XSS Forum Seized: KELA Reveals User Reactions and Speculations | KELA Cyber

By KELA Cyber Team

Published July 23, 2025

On July 22, 2025, Ukrainian authorities arrested a man suspected of operating XSS, one of the most prominent Russian-language cybercrime forums active on the dark web. The arrest was the culmination of a multi-year investigation led by the Paris Public Prosecutor’s Office, with support from French police, Europol, and Ukrainian law enforcement agencies. KELA’s Cyber Intelligence Center summarizes XSS history, its activity, and how its users are reacting to the arrest.

XSS.is: A Hub for Cybercriminal Activity

XSS, formerly DaMaGeLaB, is one of the oldest Russian-speaking underground communities, available both on clearweb and Tor. While it is managed by Russian speakers and most conversations on the forum are in Russian, English-speaking users are also active on the forum. Attacking organizations and individuals from CIS countries is strictly forbidden.

XSS currently has 48,750 registered users and more than 110,000 threads, and is dedicated to all sorts of hacking discussions, including leaks and sales of data, access, malware, and tools (excluding ransomware-as-a-service and other related advertisements, which were banned on the forum in 2021 following the Colonial Pipeline attack). Here are just some recent offers:

  • 587 GB “Exclusive Data” package from a US dialysis provider—featuring 25 years of Oracle and Exchange backups plus sensitive patient PHI, passports, licenses, SSNs, and other company files—for $200,000

  • Zero-day RCE exploit for FortiOS SSL-VPN versions 7.4–7.6—offering two non-exclusive “hands” for 0.5 BTC or one exclusive “hand” for 1 BTC

  • VPN-based corporate access with domain admin privileges to a US firm (more than $25 million revenue, 800 clients) for $1,000

To facilitate illicit transactions, the forum has a built-in reputation system. Members can use a forum-appointed escrow service to ensure that deals are completed without scams, as well as add a deposit, contributing to their reputation.



The forum has been quite active, with hundreds of posts daily, and was managed by an administrator and moderators.

Count of posts comparison on XSS and Exploit, another known Russian-speaking forum, since 2018 (rebranding from DaMaGeLab to XSS)


The Investigation and Arrest

The investigation began in July 2021 when French authorities initiated surveillance on the "thesecure.biz" Jabber server, owned by XSS. Intercepted communications revealed extensive illicit activities, including ransomware campaigns that generated at least €7 million in profits. In November 2021, French prosecutors opened a judicial investigation into charges of unauthorized access to automated data processing systems, organized extortion, and criminal conspiracy.

The suspect, whose identity has not been publicly disclosed, was arrested in Kyiv on July 22, 2025. He is believed to have played a central role in enabling criminal activity on the forum, acting as a trusted intermediary to arbitrate disputes and ensure the security of transactions.

Who is XSS’s administrator

The XSS owner and administrator, using the handle ‘admin’, has been quite active on the forum, mostly acting as a judge in the forum’s “court” and taking part in general discussions, threads dedicated to forum improvements, and so on.

Interestingly, while the arrested individual was based in Ukraine, the admin mentioned the country just a handful of times in his posts. When speaking about Ukraine in 2021 and clarifying that Ukraine-related data is forbidden on the forum, the admin referred to Ukraine as if he were based in Russia: “Due to shitty politics, Ukraine has faded into the background, so to speak, and has become not very friendly towards us. To be honest, I don't even know if it is a member of the CIS now.” 

Therefore, it is not clear whether this was an OPSEC trick or whether the individual arrested in Ukraine is not the person behind the ‘admin’ handle.

In general, political discussions on XSS were not welcomed.

XSS admin’s statement shortly after Russia attacked Ukraine (auto-translated by KELA platform)


Cybercrime users' reaction to the arrest

Per KELA's observations, the alleged arrest of the administrator has sparked a wave of rumors and speculation across various underground platforms such as Exploit, Dread, and XSS itself. 

Users noted that a thread about the incident was removed from XSS within five minutes of posting, drawing comparisons to previous takedowns like WWH. Some users suspect a connection between the arrest and recently frozen arbitration funds in Tether, allegedly involving Ukrainian parties. Others claim that the XSS domains were seized and that in some geolocations, visitors to the forum’s clearweb domain now see a Europol takedown notice (corroborated by KELA when visiting from a France-based IP). Additional chatter indicates that the suspected administrator has not been online since July 22, further fueling speculation. 

Clearweb domain of XSS displays a seizure notice




Implications and Ongoing Investigations

The arrest marks a significant milestone in international efforts to combat cybercrime. The operation underscores the growing importance of cross-border cooperation in addressing cybercriminal activities that transcend national boundaries.

As investigations continue, law enforcement agencies are likely working to identify other individuals involved in the forum's operations and to prevent the emergence of similar platforms. The case serves as a reminder of the persistent and evolving nature of cyber threats and the need for sustained vigilance and collaboration among international partners.



Additionally, the closure of XSS may disrupt certain cybercriminal activities, and it's unclear whether this will lead to the emergence of new forums or whether existing ones will absorb its user base. As we saw recently, when the BreachForums' administrators were arrested in April 2025, the gap was quickly filled by DarkForums.

KELA will continue to closely monitor the broader impact of this latest arrest, and keep customers informed through the KELA Platform. If interested in a deep dive into specific threat actors or underground forums, please reach out to KELA.