
French and Ukrainian authorities have arrested the alleged administrator of XSS, one of the most notorious Russian-language cybercrime forums, marking a significant blow to the cybercriminal ecosystem that has thrived in Eastern Europe for over a decade.
According to a statement by the Paris prosecutor’s office, the suspect was apprehended on July 22 in Ukraine during a coordinated law enforcement operation involving the Ukrainian Cyber Police, the Security Service of Ukraine (SBU), and the General Prosecutor’s Office of Ukraine. The operation was conducted in the presence of French cybercrime police from the Paris Prefecture and coordinated by Europol.

Launched in 2013, XSS (also known as XSS.is) operated as a key marketplace for cybercriminal services and tools. The forum facilitated the trade of malware, stolen data, ransomware services, and unauthorized access to compromised systems. A parallel encrypted messaging service, a Jabber server hosted at thesecure.biz, was used by forum members to coordinate attacks and transactions anonymously.
The investigation was initiated on July 2, 2021, by the Paris Public Prosecutor’s Office’s Cybercrime Section, with the Brigade de Lutte contre la Cybercriminalité (BL2C) leading the operational side. French authorities secured judicial interception warrants that allowed them to monitor communications on the Jabber server. The intercepted messages exposed extensive illicit activity tied to ransomware operations and other forms of cybercrime, generating estimated profits of at least $7 million.
On November 9, 2021, a formal judicial investigation was opened under serious charges, including complicity in unauthorized access to automated data processing systems, organized extortion, and criminal association.
XSS played a central role in the proliferation of several high-profile malware families, including Poseidon Stealer, DarkGate, and Raccoon Stealer. These malware variants have been used in global data theft and credential harvesting campaigns. Additionally, XSS served as a leak site for data from major breaches, affecting well-known organizations such as Valve, a leading video game developer and distributor, and Gravy Analytics, a U.S.-based data brokerage firm.
The dismantling of XSS follows a similar law enforcement action carried out by French authorities just a month prior. In late June, the BL2C arrested five alleged administrators of BreachForums, an English-language successor to RaidForums. Among those detained were figures known online as “ShinyHunters” and “IntelBroker,” individuals linked to multiple high-profile breaches involving French companies and government entities.