On July 22, 2025, Ukrainian law enforcement, working with French prosecutors and Europol, arrested the suspected administrator of XSS.is. The operation took place in Kyiv, Ukraine, and targeted one of the most significant Russian‑language dark web cybercrime forums.
XSS.is has been online since around 2013, originally known as DaMaGeLaB. The forum had over 50,000 registered users and offered malware, stolen data, access to compromised systems, ransomware support, and hacker tools.
Investigation and Arrest
French authorities opened their inquiry in mid‑2021. Over years they monitored encrypted Jabber messages, mapped transactions, and traced communication back to the suspect living in Ukraine. Europol supported the effort with field and virtual command coordination.
The suspect allegedly ran thesecure.biz, an encrypted messaging service used by cybercriminals. Investigators say he earned over €7 million (around $8.2 million) through ad placements, dispute resolution services, and transaction guarantees on the forum.
Europol described the arrest target as far more than a technical operator, he acted as a trusted third party among criminals, securing deals and managing disputes.
Domain Seized, Forum Still Shows Life
French authorities seized the XSS.is clearnet domain. Visitors now see a seizure notice from France’s cybercrime unit and Ukraine’s SBU Cyber Department.
As of July 24, the forum’s dark web (.onion) and mirror domains still returned 504 Gateway Timeout errors. Despite that, activity resurfaced quickly. Hackread.com confirmed that both .onion and mirror domains came back online. A post from what claims to be another forum admin said the infrastructure was intact and undergoing replacement
XSS.is was considered one of the most trusted Russian‑language cybercrime forums. It ranked highly among underground sites and served ransomware gangs, exploit sellers, and identity‑theft operators.
Europol flagged stolen‑data marketplaces like XSS as key drivers of cybercrime — enabling fraud, ransom extortion, and identity theft across Europe and beyond.
Authorities have seized servers and are analyzing data for leads. This may result in more arrests and disruption to interconnected forums across Europe and Russia‑speaking networks.
Still, experts warn that many cybercriminals will migrate to other forums, private chat groups, or encrypted messaging services. The criminal ecosystem adapts quickly.
