Kyiv detains hacker who ran one of the world's largest forums for cybercriminals

By: Viktor Tsyrfa | 25.07.2025, 00:37

The arrest ended a multi-year investigation conducted by Parisian law enforcement officers together with Ukrainian and European human rights activists.

On 22 July 2025, a person suspected of administering the XSS.is forum, a Russian-language platform for cybercriminals with more than 50,000 registered users, was detained in Kyiv. The forum was one of the world's largest platforms for communication between criminals.

What we know about XSS.is and the suspect

XSS.is, created in 2013, was an important marketplace for the sale of stolen data, hacking tools, access to other people's systems and ransomware services.

The hackers controlled the encrypted XMPP (Jabber) messaging service thesecure.biz, and by intercepting messages from it, law enforcement officers were able to accurately identify the offender.

It is known that the offender was not only involved in administering the forum, but also earned money from arbitration and conflict resolution. Investigators believe that he had been involved in hacking for at least twenty years and had close ties to the industry.

According to the investigation, the attacker earned more than 7 million euros (≈ $8.2 million) from this activity.

Interestingly, the forum was subject to some form of censorship. For example, since May 2021, all threads advertising and discussing ransomware have been banned from the forum.

XSS.is no longer works, and the site now displays the following notice. Illustration: bleepingcomputer.com

How the investigation went

The operation has been under way since November 2021 and was launched by the Paris prosecutor's office with the participation of Ukrainian and French law enforcement agencies and Europol. In September 2024, the investigation moved to the operational phase in Ukraine. At that time, a mobile Europol office was deployed in Ukraine to ensure close cooperation between the French and Ukrainian parties.

The XSS.is domain was confiscated jointly by law enforcement agencies. According to official statements, they gained access to the server's database, which means that law enforcement officers obtained personal data and the correspondence history of many other criminals.