XSS forum: from DaMaGeLaB to the 2025 takedown

By Ransomnews Research Team, June 29, 2026 (updated June 30, 2026)

The fall of XSS: Operation Ratatouille and 21 years of DaMaGeLaB, Ransomnews investigation cover

XSS.is, the most influential Russian-language cybercrime forum of the past decade and the direct heir to the legacy board DaMaGeLaB, lost its administrator on 22 July 2025 when French and Ukrainian police arrested a 38-year-old man in Kyiv. Europol, which coordinated Operation Ratatouille, said the forum had more than 50,000 members and that the suspect earned over EUR 7 million arbitrating deals between criminals. The Ransomnews Research Team analysed a leaked copy of the forum database, 123,241 messages across 51 trading sections, to show exactly how the marketplace worked and where it sat in the ransomware kill chain.

This is a data-led profile, not a rewrite of the press release. Every figure attributed to “the leaked dataset” below comes from our own analysis of a XenForo database backup of the forum. We redacted all individual IP addresses, usernames, emails and password hashes, and publish only aggregates. The public-record facts about the arrest are attributed to Europol, Ukraine’s SBU, and the named reporting in the sources. Where attribution is contested, we say so.

XSS in numbers: a mature marketplace, by the numbers

Registered users: 7,706
Forum threads: 14,509
Public messages: 123,241
IP log records: 19,192
Unique IP addresses (redacted): 7,061
Private conversations: 6,168
Private messages: 6,776
Trading sections: 51
Source countries: 79
Cyrillic share of message text: 62.2%
RaaS crews named by SBU: 4 (REvil, LockBit, Conti, Qilin)
Lineage: 2004 → 2025
These numbers describe a mature, structured marketplace, not a loose collection of opportunists. Ransomnews analysis of the leaked XSS database; individual IPs redacted.

What was the XSS forum, and why did it matter?

XSS was a Russian-language cybercrime forum that operated as the wholesale layer of the intrusion economy. It was where malware authors, exploit sellers, initial access brokers, spammers and ransomware affiliates met to trade. Members bought and sold zero-day exploits, malware source code, compromised corporate access, and stealer logs. Crucially, the forum itself acted as a trusted third party: it ran escrow (“garant”) and arbitration so two criminals who had never met could complete a deal without either getting cheated. That trust function, not any single product, is what made XSS structurally important to the whole ecosystem.

The lineage runs through two decades of the Russian underground. DaMaGeLaB operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018 a partial backup of DaMaGeLaB was relaunched as xss.is by an operator using the handle “Toha,” who had earlier founded the Hack-All forum in 2005 and rebuilt it as Exploit.in in 2006. The earliest registration timestamps in the leaked database resolve to November 2004, consistent with that DaMaGeLaB origin.

Timeline from DaMaGeLaB 2004 to the XSS forum takedown in 2025, Ransomnews

Inside the database: what 123,241 messages reveal

The leaked backup contains 14,509 discussion threads, 123,241 public messages, 7,706 registered accounts, and a private layer of 6,168 conversations holding 6,776 messages. The language signal is unambiguous: across all message bodies, 62.2% of the alphabetic characters are Cyrillic, and 53.6% of accounts registered with an email on a CIS-region domain (.ru, .su, .by, .ua, .kz). Russian webmail providers (mail.ru, yandex.ru, bk.ru, rambler.ru) together outnumber Gmail. A minority used ProtonMail, the routine operational-security choice in this community.

Mapping the 51 sections by message volume shows what the forum was actually for. Beyond the inevitable off-topic lounge and administration boards, the busiest trading sections are web-application vulnerabilities, malware, exploit kits and crypting, network and Wi-Fi vulnerabilities, and a dedicated access board (“shells, FTP, roots, databases, SQL injection, RDPs”). One administrative thread title preserved in the dump, a complaint about spam from “thesecure.biz,” is itself an artefact: thesecure.biz is the encrypted Jabber server Europol later said the arrested administrator operated.

What the XSS forum traded by section message volume, Ransomnews analysis

Reducing the messages to a keyword frequency map gives a second view of demand. The most-discussed commodities are stealer logs, crypting and FUD services (making malware undetectable), credit-card data, network access, exploits and web shells. This is the raw material of ransomware intrusions, traded one layer upstream of the attack itself.

Commodities traded on XSS by keyword frequency across 123,241 messages, Ransomnews

The forum kept Moscow office hours

Posting time is one of the hardest signals for an operator to fake, because it reflects when people are actually awake and working. The XSS data shows a textbook salaried-workday curve. Activity is low overnight, climbs sharply from 06:00 UTC, and peaks between 09:00 and 13:00 UTC. That window is the middle of the working day in Moscow (UTC+3). Weekdays dominate, with Monday and Tuesday the busiest and a clear weekend dip. This is the rhythm of a daytime, business-hours operation rather than a scattered global hobbyist crowd, and it lines up with the same pattern Ransomnews found when it timed 16,699 ransomware leak-site posts.
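The posting-rhythm analysis described above, as an added example written for this article rather than the Ransomnews team's own tooling: it builds the UTC hour and weekday histograms from post timestamps, finds the busiest four-hour block, converts it to Moscow wall-clock time (a fixed UTC+3 offset, as stated above), and measures the weekend dip. The timestamps are constructed to have the shape the article reports; they are not real forum data.

```python
"""Working-hours profile of a forum from UTC post timestamps.

Added example, not code from the Ransomnews article. The timestamps are
constructed (weekday peak 09:00-13:00 UTC, quiet nights and weekends).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

MOSCOW = timezone(timedelta(hours=3))  # article: Moscow is UTC+3, no DST


def build_sample():
    """Constructed posts: two weeks, busiest 09-13 UTC, weekends at a third."""
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)  # a Monday
    stamps = []
    for day in range(14):
        d = start + timedelta(days=day)
        for hour in range(24):
            n = 6 if 9 <= hour < 13 else 3 if 6 <= hour < 18 else 1
            if d.weekday() >= 5:  # weekend dip
                n = max(1, n // 3)
            stamps += [d.replace(hour=hour, minute=15)] * n
    return stamps


def hour_histogram(stamps):
    """Posts per UTC hour (list of 24 counts)."""
    c = Counter(s.astimezone(timezone.utc).hour for s in stamps)
    return [c.get(h, 0) for h in range(24)]


def weekday_histogram(stamps):
    """Posts per weekday, Monday=0 (list of 7 counts)."""
    c = Counter(s.weekday() for s in stamps)
    return [c.get(d, 0) for d in range(7)]


def peak_window(hist, width=4):
    """(start, end) UTC hours of the busiest `width`-hour block, wrapping at midnight."""
    start = max(range(24), key=lambda h: sum(hist[(h + i) % 24] for i in range(width)))
    return start, (start + width) % 24


def weekend_ratio(week_hist):
    """Average posts per weekend day divided by average posts per weekday."""
    return (sum(week_hist[5:]) / 2) / (sum(week_hist[:5]) / 5)


def to_local(hour_utc, tz=MOSCOW):
    """Wall-clock hour in `tz` for a given UTC hour (fixed-offset zone)."""
    return datetime(2024, 1, 1, hour_utc, tzinfo=timezone.utc).astimezone(tz).hour


def profile(stamps, tz=MOSCOW):
    """The three signals the article reads: peak block, its local time, weekend dip."""
    hist = hour_histogram(stamps)
    start, end = peak_window(hist)
    return {
        "peak_utc": (start, end),
        "peak_local": (to_local(start, tz), to_local(end, tz)),
        "weekend_ratio": round(weekend_ratio(weekday_histogram(stamps)), 2),
        "night_share": round(sum(hist[0:6]) / sum(hist), 3),  # posts 00-06 UTC
    }
```

On the constructed sample the peak block is 09:00-13:00 UTC, which is 12:00-16:00 in Moscow; a real dataset needs the same histogram read against corroborating signals (language, email domains), since a 09:00 UTC peak alone does not pin down one time zone.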

XSS forum posting activity by hour showing Moscow office hours, Ransomnews

Who was who: the real actors behind XSS

Europol did not name the man arrested in Kyiv, citing the live investigation, but the cybercrime community and open-source investigators converged on the handle “Toha,” the longtime administrator of XSS and several predecessor forums. According to KrebsOnSecurity, Toha was a founding member of Hack-All in 2005, rebranded it as Exploit.in in 2006, and sold Exploit in 2018, the same year DaMaGeLaB was reincarnated as XSS under his control. Europol assessed the suspect had spent nearly 20 years in cybercrime, which fits.

Identity attribution remains genuinely contested. A 2022 deanonymisation claim, later amplified in 2024 by LockBit’s leader “LockBitSupp” while he sought help unmasking Toha, pointed to a Russian man named Anton Avdeev. KrebsOnSecurity’s own pivot through domain-registration records tied to Toha’s historic email address surfaced a different and more likely candidate, a Kyiv resident named Anton Medvedovskiy whose December 1987 birthdate matches the arrested suspect’s age. The Avdeev trail may have been deliberate misdirection. The forum’s encrypted Jabber server, thesecure.biz, links into this same cluster: it was originally run by the Ukrainian cybercriminal Sergei Vovnenko (“Flycracker”) before, by his account, being taken over while he was imprisoned. The map below shows the documented connections.

Actor network of the XSS administrator Toha across four forums, Ransomnews

How XSS fed the ransomware supply chain

XSS sat upstream of almost every major ransomware brand of the past five years. Ukraine’s SBU said the forum counted among its members cybercriminals tied to ransomware groups including REvil, LockBit, Conti and Qilin. The mechanism was the access trade. Initial access brokers listed footholds into corporate networks, frequently as structured auctions with a Start price, a Step (bid increment) and a Blitz (“buy it now”). Flare documented one representative listing with a 25,000 USD start, 1,000 USD step and 40,000 USD blitz for access to a US manufacturer with 800 million USD in revenue. An affiliate buys that access, runs the intrusion, and the broker never touches the ransomware.

The scale of that pipeline is measurable. Intel 471 recorded 4,878 access and credential sale claims from initial access brokers between June 2024 and May 2025, correlated 70 of them to victims later named on ransomware leak sites, and measured a median of roughly 19 days between an access listing and the victim appearing on a leak blog. That gap is the single most useful number for defenders in this whole story, and we return to it below.

The 2021 ransomware ban: a tell, not a reform

On 13 May 2021, days after the DarkSide attack on Colonial Pipeline put ransomware on front pages worldwide, the XSS administrator banned all ransomware activity, sales, rentals and affiliate programs, and deleted existing ransomware threads. Within hours Exploit and RaidForums followed. The move is often described as forums “turning against” ransomware. The data-aware reading is narrower: the ban removed the loud, branded affiliate-recruitment threads that attracted Western law enforcement, while the quieter and more valuable access trade that actually feeds ransomware carried on. It was reputation management, not a change of business.

Threat modelling: where XSS sits in the kill chain

Placing XSS on the Lockheed Martin cyber kill chain, mapped to MITRE ATT&CK, explains why its takedown matters out of proportion to a single arrest. The forum did not sit at the noisy end of the chain, at execution or impact. It sat at the very start, in Resource Development (ATT&CK TA0042) and as the supply side of Initial Access (TA0001). Members acquired infrastructure and capabilities (T1583, T1588), then traded valid accounts and external remote services (T1078, T1133, T1650) that affiliates carried straight into intrusions.

Where XSS sits in the ransomware kill chain mapped to MITRE ATT&CK, Ransomnews

This is why intelligence teams treat forum disruption as a “left of boom” intervention. Hitting the access market is cheaper and earlier than fighting encryption on the endpoint. The 19-day median between an access listing and a leak-site appearance is a live detection window: an organisation watching for its own domains, credentials and stealer-log fingerprints in that market gets, on average, almost three weeks of warning before the ransom note.
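The lead-time measurement and the watchlist check described above, as an added example (not Intel 471's or Ransomnews' code): it pairs constructed access listings with the first later leak-site post for the same victim, takes the median gap, and reports how much of that window a listing matching a defender's own watch terms has already used. Victim keys, the analysis date and the 19-day default (the Intel 471 figure quoted above) are assumptions; tying an anonymised listing to a named victim is analyst work the example does not attempt.

```python
"""Lead time between an access listing and the victim's leak-site appearance.

Added example; all records are constructed and victim keys are assumed to be
already resolved by an analyst.
"""
from datetime import date
from statistics import median

# Constructed IAB listings: (listing date, resolved victim key, listing text).
LISTINGS = [
    (date(2025, 1, 6), "acme-mfg", "US manufacturer, 800M revenue, RDP + domain admin"),
    (date(2025, 1, 20), "nordic-retail", "EU retailer, VPN, 2k hosts"),
    (date(2025, 2, 3), "contoso-health", "US healthcare, Citrix"),
    (date(2025, 2, 10), "unknown-law", "law firm, 300 hosts"),  # never surfaced
]

# Constructed leak-site posts: (post date, victim key).
LEAK_POSTS = [
    (date(2025, 1, 27), "acme-mfg"),
    (date(2025, 2, 2), "nordic-retail"),
    (date(2025, 2, 22), "contoso-health"),
    (date(2025, 3, 1), "someone-else"),  # no matching listing
]

ANALYSIS_DATE = date(2025, 1, 10)  # constructed "today" for the watchlist check


def correlate(listings, leak_posts):
    """Pair each listing with the first leak-site post for the same victim on or after it."""
    first_post = {}
    for posted, victim in sorted(leak_posts):
        first_post.setdefault(victim, posted)
    pairs = []
    for listed, victim, _text in listings:
        posted = first_post.get(victim)
        if posted is not None and posted >= listed:
            pairs.append((victim, (posted - listed).days))
    return pairs


def median_lead_days(listings, leak_posts):
    """Median days from listing to leak-site post, or None if nothing correlated."""
    pairs = correlate(listings, leak_posts)
    return median(d for _, d in pairs) if pairs else None


def watchlist_hits(listings, watch_terms, now=ANALYSIS_DATE, median_lead=19):
    """Listings already posted that match the defender's terms, with the window spent.

    median_lead defaults to the 19-day figure quoted from Intel 471 (assumption
    that it applies to the defender's own sector).
    """
    hits = []
    for listed, victim, text in listings:
        if listed > now:
            continue
        if any(t.lower() in text.lower() for t in watch_terms):
            age = (now - listed).days
            hits.append({"victim": victim, "age_days": age,
                         "days_left": max(0, median_lead - age), "descriptor": text})
    return hits
```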

XSS indicators of compromise by country

The forum’s access logs in the leaked dataset cover 19,192 events across 7,061 unique IP addresses in 79 countries. The table and chart below aggregate that telemetry by country. “Events” counts logged actions, “Unique IPs” counts distinct redacted addresses, and “Accounts” counts distinct user IDs seen from each country. We withhold every individual address. Read the geography as an indicator of routing and hosting infrastructure for threat-intelligence enrichment, not as proof of any person’s physical location.

Russia is the largest single source of distinct accounts (564), far ahead of any other country. The United States and the Netherlands rank high by raw IP count, but those totals are dominated by VPN endpoints, hosting providers and Tor exit relays rather than residents. Geolocating a security-conscious crime forum measures where members route traffic, not where they sleep; combined with the 62% Cyrillic text and Moscow working hours, the centre of gravity is clearly the Russian-speaking world.
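How a table like the one below can be produced from raw access-log rows without publishing a single address, as an added example (not the Ransomnews pipeline): events, distinct IPs and distinct accounts are aggregated per country, each IP is replaced by a keyed hash before any intermediate file is written, and the GeoIP lookup is a constructed prefix table standing in for an offline database. The sample rows, the key, and the treatment of unresolved addresses as a continent-level "EU" row are assumptions.

```python
"""Aggregate forum access-log records by country, publishing only counts.

Added example, not the Ransomnews team's own code. Records, the prefix map and
the key are constructed; the real dataset held 19,192 events.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed access-log rows: (user id, dotted IP, logged action).
RECORDS = [
    (101, "198.51.100.7", "login"),
    (101, "198.51.100.7", "post"),
    (102, "198.51.100.9", "login"),
    (103, "203.0.113.4", "login"),
    (101, "203.0.113.4", "post"),   # one VPN endpoint, two accounts
    (104, "192.0.2.250", "login"),
    (105, "10.9.8.7", "login"),     # prefix not in the table
]

# Constructed /24 -> country map standing in for an offline GeoIP database.
GEO_PREFIX = {"198.51.100": "RU", "203.0.113": "US", "192.0.2": "DE"}


def geolocate(ip):
    """ISO country code for an IP; unresolved addresses get the continent-level
    'EU' code (assumption: one way a row like the article's 'Europe (EU)' arises)."""
    return GEO_PREFIX.get(ip.rsplit(".", 1)[0], "EU")


def redact_ip(ip, key):
    """Keyed hash: distinct addresses stay countable, raw values never leave memory."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def aggregate(records, key):
    """Per-country events, share, unique (redacted) IPs and distinct accounts."""
    per = defaultdict(lambda: {"events": 0, "ips": set(), "accounts": set()})
    for user_id, ip, _action in records:
        row = per[geolocate(ip)]
        row["events"] += 1
        row["ips"].add(redact_ip(ip, key))
        row["accounts"].add(user_id)
    total = len(records)
    table = [
        {"country": cc, "events": r["events"],
         "share": round(100 * r["events"] / total, 2),
         "unique_ips": len(r["ips"]), "accounts": len(r["accounts"])}
        for cc, r in per.items()
    ]
    # Same ordering as the article's table: distinct accounts first, then events.
    table.sort(key=lambda r: (-r["accounts"], -r["events"]))
    return table
```

The US row in the sample shows two accounts behind one address, the same shape as the Switzerland row below (31 unique IPs, 56 accounts), which is what shared VPN and hosting endpoints look like in this kind of aggregate.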

XSS forum distinct accounts by source country, redacted IoC chart, Ransomnews
XSS forum access telemetry, all 79 countries
Rank | Country | Events | Share | Unique IPs | Accounts
1 | Russia (RU) | 3,910 | 20.37% | 1,486 | 564
2 | United States (US) | 5,046 | 26.29% | 3,938 | 172
3 | Ukraine (UA) | 721 | 3.76% | 255 | 139
4 | Germany (DE) | 1,582 | 8.24% | 141 | 94
5 | The Netherlands (NL) | 1,131 | 5.89% | 206 | 94
6 | France (FR) | 1,267 | 6.60% | 125 | 78
7 | Switzerland (CH) | 503 | 2.62% | 31 | 56
8 | Canada (CA) | 778 | 4.05% | 74 | 55
9 | United Kingdom (GB) | 585 | 3.05% | 63 | 53
10 | Sweden (SE) | 351 | 1.83% | 50 | 44
11 | Romania (RO) | 211 | 1.10% | 36 | 40
12 | Finland (FI) | 208 | 1.08% | 26 | 32
13 | Moldova (MD) | 180 | 0.94% | 39 | 32
14 | Poland (PL) | 125 | 0.65% | 33 | 31
15 | Austria (AT) | 399 | 2.08% | 26 | 30
16 | Luxembourg (LU) | 112 | 0.58% | 12 | 28
17 | Belarus (BY) | 247 | 1.29% | 83 | 27
18 | Türkiye (TR) | 138 | 0.72% | 20 | 26
19 | Singapore (SG) | 55 | 0.29% | 24 | 25
20 | Bulgaria (BG) | 122 | 0.64% | 15 | 24
21 | Liberia (LR) | 160 | 0.83% | 1 | 21
22 | Denmark (DK) | 93 | 0.48% | 10 | 21
23 | Latvia (LV) | 63 | 0.33% | 20 | 21
24 | Italy (IT) | 68 | 0.35% | 11 | 20
25 | Norway (NO) | 65 | 0.34% | 18 | 20
26 | Czechia (CZ) | 63 | 0.33% | 17 | 19
27 | Spain (ES) | 45 | 0.23% | 13 | 19
28 | Iceland (IS) | 123 | 0.64% | 15 | 18
29 | Slovakia (SK) | 82 | 0.43% | 8 | 18
30 | Europe (EU) | 57 | 0.30% | 36 | 18
31 | Portugal (PT) | 77 | 0.40% | 17 | 17
32 | Hungary (HU) | 119 | 0.62% | 6 | 16
33 | Mexico (MX) | 32 | 0.17% | 18 | 11
34 | Seychelles (SC) | 32 | 0.17% | 1 | 10
35 | Australia (AU) | 23 | 0.12% | 9 | 10
36 | Israel (IL) | 25 | 0.13% | 10 | 9
37 | Uzbekistan (UZ) | 22 | 0.11% | 11 | 9
38 | South Africa (ZA) | 32 | 0.17% | 4 | 7
39 | Brazil (BR) | 21 | 0.11% | 8 | 7
40 | Lithuania (LT) | 11 | 0.06% | 5 | 5
41 | Armenia (AM) | 24 | 0.13% | 5 | 4
42 | Belgium (BE) | 13 | 0.07% | 4 | 4
43 | Hong Kong (HK) | 12 | 0.06% | 5 | 4
44 | India (IN) | 12 | 0.06% | 8 | 4
45 | Georgia (GE) | 8 | 0.04% | 4 | 4
46 | Saudi Arabia (SA) | 7 | 0.04% | 6 | 4
47 | Estonia (EE) | 6 | 0.03% | 5 | 4
48 | Slovenia (SI) | 4 | 0.02% | 2 | 4
49 | United Arab Emirates (AE) | 57 | 0.30% | 3 | 3
50 | Kyrgyzstan (KG) | 14 | 0.07% | 4 | 3
51 | Nigeria (NG) | 10 | 0.05% | 9 | 3
52 | Indonesia (ID) | 3 | 0.02% | 2 | 3
53 | Thailand (TH) | 3 | 0.02% | 3 | 3
54 | Algeria (DZ) | 24 | 0.13% | 15 | 2
55 | Azerbaijan (AZ) | 10 | 0.05% | 4 | 2
56 | Philippines (PH) | 9 | 0.05% | 3 | 2
57 | Japan (JP) | 5 | 0.03% | 3 | 2
58 | China (CN) | 4 | 0.02% | 3 | 2
59 | Morocco (MA) | 3 | 0.02% | 3 | 2
60 | Taiwan (TW) | 2 | 0.01% | 2 | 2
61 | Venezuela (VE) | 25 | 0.13% | 1 | 1
62 | Kazakhstan (KZ) | 23 | 0.12% | 22 | 1
63 | Turkmenistan (TM) | 11 | 0.06% | 7 | 1
64 | Egypt (EG) | 3 | 0.02% | 1 | 1
65 | South Korea (KR) | 2 | 0.01% | 2 | 1
66 | Colombia (CO) | 1 | 0.01% | 1 | 1
67 | Paraguay (PY) | 1 | 0.01% | 1 | 1
68 | Isle of Man (IM) | 1 | 0.01% | 1 | 1
69 | Belize (BZ) | 1 | 0.01% | 1 | 1
70 | Croatia (HR) | 1 | 0.01% | 1 | 1
71 | Costa Rica (CR) | 1 | 0.01% | 1 | 1
72 | New Zealand (NZ) | 1 | 0.01% | 1 | 1
73 | Ireland (IE) | 1 | 0.01% | 1 | 1
74 | Niue (NU) | 1 | 0.01% | 1 | 1
75 | Panama (PA) | 1 | 0.01% | 1 | 1
76 | Malaysia (MY) | 1 | 0.01% | 1 | 1
77 | Kenya (KE) | 1 | 0.01% | 1 | 1
78 | Jersey (JE) | 1 | 0.01% | 1 | 1
79 | Serbia (RS) | 1 | 0.01% | 1 | 1
Ransomnews analysis of the leaked XSS XenForo database. Geography reflects routing/hosting infrastructure (VPN, hosting, Tor), not residency.

Operation Ratatouille: the takedown

The operation was led by the French Police and the Paris prosecutor’s cybercrime unit (JUNALCO), working with Ukraine’s National Police and SBU, with Europol coordinating. The investigation opened in July 2021. On 22 July 2025, officers detained the suspected administrator at his home in Kyiv and seized the thesecure.biz Jabber server. Europol described the suspect as a trusted third party who arbitrated disputes and secured transactions, and put his cumulative earnings above EUR 7 million from advertising, escrow fees and services. The SBU confirmed the forum’s membership included actors from REvil, LockBit, Conti and Qilin.

What makes this seizure different from a typical forum bust is the private layer. Investigators did not just take the public board; they took the private message store and, by Europol’s account, the Jabber server. In our copy of the database alone, the private layer held 6,168 conversations. A full live seizure would hold far more, and that is the part the underground fears most.

The aftermath: a collapse of trust

XSS reappeared on a new Tor address within days, but with all previous moderators dismissed, member balances zeroed, and returning users asked to pay a fresh deposit. Few trusted it. A KELA analysis tracked a splinter, “DamageLib,” emerging from the disruption, and Intel 471 framed the aftermath as a loss of trust rather than a loss of infrastructure. By late 2025, threat-intel telemetry showed initial-access activity shifting away from the older boards toward RAMP and DarkForums, which between them accounted for the large majority of observed access threads.

On the forums themselves, the dominant fear was forensic. As one Exploit member put it in a thread about the arrest, the investigators now hold “two years of Jabber server logs. Full backup and forum database,” material that modern tooling can turn into ready-made dossiers linking nicknames, emails, password hashes, Jabber IDs, IP addresses and even writing style. For a marketplace whose entire value proposition was a “trusted person” holding everyone’s secrets, that is the more lasting damage.

What this means for defenders

The takedown removes a hub, not the economy. Access brokering, exploit sales and affiliate recruitment migrate faster than any single arrest can suppress. The durable lesson from the data is that ransomware begins as a marketplace transaction roughly three weeks before the encryption event. The practical response is intelligence-led and early: monitor initial-access-broker chatter for your sector and named assets, watch for your organisation’s credentials and session cookies surfacing in stealer logs, and track leak-site activity on a live victim feed. Reduce the surface those brokers sell by closing exposed RDP and VPN, enforcing phishing-resistant MFA, and rotating credentials that appear in breach and stealer corpora. The seizure of XSS is a rare and real win. The market it served is still open.

Frequently asked questions

What is XSS.is?

XSS.is is a Russian-language cybercrime forum that operated as a marketplace for malware, exploits, stolen corporate access and stealer logs, with built-in escrow and arbitration. It was the 2018 relaunch of the older DaMaGeLaB board and ran until its administrator was arrested in July 2025.

Is XSS the same as DaMaGeLaB?

Effectively yes. DaMaGeLaB operated from 2004 to 2017, and in 2018 a backup of it was relaunched as xss.is under the administrator “Toha.” Registration records in the leaked database date back to November 2004, confirming the lineage.

Who was arrested in the XSS takedown?

French and Ukrainian police arrested a 38-year-old man in Kyiv on 22 July 2025, widely believed to be the longtime administrator “Toha.” Europol did not publicly name him, citing the ongoing investigation, and estimated he earned more than EUR 7 million from the forum. Open-source reporting points to a Kyiv resident, though identity attribution remains contested.

Which ransomware groups used XSS?

Ukraine’s SBU said XSS members included actors tied to REvil, LockBit, Conti and Qilin. The forum was used to trade initial access and recruit affiliates rather than to host the ransomware itself.

What did members actually trade on XSS?

Our analysis of 123,241 messages shows the busiest trading sections were web-application vulnerabilities, malware, exploit kits and crypting, network vulnerabilities, and a dedicated access board. The most-discussed commodities were stealer logs, crypting/FUD services, credit-card data, network access, exploits and web shells.

What countries did XSS members come from?

The membership was overwhelmingly Russian-speaking: 62% of message text is Cyrillic, 53.6% of accounts used CIS-region email domains, and Russia was the largest single source of distinct accounts in the access logs. High US and Netherlands IP counts reflect VPN, hosting and Tor infrastructure, not resident members.

Where does XSS sit in the cyber kill chain?

At the start. XSS supplied the Resource Development and Initial Access stages (MITRE ATT&CK TA0042 and TA0001), trading the infrastructure, exploits and valid accounts that affiliates later used for execution, exfiltration and extortion. That is why disrupting it is a “left of boom” intervention.

Is the XSS forum still online?

A site under the XSS name reappeared on a new Tor address shortly after the arrest, but with new operators, reset balances and dismissed moderators. Most established members have kept their distance, and initial-access activity has shifted toward forums such as RAMP and DarkForums.

Sources and further reading

  • Europol: Key figure behind major Russian-speaking cybercrime forum targeted in Ukraine
  • KrebsOnSecurity: Who Got Arrested in the Raid on the XSS Crime Forum?
  • Intel 471: After disruption, XSS cybercrime forum faces loss of trust
  • Intel 471: How initial access offers power intrusions and ransomware
  • Flare: Initial Access Brokers and the underground corporate access economy
  • The Record: XSS bans ransomware ads after Colonial Pipeline
  • KELA: XSS forum after takedown, DamageLib emerges
  • Ransomnews internal: ransomware leak-site OSINT walkthrough, the initial access broker economy, and the Ransomnews Research Team.

Methodology: figures attributed to the leaked dataset are derived from Ransomnews analysis of a XenForo database backup of the XSS forum. All individual IP addresses, usernames, email addresses and password hashes were redacted; only aggregate country-level, section-level and keyword-level statistics are published. GeoIP was resolved offline. Public-record facts about the arrest are attributed to Europol, Ukraine’s SBU, and the named reporting above. Identity attribution of the arrested administrator remains contested and is reported as such.

Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.
