Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform.
The arrest, which took place in Kyiv, Ukraine, on July 222, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the French Police in July 2021.
Coupled with the arrest, law enforcement has also taken control of the clearnet domain of XSS.is, greeting visitors with a seizure notice, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance of the SBU Cyber Department.”
“The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services,” the law enforcement agency said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.”
The forum’s administrator, besides engaging in the technical operations of the service, is said to have enabled criminal activity by acting as a trusted third-party to arbitrate disputes between criminals and guarantee the security of transactions.
The unnamed individual is also believed to have run thesecure.biz, a private messaging platform specially built to cater to the needs of cybercriminals. Through these illicit ventures, the suspect is estimated to have made €7 million ($8.24 million) in profits from advertising and facilitation fees.
“Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years,” Europol added.
According to the Paris Prosecutor, XSS.is has been active since 2013, acting as a hub for all this cybercrime, ranging from access to compromised systems and ransomware-related services. It also offered an encrypted Jabber messaging server that let cybercriminals communicate anonymously.
XSS.is, along with Exploit, has served as the backbone of the Russian-speaking cybercriminal ecosystem, with the threat actors on these forums primarily singling out non-Russian-speaking countries. Data shared by KELA shows that XSS currently has 48,750 registered users and more than 110,000 threads.
“To facilitate illicit transactions, the forum has a built-in reputation system,” KELA said. “Members can use a forum-appointed escrow service to ensure that deals are completed without scams, as well as add a deposit, contributing to their reputation.”
The development comes a week after a Europol-led operation disrupted the online infrastructure associated with a pro-Russian hacktivist group known as NoName057(16) and the arrest of two people for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies using a volunteer-driven Go-based tool called DDoSia.
Recorded Future’s Insikt Group, in a report published this week, said the group targeted 3,776 unique hosts between July 1, 2024, and July 14, 2025, primarily government, public-sector, transportation, technology, media, and financial entities in European nations opposing Russia’s invasion of Ukraine.
Ukrainian organizations accounted for the largest share of targets (29.47%), followed by France (6.09%), Italy (5.39%), Sweden (5.29%), Germany (4.60%), Israel (4.50%), Czechia (4%), Poland (4%), and the United Kingdom (3.30%). The United States is a notable exclusion, despite its support for Ukraine.
An extensive analysis of NoName057(16)’s infrastructure has laid bare a resilient, multi-tiered architecture consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to limit upstream access and maintain reliable C2 functionality. As many as 275 unique Tier 1 have been identified during the time period.
“The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine,” the Mastercard-owned cybersecurity company said.
“NoName057(16) uses a mixture of network and application-layer DDoS attacks, selecting methods designed to overwhelm server resources and disrupt availability. The threat group’s attack methodology is straightforward yet effective, prioritizing high-volume floods and resource exhaustion techniques.”
