XSS Forum Takedown Results in Cybercriminal Migration to DamageLib, Study Says
Published
- XSS takedown: Studies suggest threat actors are taking interest in new dark web forum DamageLib following the XSS admin arrest.
- Migration: Forum users were suspicious of the appointment of new, low-reputation moderators and sought alternatives.
- DamageLib popularity: Right from the start, the forum attracted approximately 66% of the XSS user base.
The recent XSS forum takedown and arrest of its alleged administrator have created a significant power vacuum within the Russian-language cybercrime ecosystem, leading to a mass cybercriminal migration to a new platform known as DamageLib, the latest Kela report says.
XSS Admin Arrest and Forum Instability
On July 22, 2025, Ukrainian authorities, supported by Europol, arrested a 38-year-old individual believed to be "Toha," the long-standing administrator of the XSS forum. This action immediately sowed widespread distrust among the forum's nearly 51,000 members.Â
The research says that while the onion version of XSS remained online, speculation mounted that it had become a law enforcement honeypot, a fear compounded by the appointment of new, low-reputation moderators.
The subsequent confusion and fear drove a significant portion of the user base to seek alternatives, Kela says, adding that the new administration's handling of nearly $6 million in contested user deposits further eroded trust, prompting former XSS moderators to launch a new competing platform.
The Emergence of DamageLib Cybercrime Forum
In the wake of the turmoil, the DamageLib cybercrime forum quickly emerged as the primary successor, according to the analysis. Created by former XSS moderators, DamageLib has reportedly positioned itself as a more secure alternative, operating exclusively on the Tor network.Â
Kela highlights that within its first month, the forum attracted over 33,000 users, representing approximately 66% of the XSS user base.
Despite this rapid user influx, engagement on DamageLib remains low compared to XSS's peak activity. Researchers say this suggests that while users are registering on the new platform, a sense of caution persists throughout the underground community.Â
The report concludes that events surrounding the XSS seizure and the rise of DamageLib demonstrate the fluid nature of dark web forums, where trust is paramount and allegiances can shift overnight in response to perceived law enforcement threats.
In June, French authorities disrupted the Breach Forums, while the BlackDB cybercrime forum admin was arrested in Kosovo in May.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular