Suspected admin of major dark web cybercrime forum arrested in Ukraine
Ukrainian authorities have arrested a person suspected of running XSS.is, one of the most prominent Russian-speaking cybercrime forums on the dark web, France’s prosecutor’s office said on Wednesday.
The arrest took place earlier in July in Ukraine, with the participation of French cybercrime investigators and Europol, the French statement said.
XSS.is has been around since at least 2013, allowing hackers to buy and sell malware, stolen data, access to hacked systems, and ransomware services. It also ran an encrypted Jabber messaging server that let cybercriminals communicate anonymously, authorities said.
French authorities said the investigation began in July 2021 and included court-ordered surveillance of a Jabber server. The intercepted messages exposed extensive criminal activity, including ransomware attacks that prosecutors said brought in at least €7 million ($8.2 million) in illegal profits.
Europol said the suspected administrator wasn’t just a technical operator — he also played a key role in supporting criminal activity, helping cybercriminals settle disputes and making sure their illegal deals went smoothly. He’s also suspected of helping carry out cyberattacks, taking part in organized extortion and being involved in a broader criminal conspiracy.
XSS.is, previously known as DaMaGeLab before rebranding in 2018, is one of the oldest forums on the dark web and is especially popular among Russian-speaking cybercriminals. The forum had more than 50,000 registered users, according to Europol.
French authorities did not name the suspect or specify whether extradition would follow. Ukrainian authorities have not publicly commented on the arrest.
This is one of the latest arrests targeting administrators and operators of cybercrime forums. In June, French authorities reportedly arrested several individuals suspected of running BreachForums, one of the world’s largest online marketplaces for stolen data.
Recent police actions against cybercrime operations have included takedowns of Cracked and Nulled, PopeyeTools, Incognito, Nemesis, Bohemia and Kingdom Market.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.