Administrator of Russian-Speaking XSS Cybercrime Forum Arrested in Ukraine

• What happened: The alleged admin of the notorious Russian-speaking crime forum XSS was arrested in Europe.
• Accusations: The suspect reportedly hosted and personally administered the platform, as well as operated a hackers’ messaging service.
• Illicit revenue: Advertising and arbitration fees alone generated an estimated amount of over €7 million for the individual.

The suspected administrator of the XSS.is hacker forum was arrested on July 22, 2025, by European authorities in Kyiv, Ukraine. The platform is one of the world’s most influential illicit trading platforms, a notorious Russian-speaking cybercrime marketplace for illegal services and stolen data.

The operation was spearheaded by the French Police and the Paris Prosecutor’s Office, supported by Europol’s cybercrime division.  

The XSS Role in Cybercrime  

The XSS.is forum, with a membership exceeding 50,000 registered users, has been a notorious hub for the stolen data marketplace, trafficking compromised credentials, hacking tools, and illegal services. 

The arrested administrator hosted the forum and personally facilitated transactions, resolved disputes among forum members, and operated “thesecure.biz,” a messaging service that catered to cybercriminals.  

The Russian-speaking platform had solidified its role as a central meeting point for some of the most notorious and active cybercriminal networks worldwide, facilitating cybercrime operations including ransomware attacks, identity theft, and financial fraud.  

Investigators estimate that the suspect earned over €7 million from advertising and arbitration fees alone, with some of the gains also stemming from ransomware-linked activities. 

Implications for Cybercrime  

This landmark Europol cybercrime operation is emblematic of law enforcement’s growing ability to dismantle illicit online infrastructures. The investigation, initiated by France in 2021, intensified in 2024 with targeted actions in Ukraine, culminating in this week’s arrest. 

Europol coordinated data collection, analysis, and international collaboration through a virtual command post and on-site mobile offices.  

The operation supports findings in Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA), which tackles how such marketplaces empower cybercriminals by providing access, anonymity, and trust mechanisms that sustain their operation, underscoring the escalating threat posed by stolen data platforms.

By dismantling this facilitator of criminal enterprises, agencies have disrupted operations pivotal to the global cybercrime ecosystem. In June, French Police disrupted the Breach Forums as the British cyber kingpin 'IntelBroker' was indicted, and the BlackDB cybercrime forum admin was arrested in Kosovo one month prior.