The alleged administrator of the Russian-speaking hack forum XSS[.]is was arrested by Ukrainian authorities at the request of the Paris Prosecutor’s Office. Shortly thereafter, the site was shut down by law enforcement agencies.
XSS — a Russian-speaking hacker forum that has been operational since 2013, boasting around 50,000 registered users and considered one of the main hubs for cybercriminal activities. Law enforcement officers report that XSS was used to sell and advertise malicious software, access to hacked systems, promote RaaS platforms, and more.
French authorities announced that the investigation into the activities of XSS began about four years ago and uncovered activities related to extortion and other cybercrimes that generated multi-million profits for the perpetrators.
It is worth noting that in May 2021, a ban was introduced on any topics related to ransomware on XSS.
“The investigation, initiated on July 2, 2021, by the Paris Public Prosecutor’s Office’s Cybercrime Unit and assigned to the Cybercrime Department of the Judicial Police of the Paris Prefecture, led to a court-authorized interception of messages from the Jabber server thesecure[.]biz,” stated the French authorities. “The intercepted messages revealed numerous instances of illegal activities related to cybercrime and extortion. It was determined that these actions generated a profit of no less than 7 million USD for the criminals.”
Law enforcement officials clarified that they managed to compromise the server thesecure[.]biz to be able to monitor the users’ communications.
Intercepted messages led to the initiation of an investigation that began on November 9, 2021, on the facts of complicity in attacks on information systems, extortion, and participation in a criminal conspiracy.
During the second phase of message interception, the identity of the alleged forum administrator was established. As a result, this week the suspect, whose name has not been disclosed, was apprehended by Ukrainian authorities in the presence of French police and with the assistance of Europol.
“The administrator of the forum was not only its technical operator. It is also assumed that he played a central role in facilitating criminal activities,” states the Europol announcement. “Acting as a trusted third party, he resolved disputes between criminals and ensured the security of transactions. Additionally, he is suspected of managing thesecure[.]biz, a private messaging service tailored to the needs of the cybercriminal underground. The investigation believes that he has been active in the cybercriminal ecosystem for nearly 20 years and maintained close ties with several major figures in the cybercriminal community.”
On July 23, 2025, members of the XSS forum suspected that the site might have been seized by law enforcement authorities. Shortly thereafter, the resource was indeed taken offline, and a notice appeared on the site informing visitors about the domain’s confiscation.
Considering that law enforcement officials may have gained access to the forum’s backend and arrested its alleged administrator, it is quite likely that they now have evidence against other participants of XSS, which could lead to further arrests in the future.