
The alleged administrator of the Russian-speaking hacking forum XSS[.]is was arrested by Ukrainian authorities at the request of the Paris Prosecutor’s Office. Shortly thereafter, the site was shut down by law enforcement agencies.
XSS is a Russian-speaking hacker forum that has been operational since 2013. It boasts around 50,000 registered users and is considered one of the main hubs for cybercriminal activities. Law enforcement officers report that XSS was used to sell and advertise malicious software and access to hacked systems, to promote RaaS platforms, and more.
French authorities announced that the investigation into the activities of XSS began about four years ago and uncovered activities related to extortion and other cybercrimes that generated multi-million profits for the perpetrators.
It is worth noting that in May 2021, XSS introduced a ban on all topics related to ransomware.
“The investigation, initiated on July 2, 2021, by the Paris Public Prosecutor’s Office’s Cybercrime Unit and assigned to the Cybercrime Department of the Judicial Police of the Paris Prefecture, led to a court-authorized interception of messages from the Jabber server thesecure[.]biz,” stated the French authorities. “The intercepted messages revealed numerous instances of illegal activities related to cybercrime and extortion. It was determined that these actions generated a profit of no less than 7 million USD for the criminals.”
Law enforcement officials clarified that they managed to compromise the thesecure[.]biz server in order to monitor its users’ communications.
The intercepted messages led to an investigation, opened on November 9, 2021, into complicity in attacks on information systems, extortion, and participation in a criminal conspiracy.
During the second phase of message interception, the identity of the alleged forum administrator was established. As a result, this week the suspect, whose name has not been disclosed, was apprehended by Ukrainian authorities in the presence of French police and with the assistance of Europol.
“The administrator of the forum was not only its technical operator. It is also assumed that he played a central role in facilitating criminal activities,” states the Europol announcement. “Acting as a trusted third party, he resolved disputes between criminals and ensured the security of transactions. Additionally, he is suspected of managing thesecure[.]biz, a private messaging service tailored to the needs of the cybercriminal underground. The investigation believes that he has been active in the cybercriminal ecosystem for nearly 20 years and maintained close ties with several major figures in the cybercriminal community.”
On July 23, 2025, members of the XSS forum suspected that the site might have been seized by law enforcement authorities. Shortly thereafter, the resource was indeed taken offline, and a notice appeared on the site informing visitors about the domain’s confiscation.
Considering that law enforcement officials may have gained access to the forum’s backend and arrested its alleged administrator, it is quite likely that they now have evidence against other participants of XSS, which could lead to further arrests in the future.
