Key Administrator of World’s Most Popular Dark Web Cybercrime Platform Arrested
An investigation led by the French Police and Paris Prosecutor, in close cooperation with their Ukrainian counterparts and Europol, has resulted in the arrest of the suspected administrator of xss[.]is, one of the world’s most influential Russian-speaking cybercrime platforms.
The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools, and illicit services. It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise, and recruit.
The arrest took place in Kyiv, Ukraine, on July 22, as part of a series of coordinated enforcement actions aimed at gathering evidence and dismantling the criminal infrastructure.
Forum Admins Made Millions
The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity. Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions.
He is also believed to have run thesecure[.]biz, a private messaging service tailored to the needs of the cybercriminal underground.
Through these services, the suspect is thought to have made over EUR 7 million in advertising and facilitation fees. Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years.
The investigation was initiated by the French Police in 2021. In September 2024, the case moved into the operational phase in Ukraine, where French police investigators were deployed on the ground, supported by Europol through the establishment of a virtual command post.
French authorities obtained judicial authorization to monitor a Jabber server operated by the suspect, revealing extensive criminal communications that exposed ransomware attacks and other cybercrime activities generating at least EUR 7 million in illicit profits.
The breakthrough came through intercepted messages on the thesecure.biz server, which accompanied the XSS forum to facilitate anonymous exchanges between cybercriminals. These interceptions revealed the suspect’s alleged links to numerous ransomware operations and other cybercrime activities.
Europol provided essential operational and analytical support throughout the investigation, facilitating information exchange and coordination between French Police and Ukrainian authorities.
The agency also assisted in mapping the cybercriminal infrastructure and linking the suspect to other major threat actors.
During this week’s enforcement actions in Kyiv, a Europol mobile office was deployed to support French and Ukrainian teams with on-site coordination and evidence collection. The seized data will now be analyzed to support ongoing investigations across Europe and beyond.
This operation aligns closely with findings from Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA), which highlights the booming black market for stolen data as a critical driver of the cybercrime economy.
The IOCTA reveals how such marketplaces empower cybercriminals by providing access, anonymity, and trust mechanisms that sustain their operations.
The following authorities participated in the investigation: France’s Paris Prosecutor (Parquet de Paris – JUNALCO), French Police – Paris Police Prefecture, Ukraine’s General Prosecutor’s Office, and the Security Service of Ukraine’s Cybercrime Department.
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now
Source link
