Major Blow to Cybercrime: Ukraine Arrests XSS Forum Admin in International Sting Operation
In a high-stakes international operation, Ukrainian police yesterday arrested the alleged administrator of XSS.is—one of the most entrenched Russian-speaking cybercrime forums—marking a significant victory for global law enforcement. The arrest, executed at the request of France's Paris prosecutor's office with Europol's assistance, caps a meticulous investigation into a platform that has facilitated ransomware, malware sales, and data breaches since 2013.
The Rise and Reign of XSS.is
XSS.is emerged over a decade ago as a hub for cybercriminals, amassing more than 50,000 registered users. It operated as a digital black market where threat actors traded access to compromised systems, advertised ransomware-as-a-service (RaaS) kits, and orchestrated attacks. Despite publicly banning ransomware discussions in May 2021 to evade scrutiny, the forum continued to be a breeding ground for high-profit crimes. French authorities revealed that intercepted communications proved the platform enabled activities generating at least $7 million in illicit revenue, undermining the facade of compliance.
How the Investigation Unfolded
The breakthrough came through lawful interception rather than novel exploitation. French police, who opened their probe in July 2021, identified 'thesecure.biz', a Jabber (XMPP) server favored by the forum's members for messaging, and placed it under judicial wiretap. XMPP itself offers at most transport encryption between client and server; without a client-side layer such as OTR or OMEMO, messages are readable by whoever controls or monitors the server. The wiretaps captured evidence of ransomware operations and extortion, and by November 2021 a formal investigation for 'complicity in attacks on data processing systems' had been opened. As one French official stated in the announcement: "The intercepted messages revealed numerous illicit activities... and established that they had generated at least 7 million dollars in profit." This surveillance pinpointed the forum's administrator, culminating in a targeted operation in Ukraine.
The Takedown and Its Immediate Fallout
Yesterday's arrest in Ukraine, attended by French officers, coincided with law enforcement seizing control of the XSS.is domain. Forum members grew suspicious when they lost the ability to post, and the site soon displayed a seizure notice: "This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance of the SBU Cyber Department." With backend access and the administrator in custody, authorities now hold extensive data on the forum's users, setting the stage for potential indictments. Europol confirmed the operation included forensic examination of seized hardware, visible in images released from the raid.
Broader Implications for Cybersecurity
This crackdown delivers a stark warning to cybercriminal communities. The disruption of XSS.is, just weeks after French arrests of BreachForums operators, including 'IntelBroker', highlights a trend of coordinated, cross-border actions targeting infrastructure, not just individuals. For security teams, the lesson is that judicial interception of a single chat server the community trusted exposed years of private traffic: a messaging platform is only as private as the infrastructure it runs through. The forum's seizure may fragment its user base, but it also risks displacing threats to darker corners of the web. As law enforcement leverages surveillance to dismantle these networks, the industry must remain vigilant against evolving ransomware tactics. Source: BleepingComputer