25 July 2025

International Authorities Arrest XSS Forum Cybercrime Administrator

A coordinated operation between French, Ukrainian, and European agencies dismantled a major Russian-speaking cybercrime platform, disrupting a two-decade criminal network

In a decisive strike against global cybercrime, international law enforcement agencies have apprehended the suspected administrator of one of the most influential Russian-speaking cybercrime forums, xss.is, in a meticulously coordinated operation. The arrest, which took place on July 22, 2025, in Kyiv, Ukraine, marks a significant disruption to a criminal network that has thrived in the shadows for nearly two decades.

The investigation, which began in 2021 under the leadership of French police and the Paris Prosecutor’s Office, was bolstered by the collaborative efforts of Ukrainian authorities and Europol. This multinational task force worked tirelessly for years, culminating in the arrest of the individual believed to have operated under the pseudonym "toha," who is alleged to have been the central figure managing the xss.is forum.

With over 50,000 registered users, xss.is was far more than a simple marketplace. It was a sophisticated criminal ecosystem, serving as a critical hub where some of the most dangerous cybercriminal networks coordinated operations, advertised hacking tools and services, and recruited new members. The forum facilitated a wide range of illicit activities, including ransomware attacks, fraud, identity theft, and the trade of stolen data and malware.

Europol described the platform as "one of the main hubs for global cybercrime," emphasizing its role in enabling cybercriminals to operate with relative impunity. The arrested administrator was not merely a technical operator but a key enabler within this ecosystem. Acting as a trusted intermediary, he arbitrated disputes between criminals, guaranteed the security of illegal transactions, and maintained the trust necessary for the marketplace to function.

Moreover, the suspect is believed to have operated thesecure.biz, an encrypted private messaging service designed specifically for cybercriminal communications. This service allowed criminals to communicate anonymously and securely, further entrenching the forum’s influence. Authorities estimate that through advertising and facilitation fees, the suspect generated over €7 million (approximately $8.2 million) from these illicit enterprises.

Investigations reveal that the individual’s involvement in cybercrime spans nearly twenty years, during which time he cultivated close relationships with several major threat actors within the underground economy. The forum itself has roots dating back to 2004, originally known as "DaMaGeLaB," before rebranding to xss.is in 2013. Over the years, it evolved into a professional platform with well-defined sections covering hacking, corporate access, database leaks, and even competitive intelligence. It also served as a recruitment and public relations tool for Ransomware-as-a-Service providers, although such content was often banned to avoid attracting law enforcement attention.

Interestingly, in 2023, the forum trialed an "XSSBot," suspected to be powered by ChatGPT technology, which provided users with information about malware strains and coding techniques. This innovation highlights the forum’s adaptability and its operators’ attempts to stay ahead of cybersecurity defenses.

The investigation’s operational phase intensified in September 2024, with French investigators deployed to Ukraine and supported by Europol through a virtual command post. During the enforcement actions in Kyiv, Europol deployed a mobile office to assist with on-site coordination and evidence collection. The seized data is now undergoing comprehensive analysis, which is expected to support ongoing investigations across Europe and beyond, potentially leading to further arrests and the dismantling of related criminal networks.

Despite the seizure of the main xss.is domain, backup domains such as xss.as, the associated .onion site, and the thesecure.biz Jabber service reportedly remain operational. The cybercriminal community has been actively discussing the recent developments, with moderators reportedly deleting content related to the arrested administrator, known by the alias "LARVA-27," in an attempt to suppress the narrative and "troll" Western observers.

This arrest is part of a broader crackdown on cybercrime ecosystems in Europe. Just last month, French authorities apprehended the alleged administrator of BreachForums, another prolific underground marketplace, along with several accomplices. These coordinated efforts underscore the growing commitment of international law enforcement to dismantle the infrastructure enabling cybercrime.

According to Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA), stolen data marketplaces like xss.is are critical drivers of the cybercrime economy. They provide cybercriminals with access to compromised data, hacking tools, and illicit services essential for executing ransomware attacks, fraud schemes, identity theft, and extortion operations. The takedown of xss.is sends a strong message that such platforms will face relentless pressure and scrutiny.

In July 2021, French police first zeroed in on thesecure.biz, the encrypted Jabber messaging server that was heavily used for anonymous communication among forum users. Wiretaps and intercepted messages revealed extensive illicit cybercrime activities, including ransomware operations that generated at least $7 million in profit. This intelligence was pivotal in identifying the suspect and building the case that ultimately led to his arrest.

While the arrest represents a landmark victory, experts caution that the cybercriminal ecosystem is resilient and constantly evolving. The continued operation of backup domains and encrypted communication services suggests that some elements of the network remain active. Nevertheless, the disruption of a central figure and platform such as xss.is significantly hampers cybercriminal coordination and capacity.

As investigations continue, law enforcement agencies worldwide remain vigilant, leveraging enhanced cooperation and advanced technologies to combat the ever-growing threat of cybercrime. The arrest in Kyiv is a testament to the power of international collaboration and the determination to uphold digital security in an increasingly interconnected world.