Kyiv, Ukraine – 22 July 2025: A high-profile administrator behind one of the most influential Russian-speaking cybercrime forums, xss.is, was arrested in a coordinated law enforcement action in Ukraine. The arrest marks a significant disruption in the global cybercrime ecosystem and highlights increased international efforts to dismantle transnational criminal infrastructure.
On 22 July 2025, Ukrainian law enforcement, with on-the-ground support from French police and Europol, apprehended the suspected administrator of xss.is in Kyiv. The forum had more than 50,000 registered users and served as a major underground marketplace for stolen data, hacking tools, and illicit services.
The suspect is believed to have:
- Arbitrated transactions between cybercriminals,
- Operated thesecure.biz, an encrypted messaging service for underground actors,
- Earned over €7 million in facilitation and advertising fees.
Europol stated the suspect was “deeply embedded” in criminal networks for nearly two decades, playing a central role in maintaining trust and operational security among illicit actors.
Two Decades in the Dark Web Shadows
The investigation into the forum began in 2021 under the initiative of the French Police (Brigade de lutte contre la cybercriminalité) and the Paris Prosecutor (JUNALCO). In September 2024, the operation entered its tactical phase in Ukraine.
French police deployed investigators on the ground, and Europol established a virtual command post to streamline intelligence sharing and coordination.
Europol’s Role
Europol provided:
- Operational support, including a mobile office in Kyiv during raids,
- Analytical tools to map and link criminal infrastructure,
- Intelligence liaison between French and Ukrainian forces.
During the arrest, law enforcement seized substantial digital evidence, which Europol says will “fuel ongoing investigations” across Europe and beyond.
Cybercrime Infrastructure Disrupted
According to Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA) report (published May 2025), forums like xss.is serve as “critical enablers” of criminal activity. These platforms:
- Facilitate the monetisation of stolen data,
- Serve as launchpads for ransomware, phishing, and identity theft,
- Provide anonymity and dispute resolution mechanisms that make cybercrime scalable.
“This is a milestone takedown. xss.is was more than just a forum—it was infrastructure,” said a Europol spokesperson on 24 July 2025.
“The administrator’s arrest is a major blow to Russian-speaking cybercriminal circles. It sends a strong signal that nowhere is safe,” added a senior analyst at France’s Police Nationale.
Actionable Takeaways for Security Leaders
- Update threat intelligence feeds to monitor fallout from the xss.is takedown.
- Reevaluate controls around dark web data monitoring and incident response readiness.
- Track emerging forums attempting to fill the void left by xss.is.
- Conduct internal audits of systems that may have sourced tools or data from forums like xss.is.
- Enhance training and awareness programs for SOC teams on cybercrime-enabled TTPs.
- Monitor regional indicators of cybercriminal displacement following the Ukraine arrests.
- Ensure GDPR/CCPA compliance in case customer data is found on seized platforms.
- Collaborate with global partners for cross-border incident investigation and response.
Conclusion
The arrest of the xss.is administrator marks a turning point in the fight against Russian-speaking cybercriminal syndicates. Backed by years of intelligence work and operational coordination between France, Ukraine, and Europol, this enforcement action underscores the growing reach and efficiency of international cybercrime crackdowns. While new forums may soon emerge, the dismantling of xss.is shows law enforcement’s increasing ability to pierce the veil of darknet anonymity.