Police arrested the alleged admin of XSS.is, a major cybercrime forum whose trusted escrow service helped power the underground economy.
On 22 July 2025, French and Ukrainian police arrested a 38-year-old man in Kyiv and shut down XSS.is, the most influential Russian-language cybercrime forum of the past decade. Europol, which coordinated the operation under the name Ratatouille, said the forum had over 50,000 members and that the suspect had earned more than EUR 7 million acting as a trusted middleman for criminal deals. That last part matters more than it sounds.
XSS wasn’t just a message board. It was the wholesale layer of the intrusion economy, where malware authors, exploit sellers, spammers, and ransomware affiliates met to trade. The forum ran its own escrow and arbitration service, so two criminals who’d never met could complete a transaction without either getting cheated. That trust function, not any single product on offer, is what made XSS structurally important to the whole operation.
The lineage is long. DaMaGeLaB ran from 2004 to 2017, when its administrator was arrested. In 2018, a partial backup was relaunched as xss.is by an operator using the handle “Toha,” who’d been active in the Russian underground since at least 2005. The earliest registration timestamps in the leaked database trace back to November 2004. Europol assessed that the arrested suspect had spent nearly 20 years in cybercrime.
Europol didn’t name the suspect, citing the live investigation, but open-source researchers and the cybercrime community converged on Toha. KrebsOnSecurity pivoted through domain registration records linked to his historic email address and surfaced a Kyiv resident named Anton Medvedovskiy, born December 1987, whose age matches the arrested suspect. A separate claim from 2022, later amplified by LockBitSupp, pointed to a Russian named Anton Avdeev. That trail may have been deliberate misdirection.
The Ransomnews Research Team analyzed a leaked copy of the XSS XenForo database: 14,509 threads, 123,241 public messages, 7,706 registered accounts, and a private layer of 6,168 conversations. The language signal is clear. Across all message text, 62.2% of alphabetic characters are Cyrillic, and 53.6% of accounts registered with an email on a CIS-region domain. Russian webmail providers collectively outnumber Gmail. A minority used ProtonMail, which is routine operational security in this community.
“Mapping the 51 sections by message volume shows what the forum was actually for. Beyond the inevitable off-topic lounge and administration boards, the busiest trading sections are web-application vulnerabilities, malware, exploit kits and crypting, network and Wi-Fi vulnerabilities, and a dedicated access board (‘shells, FTP, roots, databases, SQL injection, RDPs’),” reads the report published by the Ransomnews Research Team. “One administrative thread title preserved in the dump, a complaint about spam from ‘thesecure.biz,’ is itself an artefact: thesecure.biz is the encrypted Jabber server Europol later said the arrested administrator operated.”

The busiest trading sections, by message volume, were web-application vulnerabilities, malware, exploit kits and crypting services, network and Wi-Fi vulnerabilities, and a dedicated access board for shells, FTP, roots, databases, SQL injection, and RDPs. Reducing the messages to keyword frequency tells the same story: stealer logs, FUD (fully undetectable) crypting, credit-card data, network access, exploits, and web shells. As the report puts it, “this is the raw material of ransomware intrusions, traded one layer upstream of the attack itself.”
Posting time is hard to fake, because it reflects when people are actually awake and working. The XSS data shows a textbook salaried-workday pattern. Activity climbs sharply from 06:00 UTC and peaks between 09:00 and 13:00 UTC, which is 12:00 to 16:00 in Moscow (UTC+3 year-round, no daylight-saving shift), the middle of the working day. Weekdays dominate, with Monday and Tuesday the busiest and a clear dip on weekends. The same research team found the same rhythm when it timed 16,699 ransomware leak-site posts.
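The timing analysis above is simple enough to reproduce. The following is an added example, not code from the article or from the Ransomnews report: it builds a histogram of post times per UTC hour and weekday, then asks which whole-hour UTC offset places the most posts inside a 09:00–18:00 local working day. The input is a constructed week of timestamps shaped like the pattern the article describes (climb from 06:00 UTC, peak 09:00–13:00 UTC, quiet weekends), not real XSS data, and the code assumes post times are UTC epochs, which is how XenForo's post_date column stores them. It generalizes the article's single observation into a scan over all candidate offsets.

```python
"""Infer a forum's working-hours timezone from post timestamps (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed per-hour post weights for one weekday; index = UTC hour.
# Shaped after the article's description, not taken from the XSS dump.
WEEKDAY_WEIGHTS = [1, 1, 0, 0, 0, 0, 6, 8, 11, 13, 13, 13,
                   13, 12, 8, 4, 3, 2, 2, 2, 2, 1, 1, 1]


def build_sample_posts():
    """One synthetic week starting Monday 2024-01-01; weekends get a third of the traffic."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    posts = []
    for day in range(7):
        for hour, weight in enumerate(WEEKDAY_WEIGHTS):
            reps = weight if day < 5 else weight // 3
            for i in range(reps):
                posts.append(start + timedelta(days=day, hours=hour, minutes=i))
    return posts


def hour_histogram(posts):
    """Posts per UTC hour (24 buckets)."""
    hist = [0] * 24
    for p in posts:
        hist[p.astimezone(timezone.utc).hour] += 1
    return hist


def weekday_histogram(posts):
    """Posts per weekday, Monday = 0."""
    hist = [0] * 7
    for p in posts:
        hist[p.astimezone(timezone.utc).weekday()] += 1
    return hist


def working_hours_score(hist, offset_hours, start=9, end=18):
    """Number of posts that land inside local start..end once UTC is shifted by offset_hours."""
    return sum(count for utc_hour, count in enumerate(hist)
               if start <= (utc_hour + offset_hours) % 24 < end)


def best_utc_offset(hist):
    """Whole-hour offset in -12..+14 that puts the most posts into a 09:00-18:00 local day."""
    return max(range(-12, 15), key=lambda off: working_hours_score(hist, off))


def peak_hours(hist, n=4):
    """The n busiest UTC hours, returned in ascending order."""
    return sorted(sorted(range(24), key=lambda h: -hist[h])[:n])


def weekday_weekend_ratio(wd_hist):
    """Average weekday volume divided by average weekend volume."""
    return (sum(wd_hist[:5]) / 5) / (sum(wd_hist[5:]) / 2)


if __name__ == "__main__":
    posts = build_sample_posts()
    hours = hour_histogram(posts)
    days = weekday_histogram(posts)
    print("peak UTC hours:", peak_hours(hours))
    print("best-fit UTC offset:", best_utc_offset(hours), "(Moscow is UTC+3 year-round)")
    print("weekday/weekend ratio: %.2f" % weekday_weekend_ratio(days))
```

Two caveats a practitioner should keep in mind: the scan only says which offset fits a nine-to-six day best, and UTC+2 and UTC+4 will score close behind, so report the margin, not just the winner; and members who route through VPNs do not change their posting hours, which is why this signal survives where IP geolocation does not.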
The access-log telemetry covers 19,192 events across 7,061 unique IP addresses in 79 countries. Russia is the largest single source of distinct accounts at 564, far ahead of any other country. The US and the Netherlands rank high by raw IP count, but those totals are dominated by VPN endpoints, hosting providers, and Tor exit relays.
“Russia is the largest single source of distinct accounts (564), far ahead of any other country. The United States and the Netherlands rank high by raw IP count, but those totals are dominated by VPN endpoints, hosting providers and Tor exit relays rather than residents,” continues the report. “Geolocating a security-conscious crime forum measures where members route traffic, not where they sleep; combined with the 62% Cyrillic text and Moscow working hours, the centre of gravity is clearly the Russian-speaking world.”
XSS sat at the very start of the attack chain, in what MITRE ATT&CK calls Resource Development and the supply side of Initial Access. Members didn’t run the ransomware. They sold the door in. Initial access brokers listed footholds into corporate networks as structured auctions, with a starting price, a bid increment, and a buy-it-now option. One documented listing had a USD 25,000 start and a USD 40,000 buy-it-now for access to a US manufacturer with USD 800 million in revenue. An affiliate buys that listing, runs the intrusion, and the broker never touches the ransomware.

Intel 471 recorded 4,878 access and credential sale listings from initial access brokers between June 2024 and May 2025, correlated 70 of them with victims later named on ransomware leak sites, and measured a median of roughly 19 days between an access listing and the victim appearing on a leak blog. That gap is the most operationally useful number in the whole report. It’s a detection window.
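The auction structure described above (start price, bid increment, buy-it-now, plus the victim's country, industry and revenue) is regular enough to parse, and the 19-day median turns a matching listing into a dated watch window. The following is an added example, not code from the article, Intel 471 or any forum: it parses a constructed "Key: value" listing format, matches listings against an organisation's own profile, and computes how many days of the median lag remain. The listing layout, the four sample listings and the profile are hypothetical; real listings are free text, often in Russian, and need a looser parser. The revenue band is a design choice (brokers quote rounded figures from public sources), and the 19 days is a median, not a deadline.

```python
"""Parse initial-access-broker auction listings and triage them against an org profile (added example)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Median listing-to-leak-site lag the article attributes to Intel 471.
MEDIAN_LAG_DAYS = 19

# Constructed listings in a hypothetical "Key: value" pipe-separated layout.
SAMPLE_LISTINGS = [
    "2025-03-02 | Country: USA | Industry: Manufacturing | Revenue: $800M | "
    "Access: RDP, domain user | Start: $25,000 | Step: $1,000 | Blitz: $40,000",
    "2025-03-04 | Country: USA | Industry: Manufacturing | Revenue: $2B | "
    "Access: VPN, local admin | Start: $10,000 | Step: $500 | Blitz: $20,000",
    "2025-03-05 | Country: DEU | Industry: Manufacturing | Revenue: $800M | "
    "Access: Citrix | Start: $5,000 | Step: $500 | Blitz: $9,000",
    "2025-03-06 | Country: USA | Industry: Healthcare | Revenue: $750M | "
    "Access: RDP, domain admin | Start: $15,000 | Step: $1,000 | Blitz: $30,000",
]

_MONEY = re.compile(r"\$\s*([\d,]+)")
_REVENUE = re.compile(r"\$\s*([\d.]+)\s*([MB])\b", re.IGNORECASE)


@dataclass(frozen=True)
class Listing:
    posted: date
    country: str
    industry: str
    revenue_musd: float
    access: str
    start_usd: int
    step_usd: int
    blitz_usd: int


def parse_money(text):
    """'$25,000' -> 25000."""
    m = _MONEY.search(text)
    if not m:
        raise ValueError(f"no dollar amount in {text!r}")
    return int(m.group(1).replace(",", ""))


def parse_revenue_musd(text):
    """'$800M' -> 800.0, '$2B' -> 2000.0 (millions of USD)."""
    m = _REVENUE.search(text)
    if not m:
        raise ValueError(f"no revenue figure in {text!r}")
    value = float(m.group(1))
    return value * 1000 if m.group(2).upper() == "B" else value


def parse_listing(line):
    """First field is the ISO date; the rest are 'Key: value' pairs."""
    fields = [f.strip() for f in line.split("|")]
    kv = {}
    for field in fields[1:]:
        key, _, value = field.partition(":")
        kv[key.strip().lower()] = value.strip()
    return Listing(
        posted=date.fromisoformat(fields[0]),
        country=kv["country"],
        industry=kv["industry"],
        revenue_musd=parse_revenue_musd(kv["revenue"]),
        access=kv["access"],
        start_usd=parse_money(kv["start"]),
        step_usd=parse_money(kv["step"]),
        blitz_usd=parse_money(kv["blitz"]),
    )


def matches_profile(listing, profile, revenue_tolerance=0.25):
    """Country and industry must match exactly; revenue within a band, since brokers round."""
    if listing.country.lower() != profile["country"].lower():
        return False
    if listing.industry.lower() != profile["industry"].lower():
        return False
    low = profile["revenue_musd"] * (1 - revenue_tolerance)
    high = profile["revenue_musd"] * (1 + revenue_tolerance)
    return low <= listing.revenue_musd <= high


def triage(listings, profile, today):
    """Matching listings with the date by which a leak-site post has typically followed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for listing in listings:
        if not matches_profile(listing, profile):
            continue
        watch_until = listing.posted + timedelta(days=MEDIAN_LAG_DAYS)
        hits.append({
            "posted": listing.posted.isoformat(),
            "access": listing.access,
            "blitz_usd": listing.blitz_usd,
            "watch_until": watch_until.isoformat(),
            "days_left": (watch_until - today).days,
        })
    return hits


if __name__ == "__main__":
    profile = {"country": "USA", "industry": "Manufacturing", "revenue_musd": 800}
    for hit in triage([parse_listing(l) for l in SAMPLE_LISTINGS], profile, "2025-03-10"):
        print(hit)
```

A hit is a trigger for the actions at the end of the article (hunt for the named access type, rotate the relevant credentials, watch the leak-site feed), not proof that the listing is your network; several firms in the same country, sector and revenue band will match the same advert.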
On 13 May 2021, days after the DarkSide attack on Colonial Pipeline, the XSS administrator banned all ransomware activity and deleted existing ransomware threads. Exploit and RaidForums followed within hours. This was widely read as forums cleaning up their act.
The data tells a different story.
“Within hours Exploit and RaidForums followed. The move is often described as forums ‘turning against’ ransomware. The data-aware reading is narrower: the ban removed the loud, branded affiliate-recruitment threads that attracted Western law enforcement, while the quieter and more valuable access trade that actually feeds ransomware carried on,” states the report. “It was reputation management, not a change of business.”
Operation Ratatouille was led by French Police and JUNALCO, working with Ukraine’s National Police and SBU. The investigation opened in July 2021 and ran four years before the arrest. Officers seized the thesecure.biz Jabber server in addition to the forum itself. That’s the part the underground feared most.
XSS reappeared on a new Tor address within days, but with all moderators dismissed, member balances zeroed, and returning users asked to pay a fresh deposit. Few trusted it. KELA tracked a splinter called “DamageLib” emerging from the disruption. Intel 471 framed the aftermath as a loss of trust rather than a loss of infrastructure, with access-broker activity shifting toward RAMP and DarkForums.
The forensic exposure is the lasting problem. One Exploit forum member summed it up in a thread about the arrest: investigators now hold two years of Jabber server logs, a full backup and the forum database, material that can link nicknames, emails, password hashes, Jabber IDs, IP addresses, and writing style into ready-made dossiers. For a marketplace whose entire value was a trusted middleman holding everyone’s secrets, that’s the more durable damage.
What defenders can do with 19 days
The takedown removes a hub, not the economy. Access brokering and exploit sales migrate faster than any single arrest can suppress. The practical response is early and intelligence-led: monitor initial-access-broker chatter for your sector and named assets, watch for your organization’s credentials surfacing in stealer logs, and track leak-site activity on a live victim feed. Close or tightly restrict internet-exposed RDP and VPN services, enforce phishing-resistant MFA, and rotate any credentials that appear in breach or stealer-log data. The seizure of XSS is a real win. The market it served is still open.
(SecurityAffairs – hacking, XSS.is)