More details have emerged on the arrest of an alleged XSS.is administrator by Ukrainian cyber police. The seizure notice has now appeared on the .onion version of the forum, and threads have been totally removed. As of the time of this update, and while the forum could still be updated before the seizure notice replaced it all, forum moderators had not issued any statement or confirmation.
As seen on Europol:
A long-running investigation led by the French Police and Paris Prosecutor, in close cooperation with their Ukrainian counterpart and Europol, has led to the arrest of the suspected administrator of xss.is, one of the world’s most influential Russian-speaking cybercrime platforms.
The forum, which had more than 50 000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services. It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.
The arrest took place in Kyiv, Ukraine, on 22 July, as part of a series of coordinated enforcement actions aimed at gathering evidence and dismantling the criminal infrastructure.
Suspect made millions facilitating cybercrime
The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity. Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions. He is also believed to have run thesecure.biz, a private messaging service tailored to the needs of the cybercriminal underground.
Through these services, the suspect is thought to have made over EUR 7 million in advertising and facilitation fees. Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years.
Operational phase
The investigation was initiated by the French Police in 2021. In September 2024, the case moved into the operational phase in Ukraine, where French police investigators were deployed on the ground, supported by Europol through the establishment of a virtual command post.
It was followed by another action this week, which saw the arrest of the main suspect in Kyiv, Ukraine.
Europol support
Europol provided essential operational and analytical support throughout the investigation, facilitating information exchange and coordination between the French Police and Ukrainian authorities.
Europol also assisted in mapping the cybercriminal infrastructure and linking the suspect to other major threat actors. This collaborative approach ensured a swift, targeted response to dismantle the criminal platform and disrupt the illicit activities facilitated through the forum.
During this week’s enforcement actions in Kyiv, a Europol mobile office was deployed to support French and Ukrainian teams with on-site coordination and evidence collection. The seized data will now be analysed to support ongoing investigations across Europe and beyond.
IOCTA 2025 report underscores the threat from stolen data marketplaces
This operation aligns closely with findings from Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA), which highlights the booming black market for stolen data as a critical driver of the cybercrime economy.
Platforms like xss.is enabled the trade and monetisation of compromised data, hacking tools, and illicit services that fuel a wide range of criminal activities – from ransomware and fraud to identity theft and extortion.
The IOCTA reveals how such marketplaces empower cybercriminals by providing access, anonymity and trust mechanisms that sustain their operation.
The following authorities took part in the investigation:
-
France: Paris Prosecutor (Parquet de Paris – JUNALCO), French Police – Paris Police Prefecture (Police française – Préfecture de Police de Paris – Brigade de lutte contre la cybercriminalité)
-
Ukraine: General Prosecutor’s Office of Ukraine (Офіс Генерального Прокурора України), Security Service of Ukraine – Cybercrime Department (Служба безпеки України – Кібердепартамент)