The suspected administrator of the Russian-speaking hacking forum XSS.is was arrested by the Ukrainian authorities yesterday at the request of the Paris public prosecutor's office.

XSS.is is a Russian-speaking cybercrime forum that has been active since 2013 and is widely regarded as one of the major online hubs for cybercriminal activity, with over 50,000 registered users.

The platform was used to sell malware and access to compromised systems, advertise ransomware-as-a-service (RaaS) platforms, and discuss illegal activities.

The French authorities state that the investigation was opened roughly four years ago, uncovering activities related to ransomware and other cybercrimes, which yielded multi-million-dollar profits.

This was despite the forum publicly banning all ransomware topics on the platform in May 2021.

"The investigation, opened on July 2, 2021, by the cybercrime division of the Paris prosecutor's office and assigned to the Cybercrime Brigade of the judicial police of the Paris police prefecture, led to the implementation of judicial wiretaps on the Jabber server thesecure.biz," reads the announcement.

"The intercepted messages revealed numerous illicit activities related to cybercrime and ransomware, and established that they had generated at least 7 million dollars in profit."

Jabber is an encrypted messaging platform that utilizes the XMPP protocol and is popular among threat actors as a means of communication. According to the French police, they were able to breach the 'thesecure.biz' server to spy on communications between users on the platform.

These surveilled communications led to the opening of a judicial investigation on November 9, 2021, for complicity in attacks on data processing systems, extortion, and criminal conspiracy.

A second, later interception identified the forum's alleged administrator, leading to the on-site deployment of agents in September 2024. The suspect was arrested yesterday by Ukrainian police, in the presence of French officers and with the assistance of Europol.

Image from the arrest and computers' examination
Source: Europol

XSS forum members posted concerns this morning that the site was taken over by law enforcement after being unable to reply to existing threads about it.

Soon after, the site was officially taken offline by law enforcement, displaying a message stating, "This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance of the SBU Cyber Department."

XSS hacking forum seized by law enforcement
Source: BleepingComputer

With potential access to the forum backend and the arrest of the suspected administrator of XSS, it is likely that the authorities now hold incriminating evidence against other members of the forum, which may lead to more actions in the future.

In any case, this development is likely to have a chilling effect on the activity at XSS, as users fearing exposure to law enforcement will turn to other sites.

The XSS admin arrest comes shortly after the French police arrested five operators of BreachForums, another major cybercrime platform, who included the notorious hacker and data broker known as 'IntelBroker.'

Update 7/23/25: Article updated to reflect that XSS has now been seized by law enforcement.
