4-Yrs Long Investigation Leads To Arrest Of XSS Forum Admin

After a four-year long manhunt for the operators of one of the most popular and longest running Russian-speaking cybercrime forum – XSS, authorities finally broke through this Tuesday, with an arrest of one of its alleged administrators in Ukraine. The forum was popular among cybercriminals for the sale of various malware codes, access to compromised systems, stolen data, and ransomware-related services.

The investigation into the forum’s operations began in July 2021 when one of the encrypted Jabber messaging server – thesecure[.]biz – first came under the French law enforcement’s scanner. This jabber server was used by XSS forum for anonymous messaging between users registered on its platform.
“The intercepted messages revealed numerous illicit cybercrime and ransomware activities, and established that they had generated at least $7 million in profit,” the Public Prosecutor’s Office in Paris said.

Along with the XSS forum, the suspect is also believed to have run thesecure[.]biz jabber server service.

Europol coordinated the operation between the French and Ukrainian authorities and revealed that the arrested individual was not only a technical administrator but also acted as a trusted third-party arbitrator to settle disputes between cybercriminals and guaranteed secure transactions.

Investigations suggested the suspect has been active in the underground ecosystem for nearly two decades, and has had links to several major threat actors over the years. He also likely made millions through advertising and facilitation fees.

About XSS Forum’s Cybercriminal Link

The XSS forum has been active since 2013 and had around 50,000 registered users. It was formerly known as “DaMaGeLaB” which became operational in 2004, as per researchers at Searchlight Cyber. The forum was likely rebranded from DaMaGeLaB to XSS, as one of its administrators who was also involved in the operation of the Andromeda botnet, was arrested a year before.

XSS forum looked like any other professional platform with well defined sections on hacking, corporate access, database leaks, and even competitive intelligence, researchers said. The forum had previously also acted as a recruitment and PR tool for Ransomware-as-a-Service (RaaS) providers. However, researchers say such content was “banned” time and again to not attract unwanted attention from law enforcement.

The forum also trialled an “XSSBot“ in 2023. Researchers suspect the chatbot was powered by ChatGPT and users could potentially ask for details such as information about different malware strains, tips on code obfuscation, etc.

The latest arrest is a part of a broader crackdown on cybercrime ecosystems in Europe. Last month, the French authorities arrested the alleged administrator, known under the moniker “IntelBroker,” of another prolific underground marketplace the BreachForums. The French police arrested four other individuals mostly in their twenties, who they said were complicit in handling the forum’s operations.

Related