Despite the increased use of messaging platforms such as Telegram as venues to buy and sell cybercrime-related services, centralized forums remain a feature of the cybercriminal underground. The most popular of these forums offer access to a significant pool of users, a wide range of goods and services and trust-building mechanisms such as escrow services and user ratings. Operators of these forums may offer both a clear web version, which can be accessed through a regular web browser, and a Tor service, which offers greater privacy and can obscure the IP range where the site is actually hosted. However, these forums have increasingly been a focus for law enforcement keen to disrupt underground economies, uncover the real-world IDs of threat actors and undermine confidence in online venues dedicated to cybercrime.
Predominantly English-language forums have been targeted by law enforcement over the last several years, including Raid Forums, BreachForums, Nulled and Cracked. These interventions and other wild-card events, such as back-end data leaks containing registration data, private messages, cryptocurrency addresses and IP addresses, have made the centralized forum model increasingly risky. Forums predominantly used by Russian-speaking Eastern European cybercriminals have been less affected until recently, when a coalition of international partners took aim at one of the most prominent Russian-language forums, XSS. XSS provided a central marketplace for stolen data, hacking tools and illicit services.
The banner notice on xss.is, one of the clear web domains for the XSS cybercrime forum, which was disrupted by law enforcement in July 2025.
XSS has traditionally been well respected in cybercriminal circles due to its lengthy history, resiliency to law enforcement action and the fact it was operated by a long-standing former Exploit forum administrator who went by the moniker admin aka toha. The forum played a pivotal role in enabling some of the most active and notorious cybercriminal syndicates to advertise products, coordinate operations and recruit members. The forum had nearly 50,000 registered members, more than 110,000 threads and about 850,000 posts. In July 2025, French, Ukrainian and European Union Agency for Law Enforcement Cooperation (Europol) authorities said they arrested XSS’s administrator, seized control of related forum domains and revealed they’d had access to a Jabber server containing threat actor communications. The disruption has caused upheaval, and trust in this cybercriminal watering hole has been indisputably undermined. In this blog, we will detail the background of XSS, the impact of the action and whether the forum will remain viable.
XSS was launched in 2018 and followed the DaMaGeLaB forum, which was founded in 2004. DaMaGeLaB’s administrator, the actor Ar3s, was arrested in late 2017. The DaMaGeLaB forum changed hands one more time before ceasing operation around March 2018. After Ar3s was released from prison in Belarus, DaMaGeLaB’s database was purchased by admin aka toha. In an example of the small circles of Eastern European cybercrime, toha (other monikers linked to toha include member0, muss and yuppieszzz) was formerly an administrator of the Exploit cybercrime forum, which still exists. Upon launching the XSS forum Sept. 21, 2018, admin posted this not-so-humble launch message:
Greetings! Welcome to XSS.is, the reincarnation of an old forum. We are the successors of Damagelab.org, a legendary forum, one of the very first underground forums that appeared on Runet in the 2000s, an equal of CarderPlanet, web-hack, Antichat, Exploit, and Mazafaka. Those forums nurtured a generation of first-rate experts, sometimes even geniuses, who went off to different areas of life and business. Some of us drive brand-new Ferraris, others shape the fate of the world, while yet others decided to go white hat and dedicated their lives to high-profile IT projects working at companies from the top 100 list. There are also those who now live behind bars or have left this world altogether (for example, Great). It’s an entire generation, a lifestyle, an era.
XSS was well curated by a team of moderators. Actors on the forum primarily communicated in Russian and occasionally English. Registration was required to view the forum's content.
On July 23, 2025, French prosecutors announced the arrest of XSS’s administrator one day prior in Kyiv, Ukraine. The arrest and investigation were done in cooperation with Ukrainian prosecutors, the Security Service of Ukraine aka SBU and Europol, following an investigation French investigators started July 2, 2021.
Computer security reporter Brian Krebs published a report Aug. 6, 2025, suggesting that the real-world identity of the administrator may be 37-year-old Anton Gannadievich Medvedovskiy. However, Ukrainian authorities have not identified the person they arrested, which is customary for Ukrainian law enforcement.
Europol released a photo showing the alleged administrator of the XSS cybercrime forum. His name was not released.
Investigators gained access to thesecure.biz, an encrypted Jabber server, that contained messages associated with XSS forum participants. Authorities allege the administrator profited at least 7 million euros (about US $8.2 million) from advertising and facilitation fees, as he arbitrated disputes between forum users and “guaranteed the security of transactions” as part of his forum-running duties, according to Europol. Shortly after the initial news started to circulate about the arrest, two of the forum's clear web domains, xss.as and xss.is, displayed law enforcement seizure notices. WHOIS records indicate the xss.is domain was transferred to the Iceland National Commissioner of Police.
There are questions around cryptocurrency funds held by XSS. An analysis of cryptocurrency wallets done by the new admin after the arrest of the XSS administrator indicated that only a small portion of more than 55 bitcoins (about US $6.32 million) remains — specifically, 1.7 bitcoins (about US $195,450). The remaining funds reportedly were stored in cold wallets, access to which is likely lost or under the control of the SBU.
The alleged administrator of the XSS cybercrime forum in a photo released by Ukrainian police. (Source: Npu.gov.ua)
In the days following the operation, XSS forum staff made a few notable announcements. The admin persona — which was controlled by toha prior to the operation — claimed the forum’s infrastructure was “burnt” but its back end and backups remained intact. The admin persona announced they were working to restore the escrow and deposit system and that the forum was moving to a new Tor-based address. Also, admin’s old Telegram username and Jabber ID were removed from the forum, raising concerns the accounts may have been compromised. Two new clear web domains were observed, xss.place and xss.pro, with admin only confirming the latter was legitimate. Then, an alternative solution was proposed. One of XSS’s moderators, gliderexpert, announced the launch of a new forum-affiliated Jabber server to replace the one infiltrated by law enforcement. The plan was for the forum to be reconstituted under new domain names, and forum moderators allegedly would remain in their positions.
Despite the plan by admin to restart XSS, multiple XSS forum moderators expressed concern over who actually controlled the admin handle, suggesting it could be law enforcement, specifically the SBU, which participated in the disruption. On Aug. 2, 2025, the moderators 174region174, DildoFagins, gliderexpert, ordinaria1, Quake3, Rehub, varwar and weaver expressed their distrust of the administrator, stating that law enforcement’s objective was to “collect even more evidence on users and to carry out even more arrests.”
The moderators then collectively decided to launch an alternative forum called DamageLib that would use the content from XSS up to Aug. 1, 2025. DamageLib’s new administrator — someone also using the moniker admin — wrote that DamageLib would run as a secure, noncommercial alternative to XSS and not track users. Previous XSS moderators would be banned but DamageLib would provide an email address if they wanted to get in touch.
XSS’s online presence has been in flux, as it was purportedly subject to distributed denial-of-service (DDoS) attacks around Aug. 9, 2025. Since Aug. 11, 2025, the site has remained available. However, the ongoing conflict between the new administrator of the XSS cybercrime forum and its former moderation team highlights the profound consequences of inadequate transparency — particularly when compounded by missing funds, ambiguous leadership authority and sustained law enforcement scrutiny.
Control of the forum remains unclear with former staff alleging that operatives from the SBU now are overseeing its infrastructure. The actor admin’s refusal to confirm or deny these claims only deepened board members’ anxiety. It is highly likely that the moderators’ abrupt departure came as an unanticipated development for the current administrator, prompting the declaration of a “maintenance” break — likely intended to recalibrate strategy amid internal disruption. The forum’s data rollback, the unexplained depletion of cryptocurrency reserves and the blanket banning of former moderators have further eroded its credibility. As such, monetization alone is unlikely to repair the substantial reputational damage already incurred.
The community now appears to be splintering between two rival platforms: the legacy XSS forum operating under opaque and contested leadership, and the newly launched DamageLib forum led by the ousted moderators. We assess that despite significant trust issues, XSS could partially restore its reputation in the medium term if it continues to reimburse lost deposits and resolve stalled escrow transactions, and succeeds in regaining a portion of its user base. The primary and most apparent shortcoming of DamageLib compared to XSS is the lack of a commercial section, which is an essential driver for the operation of “profit-first” forums that rely on revenue.
These developments point to a broader structural shift already underway in the Russian-language cybercrime underground. Centralized forums — once dominant pillars of the ecosystem — are proving increasingly vulnerable to takedown, infiltration or internal collapse. In response, threat actors are gravitating toward midsize, council-governed marketplaces or migrating to invite-only, peer-to-peer networks where escrow and identity risks are managed on a case-by-case basis. The long-term viability of any major forum will hinge on its ability to demonstrate verifiable integrity, resilient infrastructure and credible leadership — three attributes now conspicuously absent from the XSS forum.