chatter back to an individual living in Ukraine, culminating in their arrest on July 22, 2025.

Press release of the XSS.IS’ suspect admin arrest from the Paris Public Prosecutor’s Office on LinkedIn

XSS.is has been quietly operating since around 2013. The forum became notorious as a central marketplace for hijacked system access, malware, stolen credentials, ransomware kits and an encrypted Jabber channel hackers used to coordinate deals.

You might wonder how the biggest-ever Russian-language cybercrime board ended up with an admin based in Ukraine. The truth is, cybercriminals aren’t bound by borders. Ukraine’s large tech-savvy population and lax oversight may have created ideal conditions for operators like this to manage illicit activities without raising suspicion for years.

Inside XSS.is, users could browse and buy everything from data dumps and remote access trojans to ransomware deployment tools. Its encrypted Jabber server lets members communicate anonymously, making it a go-to platform for organising global cyberattacks.

As of July 2025, XSS.is had been online for over 12 years. That kind of longevity is rare in cybercrime. This arrest highlights how even entrenched networks can be infiltrated with sustained international cooperation.

Current homepage of the XSS.IS forum

Ex-DaMaGeLaB

This is not the first time the forum has had its administrator arrested. The forum originally launched in 2004 under the name DaMaGeLaB, a respected Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, another prominent forum admin acquired a backup and relaunched it under the new name XSS, referencing the web‑security vulnerability “cross-site scripting.” Switching to the name XSS had two main purposes. First, it distanced the forum from its law‑enforcement-linked past tied to the DaMaGeLaB name. Second, it adopted a tech‑savvy rebrand by invoking a specific vulnerability known to its audience.

Reboot message from XSS.IS’s admin (Image via: ReliaQuest)

For now, XSS.is’s future looks uncertain. With its alleged administrator in custody, authorities in France and Ukraine have a chance to unravel the forum’s infrastructure and financial trail. Europol’s involvement adds weight to the operation and shows a growing international resolve to tackle cybercriminal networks.

Stay tuned, this article will be updated with more information.

A man suspected of administering the Russian-language cybercrime forum XSS was arrested in Ukraine on July 22.

In an official statement on July 23, Laure Beccuau, a French State Prosecutor, said that the individual was taken into custody by the Ukrainian authorities, with the collaboration of the French police and Europol.

This arrest is the result of a four-year long investigation, which began on July 2, 2021, by the Paris Police Prefecture’s Cybercrime Unit.

As part of the investigation, French police intercepted recordings on the Jabber thesecure.biz server which accompanied the XSS forum to facilitate anonymous exchanges between cybercriminals.

These interceptions revealed that the arrested individual was allegedly linked to numerous illicit cybercrime and ransomware activities and established that they had generated at least $7m in profit.

A judicial investigation was opened on November 9, 2021, on charges of complicity in attacks on an automated data processing system, extortion in an organized gang and criminal association.

In September 2024, the case moved into the operational phase in Ukraine, where French police investigators were deployed on the ground, supported by Europol through the establishment of a virtual command post. It was followed by another action that started on July 21, 2025, which saw the arrest of the main suspect in Kyiv.