XSS.is, the most influential Russian-language cybercrime forum of the past decade and the direct heir to the legacy board DaMaGeLaB, lost its administrator on 22 July 2025 when French and Ukrainian police arrested a 38-year-old man in Kyiv. Europol, which coordinated Operation Ratatouille, said the forum had more than 50,000 members and that the suspect earned over EUR 7 million arbitrating deals between criminals. The Ransomnews Research Team analysed a leaked copy of the forum database, 123,241 messages across 51 trading sections, to show exactly how the marketplace worked and where it sat in the ransomware kill chain.
This is a data-led profile, not a rewrite of the press release. Every figure attributed to “the leaked dataset” below comes from our own analysis of a XenForo database backup of the forum. We redacted all individual IP addresses, usernames, emails and password hashes, and publish only aggregates. The public-record facts about the arrest are attributed to Europol, Ukraine’s SBU, and the named reporting in the sources. Where attribution is contested, we say so.
| Key figure | Value |
|---|---|
| Registered users | 7,706 |
| Forum threads | 14,509 |
| Public messages | 123,241 |
| IP log records | 19,192 |
| Unique IP addresses (redacted) | 7,061 |
| Private conversations | 6,168 |
| Private messages | 6,776 |
| Trading sections | 51 |
| Source countries | 79 |
| Cyrillic share of message text | 62.2% |
| RaaS crews named by SBU | 4: REvil, LockBit, Conti, Qilin |
| Lineage | 2004 → 2025 |
What was the XSS forum, and why did it matter?
XSS was a Russian-language cybercrime forum that operated as the wholesale layer of the intrusion economy. It was where malware authors, exploit sellers, initial access brokers, spammers and ransomware affiliates met to trade. Members bought and sold zero-day exploits, malware source code, compromised corporate access, and stealer logs. Crucially, the forum itself acted as a trusted third party: it ran escrow (“garant”) and arbitration so two criminals who had never met could complete a deal without either getting cheated. That trust function, not any single product, is what made XSS structurally important to the whole ecosystem.
The lineage runs through two decades of the Russian underground. DaMaGeLaB operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018 a partial backup of DaMaGeLaB was relaunched as xss.is by an operator using the handle “Toha,” who had earlier founded the Hack-All forum in 2005 and rebuilt it as Exploit.in in 2006. The earliest registration timestamps in the leaked database resolve to November 2004, consistent with that DaMaGeLaB origin.

Inside the database: what 123,241 messages reveal
The leaked backup contains 14,509 discussion threads, 123,241 public messages, 7,706 registered accounts, and a private layer of 6,168 conversations holding 6,776 messages. The language signal is unambiguous: across all message bodies, 62.2% of the alphabetic characters are Cyrillic, and 53.6% of accounts registered with an email on a CIS-region domain (.ru, .su, .by, .ua, .kz). Russian webmail providers (mail.ru, yandex.ru, bk.ru, rambler.ru) together outnumber Gmail. A minority used ProtonMail, the routine operational-security choice in this community.
Mapping the 51 sections by message volume shows what the forum was actually for. Beyond the inevitable off-topic lounge and administration boards, the busiest trading sections are web-application vulnerabilities, malware, exploit kits and crypting, network and Wi-Fi vulnerabilities, and a dedicated access board (“shells, FTP, roots, databases, SQL injection, RDPs”). One administrative thread title preserved in the dump, a complaint about spam from “thesecure.biz,” is itself an artefact: thesecure.biz is the encrypted Jabber server Europol later said the arrested administrator operated.

Reducing the messages to a keyword frequency map gives a second view of demand. The most-discussed commodities are stealer logs, crypting and FUD services (making malware undetectable), credit-card data, network access, exploits and web shells. This is the raw material of ransomware intrusions, traded one layer upstream of the attack itself.

The forum kept Moscow office hours
Posting time is one of the hardest signals for an operator to fake, because it reflects when people are actually awake and working. The XSS data shows a textbook salaried-workday curve. Activity is low overnight, climbs sharply from 06:00 UTC, and peaks between 09:00 and 13:00 UTC. That window is the middle of the working day in Moscow (UTC+3). Weekdays dominate, with Monday and Tuesday the busiest and a clear weekend dip. This is the rhythm of a daytime, business-hours operation rather than a scattered global hobbyist crowd, and it lines up with the same pattern Ransomnews found when it timed 16,699 ransomware leak-site posts.
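The hour-of-day and weekday profile described above, as an added example rather than the Ransomnews analysis code: it takes UNIX message timestamps, builds zero-filled UTC histograms, locates the busiest contiguous window and converts it to a candidate zone (Moscow, UTC+3). The sample timestamps are constructed so the block runs offline.

```python
"""Hour-of-day / weekday posting profile from forum message timestamps."""
from collections import Counter
from datetime import datetime, timezone, timedelta
import random


def hour_profile(timestamps):
    """Return {utc_hour: count} for all 24 hours, zero-filled."""
    counts = Counter(datetime.fromtimestamp(ts, tz=timezone.utc).hour for ts in timestamps)
    return {h: counts.get(h, 0) for h in range(24)}


def weekday_profile(timestamps):
    """Return {weekday: count}, 0 = Monday ... 6 = Sunday, zero-filled."""
    counts = Counter(datetime.fromtimestamp(ts, tz=timezone.utc).weekday() for ts in timestamps)
    return {d: counts.get(d, 0) for d in range(7)}


def busiest_window(profile, width=4):
    """(start_hour, total) of the contiguous `width`-hour window with most posts; wraps midnight."""
    best_start, best_total = 0, -1
    for start in range(24):
        total = sum(profile[(start + i) % 24] for i in range(width))
        if total > best_total:
            best_start, best_total = start, total
    return best_start, best_total


def shift_hour(utc_hour, offset_hours):
    """Express a UTC hour in a fixed-offset zone (Moscow is UTC+3)."""
    return (utc_hour + offset_hours) % 24


def weekend_share(wprofile):
    """Fraction of posts made on Saturday or Sunday."""
    total = sum(wprofile.values())
    return (wprofile[5] + wprofile[6]) / total if total else 0.0


def constructed_sample(seed=7, n=2000):
    """Constructed data: 4 weeks of posts with a workday shape peaking 09:00-13:00 UTC
    and a weekend dip. Not real forum data."""
    rng = random.Random(seed)
    base = datetime(2025, 6, 2, tzinfo=timezone.utc)  # a Monday
    stamps = []
    while len(stamps) < n:
        dt = base + timedelta(days=rng.randrange(28))
        if dt.weekday() >= 5 and rng.random() < 0.7:
            continue  # thin out weekend posting
        hour = int(min(23, max(0, rng.gauss(11, 3))))
        stamps.append(int((dt + timedelta(hours=hour, minutes=rng.randrange(60))).timestamp()))
    return stamps


if __name__ == "__main__":
    ts = constructed_sample()
    start, total = busiest_window(hour_profile(ts))
    print(f"busiest 4h window: {start:02d}:00 UTC = {shift_hour(start, 3):02d}:00 Moscow ({total} posts)")
    print(f"weekend share: {weekend_share(weekday_profile(ts)):.1%}")
```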

Who was who: the real actors behind XSS
Europol did not name the man arrested in Kyiv, citing the live investigation, but the cybercrime community and open-source investigators converged on the handle “Toha,” the longtime administrator of XSS and several predecessor forums. According to KrebsOnSecurity, Toha was a founding member of Hack-All in 2005, rebranded it as Exploit.in in 2006, and sold Exploit in 2018, the same year DaMaGeLaB was reincarnated as XSS under his control. Europol assessed the suspect had spent nearly 20 years in cybercrime, which fits.
Identity attribution remains genuinely contested. A 2022 deanonymisation claim, later amplified in 2024 by LockBit’s leader “LockBitSupp” while he sought help unmasking Toha, pointed to a Russian man named Anton Avdeev. KrebsOnSecurity’s own pivot through domain-registration records tied to Toha’s historic email address surfaced a different and more likely candidate, a Kyiv resident named Anton Medvedovskiy whose December 1987 birthdate matches the arrested suspect’s age. The Avdeev trail may have been deliberate misdirection. The forum’s encrypted Jabber server, thesecure.biz, links into this same cluster: it was originally run by the Ukrainian cybercriminal Sergei Vovnenko (“Flycracker”) before, by his account, being taken over while he was imprisoned. The map below shows the documented connections.

How XSS fed the ransomware supply chain
XSS sat upstream of almost every major ransomware brand of the past five years. Ukraine’s SBU said the forum counted among its members cybercriminals tied to ransomware groups including REvil, LockBit, Conti and Qilin. The mechanism was the access trade. Initial access brokers listed footholds into corporate networks, frequently as structured auctions with a Start price, a Step (bid increment) and a Blitz (“buy it now”). Flare documented one representative listing with a 25,000 USD start, 1,000 USD step and 40,000 USD blitz for access to a US manufacturer with 800 million USD in revenue. An affiliate buys that access, runs the intrusion, and the broker never touches the ransomware.
The scale of that pipeline is measurable. Intel 471 recorded 4,878 access and credential sale claims from initial access brokers between June 2024 and May 2025, correlated 70 of them to victims later named on ransomware leak sites, and measured a median of roughly 19 days between an access listing and the victim appearing on a leak blog. That gap is the single most useful number for defenders in this whole story, and we return to it below.
The 2021 ransomware ban: a tell, not a reform
On 13 May 2021, days after the DarkSide attack on Colonial Pipeline put ransomware on front pages worldwide, the XSS administrator banned all ransomware activity, sales, rentals and affiliate programs, and deleted existing ransomware threads. Within hours Exploit and RaidForums followed. The move is often described as forums “turning against” ransomware. The data-aware reading is narrower: the ban removed the loud, branded affiliate-recruitment threads that attracted Western law enforcement, while the quieter and more valuable access trade that actually feeds ransomware carried on. It was reputation management, not a change of business.
Threat modelling: where XSS sits in the kill chain
Placing XSS on the Lockheed Martin cyber kill chain, mapped to MITRE ATT&CK, explains why its takedown matters out of proportion to a single arrest. The forum did not sit at the noisy end of the chain, at execution or impact. It sat at the very start, in Resource Development (ATT&CK TA0042) and as the supply side of Initial Access (TA0001). Members acquired infrastructure and capabilities (T1583, T1588), then traded valid accounts and external remote services (T1078, T1133, T1650) that affiliates carried straight into intrusions.

This is why intelligence teams treat forum disruption as a “left of boom” intervention. Hitting the access market is cheaper and earlier than fighting encryption on the endpoint. The 19-day median between an access listing and a leak-site appearance is a live detection window: an organisation watching for its own domains, credentials and stealer-log fingerprints in that market gets, on average, almost three weeks of warning before the ransom note.
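The auction-style access listings from the supply-chain section and the 19-day detection window above, worked as one added example (not Intel 471 or Flare tooling): a parser for the Start/Step/Blitz shape, a watchlist match on country, sector and revenue band, and an alert stamped with the expected leak-site date. The listing texts and the organisation profile are constructed.

```python
"""Left-of-boom watch: flag access-broker listings that match your own profile."""
import re
from datetime import date, timedelta

MEDIAN_LISTING_TO_LEAK_DAYS = 19  # median lag cited in the text (Intel 471)

AUCTION_RE = re.compile(
    r"start[:\s]*\$?(?P<start>[\d,]+).*?step[:\s]*\$?(?P<step>[\d,]+).*?blitz[:\s]*\$?(?P<blitz>[\d,]+)",
    re.I | re.S,
)
REVENUE_RE = re.compile(r"revenue[:\s]*\$?(?P<num>[\d.]+)\s*(?P<unit>[mb])", re.I)


def _money(s):
    return int(s.replace(",", ""))


def parse_listing(text):
    """Return auction prices and revenue (USD) from a listing, or None if it is not an auction."""
    m = AUCTION_RE.search(text)
    if not m:
        return None
    revenue = None
    rev = REVENUE_RE.search(text)
    if rev:
        scale = 1e6 if rev.group("unit").lower() == "m" else 1e9
        revenue = int(float(rev.group("num")) * scale)
    return {
        "start": _money(m.group("start")), "step": _money(m.group("step")),
        "blitz": _money(m.group("blitz")), "revenue_usd": revenue, "text": text.lower(),
    }


def matches_profile(listing, profile):
    """profile: {'country': ISO code, 'sector': keyword stem, 'revenue_band': (lo, hi)}."""
    if listing is None:
        return False
    t = listing["text"]
    if not re.search(r"\b" + re.escape(profile["country"].lower()) + r"\b", t):
        return False
    if profile["sector"].lower() not in t:
        return False
    lo, hi = profile["revenue_band"]
    r = listing["revenue_usd"]
    return r is not None and lo <= r <= hi


def alert(listing, seen_on):
    """Expected leak-site date if the access is bought and used on the median timeline."""
    return {"blitz": listing["blitz"],
            "expected_leak_by": seen_on + timedelta(days=MEDIAN_LISTING_TO_LEAK_DAYS)}


def scan(listings, profile, seen_on):
    """Alerts for every listing that parses as an auction and matches the profile."""
    return [alert(l, seen_on) for l in map(parse_listing, listings) if matches_profile(l, profile)]


# constructed listings and a constructed organisation profile (hypothetical values)
CONSTRUCTED_LISTINGS = [
    "Access: US manufacturer, revenue 800M, domain admin, 900 hosts. Start: 25,000 Step: 1,000 Blitz: 40,000",
    "Access: DE logistics company, revenue 120M, VPN creds. start 3000 step 500 blitz 8000",
    "Selling stealer logs, mixed countries, no auction",
]
ORG_PROFILE = {"country": "US", "sector": "manufactur", "revenue_band": (500_000_000, 1_500_000_000)}

if __name__ == "__main__":
    for a in scan(CONSTRUCTED_LISTINGS, ORG_PROFILE, date(2025, 7, 1)):
        print(f"match: blitz {a['blitz']} USD, expect leak-site post by {a['expected_leak_by']}")
```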
XSS indicators of compromise by country
The forum’s access logs in the leaked dataset cover 19,192 events across 7,061 unique IP addresses in 79 countries. The table and chart below aggregate that telemetry by country. “Events” counts logged actions, “Unique IPs” counts distinct redacted addresses, and “Accounts” counts distinct user IDs seen from each country. We withhold every individual address. Read the geography as an indicator of routing and hosting infrastructure for threat-intelligence enrichment, not as proof of any person’s physical location.
Russia is the largest single source of distinct accounts (564), far ahead of any other country. The United States and the Netherlands rank high by raw IP count, but those totals are dominated by VPN endpoints, hosting providers and Tor exit relays rather than residents. Geolocating a security-conscious crime forum measures where members route traffic, not where they sleep; combined with the 62% Cyrillic text and Moscow working hours, the centre of gravity is clearly the Russian-speaking world.
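The country-level aggregation behind the table, as an added example and not the Ransomnews pipeline: records are (ip, user_id, country) tuples as an access log would yield after offline GeoIP, each IP is replaced by a keyed HMAC before counting (the redaction method is an assumption; the page only says addresses were redacted), and a high unique-IP-to-account ratio is surfaced as a routing/hosting signal rather than residency. The log and key are constructed.

```python
"""Aggregate pseudonymised access-log records into a per-country table."""
import hmac
import hashlib
from collections import defaultdict


def pseudonymise_ip(ip, key):
    """Keyed hash of an address; the key never leaves the analyst."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def aggregate_by_country(records, key):
    """records: iterable of (ip, user_id, country). Rows sorted by accounts, then events."""
    events = defaultdict(int)
    ips = defaultdict(set)
    accounts = defaultdict(set)
    for ip, user_id, country in records:
        events[country] += 1
        ips[country].add(pseudonymise_ip(ip, key))  # raw IP is never stored
        accounts[country].add(user_id)
    total = sum(events.values())
    rows = [{
        "country": c,
        "events": events[c],
        "share": round(100.0 * events[c] / total, 2),
        "unique_ips": len(ips[c]),
        "accounts": len(accounts[c]),
    } for c in events]
    rows.sort(key=lambda r: (-r["accounts"], -r["events"]))
    for rank, r in enumerate(rows, 1):
        r["rank"] = rank
    return rows


def infra_signal(row, ratio_threshold=3.0):
    """True when a country shows many distinct addresses per account, the VPN/hosting/Tor pattern."""
    return row["accounts"] > 0 and row["unique_ips"] / row["accounts"] >= ratio_threshold


# constructed log: a residential-looking country (few IPs per account) versus a
# transit-looking one (many IPs per account); addresses are documentation ranges
CONSTRUCTED_LOG = (
    [("203.0.113.%d" % (i % 4), "u%d" % i, "RU") for i in range(12)]      # 12 events, 4 IPs, 12 accounts
    + [("198.51.100.%d" % i, "v%d" % (i % 2), "US") for i in range(10)]   # 10 events, 10 IPs, 2 accounts
    + [("192.0.2.1", "w0", "UA"), ("192.0.2.1", "w0", "UA")]              # 2 events, 1 IP, 1 account
)
KEY = b"constructed-analyst-only-key"

if __name__ == "__main__":
    for r in aggregate_by_country(CONSTRUCTED_LOG, KEY):
        flag = " (routing/hosting signal)" if infra_signal(r) else ""
        print(f"{r['rank']} {r['country']} events={r['events']} share={r['share']}% "
              f"ips={r['unique_ips']} accounts={r['accounts']}{flag}")
```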

| # | Country | Events | Share | Unique IPs | Accounts |
|---|---|---|---|---|---|
| 1 | Russia (RU) | 3,910 | 20.37% | 1,486 | 564 |
| 2 | United States (US) | 5,046 | 26.29% | 3,938 | 172 |
| 3 | Ukraine (UA) | 721 | 3.76% | 255 | 139 |
| 4 | Germany (DE) | 1,582 | 8.24% | 141 | 94 |
| 5 | The Netherlands (NL) | 1,131 | 5.89% | 206 | 94 |
| 6 | France (FR) | 1,267 | 6.6% | 125 | 78 |
| 7 | Switzerland (CH) | 503 | 2.62% | 31 | 56 |
| 8 | Canada (CA) | 778 | 4.05% | 74 | 55 |
| 9 | United Kingdom (GB) | 585 | 3.05% | 63 | 53 |
| 10 | Sweden (SE) | 351 | 1.83% | 50 | 44 |
| 11 | Romania (RO) | 211 | 1.1% | 36 | 40 |
| 12 | Finland (FI) | 208 | 1.08% | 26 | 32 |
| 13 | Moldova (MD) | 180 | 0.94% | 39 | 32 |
| 14 | Poland (PL) | 125 | 0.65% | 33 | 31 |
| 15 | Austria (AT) | 399 | 2.08% | 26 | 30 |
| 16 | Luxembourg (LU) | 112 | 0.58% | 12 | 28 |
| 17 | Belarus (BY) | 247 | 1.29% | 83 | 27 |
| 18 | Türkiye (TR) | 138 | 0.72% | 20 | 26 |
| 19 | Singapore (SG) | 55 | 0.29% | 24 | 25 |
| 20 | Bulgaria (BG) | 122 | 0.64% | 15 | 24 |
| 21 | Liberia (LR) | 160 | 0.83% | 1 | 21 |
| 22 | Denmark (DK) | 93 | 0.48% | 10 | 21 |
| 23 | Latvia (LV) | 63 | 0.33% | 20 | 21 |
| 24 | Italy (IT) | 68 | 0.35% | 11 | 20 |
| 25 | Norway (NO) | 65 | 0.34% | 18 | 20 |
| 26 | Czechia (CZ) | 63 | 0.33% | 17 | 19 |
| 27 | Spain (ES) | 45 | 0.23% | 13 | 19 |
| 28 | Iceland (IS) | 123 | 0.64% | 15 | 18 |
| 29 | Slovakia (SK) | 82 | 0.43% | 8 | 18 |
| 30 | Europe (EU) | 57 | 0.3% | 36 | 18 |
| 31 | Portugal (PT) | 77 | 0.4% | 17 | 17 |
| 32 | Hungary (HU) | 119 | 0.62% | 6 | 16 |
| 33 | Mexico (MX) | 32 | 0.17% | 18 | 11 |
| 34 | Seychelles (SC) | 32 | 0.17% | 1 | 10 |
| 35 | Australia (AU) | 23 | 0.12% | 9 | 10 |
| 36 | Israel (IL) | 25 | 0.13% | 10 | 9 |
| 37 | Uzbekistan (UZ) | 22 | 0.11% | 11 | 9 |
| 38 | South Africa (ZA) | 32 | 0.17% | 4 | 7 |
| 39 | Brazil (BR) | 21 | 0.11% | 8 | 7 |
| 40 | Lithuania (LT) | 11 | 0.06% | 5 | 5 |
| 41 | Armenia (AM) | 24 | 0.13% | 5 | 4 |
| 42 | Belgium (BE) | 13 | 0.07% | 4 | 4 |
| 43 | Hong Kong (HK) | 12 | 0.06% | 5 | 4 |
| 44 | India (IN) | 12 | 0.06% | 8 | 4 |
| 45 | Georgia (GE) | 8 | 0.04% | 4 | 4 |
| 46 | Saudi Arabia (SA) | 7 | 0.04% | 6 | 4 |
| 47 | Estonia (EE) | 6 | 0.03% | 5 | 4 |
| 48 | Slovenia (SI) | 4 | 0.02% | 2 | 4 |
| 49 | United Arab Emirates (AE) | 57 | 0.3% | 3 | 3 |
| 50 | Kyrgyzstan (KG) | 14 | 0.07% | 4 | 3 |
| 51 | Nigeria (NG) | 10 | 0.05% | 9 | 3 |
| 52 | Indonesia (ID) | 3 | 0.02% | 2 | 3 |
| 53 | Thailand (TH) | 3 | 0.02% | 3 | 3 |
| 54 | Algeria (DZ) | 24 | 0.13% | 15 | 2 |
| 55 | Azerbaijan (AZ) | 10 | 0.05% | 4 | 2 |
| 56 | Philippines (PH) | 9 | 0.05% | 3 | 2 |
| 57 | Japan (JP) | 5 | 0.03% | 3 | 2 |
| 58 | China (CN) | 4 | 0.02% | 3 | 2 |
| 59 | Morocco (MA) | 3 | 0.02% | 3 | 2 |
| 60 | Taiwan (TW) | 2 | 0.01% | 2 | 2 |
| 61 | Venezuela (VE) | 25 | 0.13% | 1 | 1 |
| 62 | Kazakhstan (KZ) | 23 | 0.12% | 22 | 1 |
| 63 | Turkmenistan (TM) | 11 | 0.06% | 7 | 1 |
| 64 | Egypt (EG) | 3 | 0.02% | 1 | 1 |
| 65 | South Korea (KR) | 2 | 0.01% | 2 | 1 |
| 66 | Colombia (CO) | 1 | 0.01% | 1 | 1 |
| 67 | Paraguay (PY) | 1 | 0.01% | 1 | 1 |
| 68 | Isle of Man (IM) | 1 | 0.01% | 1 | 1 |
| 69 | Belize (BZ) | 1 | 0.01% | 1 | 1 |
| 70 | Croatia (HR) | 1 | 0.01% | 1 | 1 |
| 71 | Costa Rica (CR) | 1 | 0.01% | 1 | 1 |
| 72 | New Zealand (NZ) | 1 | 0.01% | 1 | 1 |
| 73 | Ireland (IE) | 1 | 0.01% | 1 | 1 |
| 74 | Niue (NU) | 1 | 0.01% | 1 | 1 |
| 75 | Panama (PA) | 1 | 0.01% | 1 | 1 |
| 76 | Malaysia (MY) | 1 | 0.01% | 1 | 1 |
| 77 | Kenya (KE) | 1 | 0.01% | 1 | 1 |
| 78 | Jersey (JE) | 1 | 0.01% | 1 | 1 |
| 79 | Serbia (RS) | 1 | 0.01% | 1 | 1 |
Operation Ratatouille: the takedown
The operation was led by the French Police and the Paris prosecutor’s cybercrime unit (JUNALCO), working with Ukraine’s National Police and SBU, with Europol coordinating. The investigation opened in July 2021. On 22 July 2025, officers detained the suspected administrator at his home in Kyiv and seized the thesecure.biz Jabber server. Europol described the suspect as a trusted third party who arbitrated disputes and secured transactions, and put his cumulative earnings above EUR 7 million from advertising, escrow fees and services. The SBU confirmed the forum’s membership included actors from REvil, LockBit, Conti and Qilin.
What makes this seizure different from a typical forum bust is the private layer. Investigators did not just take the public board; they took the private message store and, by Europol’s account, the Jabber server. In our copy of the database alone, the private layer held 6,168 conversations. A full live seizure would hold far more, and that is the part the underground fears most.
The aftermath: a collapse of trust
XSS reappeared on a new Tor address within days, but with all previous moderators dismissed, member balances zeroed, and returning users asked to pay a fresh deposit. Few trusted it. A KELA analysis tracked a splinter, “DamageLib,” emerging from the disruption, and Intel 471 framed the aftermath as a loss of trust rather than a loss of infrastructure. By late 2025, threat-intel telemetry showed initial-access activity shifting away from the older boards toward RAMP and DarkForums, which between them accounted for the large majority of observed access threads.
On the forums themselves, the dominant fear was forensic. As one Exploit member put it in a thread about the arrest, the investigators now hold “two years of Jabber server logs. Full backup and forum database,” material that modern tooling can turn into ready-made dossiers linking nicknames, emails, password hashes, Jabber IDs, IP addresses and even writing style. For a marketplace whose entire value proposition was a “trusted person” holding everyone’s secrets, that is the more lasting damage.
What this means for defenders
The takedown removes a hub, not the economy. Access brokering, exploit sales and affiliate recruitment migrate faster than any single arrest can suppress. The durable lesson from the data is that ransomware begins as a marketplace transaction roughly three weeks before the encryption event. The practical response is intelligence-led and early: monitor initial-access-broker chatter for your sector and named assets, watch for your organisation’s credentials and session cookies surfacing in stealer logs, and track leak-site activity on a live victim feed. Reduce the surface those brokers sell by closing exposed RDP and VPN, enforcing phishing-resistant MFA, and rotating credentials that appear in breach and stealer corpora. The seizure of XSS is a rare and real win. The market it served is still open.
Frequently asked questions
What is XSS.is?
XSS.is is a Russian-language cybercrime forum that operated as a marketplace for malware, exploits, stolen corporate access and stealer logs, with built-in escrow and arbitration. It was the 2018 relaunch of the older DaMaGeLaB board and ran until its administrator was arrested in July 2025.
Is XSS the same as DaMaGeLaB?
Effectively yes. DaMaGeLaB operated from 2004 to 2017, and in 2018 a backup of it was relaunched as xss.is under the administrator “Toha.” Registration records in the leaked database date back to November 2004, confirming the lineage.
Who was arrested in the XSS takedown?
French and Ukrainian police arrested a 38-year-old man in Kyiv on 22 July 2025, widely believed to be the longtime administrator “Toha.” Europol did not publicly name him, citing the ongoing investigation, and estimated he earned more than EUR 7 million from the forum. Open-source reporting points to a Kyiv resident, though identity attribution remains contested.
Which ransomware groups used XSS?
Ukraine’s SBU said XSS members included actors tied to REvil, LockBit, Conti and Qilin. The forum was used to trade initial access and recruit affiliates rather than to host the ransomware itself.
What did members actually trade on XSS?
Our analysis of 123,241 messages shows the busiest trading sections were web-application vulnerabilities, malware, exploit kits and crypting, network vulnerabilities, and a dedicated access board. The most-discussed commodities were stealer logs, crypting/FUD services, credit-card data, network access, exploits and web shells.
What countries did XSS members come from?
The membership was overwhelmingly Russian-speaking: 62% of message text is Cyrillic, 53.6% of accounts used CIS-region email domains, and Russia was the largest single source of distinct accounts in the access logs. High US and Netherlands IP counts reflect VPN, hosting and Tor infrastructure, not resident members.
Where does XSS sit in the cyber kill chain?
At the start. XSS supplied the Resource Development and Initial Access stages (MITRE ATT&CK TA0042 and TA0001), trading the infrastructure, exploits and valid accounts that affiliates later used for execution, exfiltration and extortion. That is why disrupting it is a “left of boom” intervention.
Is the XSS forum still online?
A site under the XSS name reappeared on a new Tor address shortly after the arrest, but with new operators, reset balances and dismissed moderators. Most established members have kept their distance, and initial-access activity has shifted toward forums such as RAMP and DarkForums.
Sources and further reading
- Europol: Key figure behind major Russian-speaking cybercrime forum targeted in Ukraine
- KrebsOnSecurity: Who Got Arrested in the Raid on the XSS Crime Forum?
- Intel 471: After disruption, XSS cybercrime forum faces loss of trust
- Intel 471: How initial access offers power intrusions and ransomware
- Flare: Initial Access Brokers and the underground corporate access economy
- The Record: XSS bans ransomware ads after Colonial Pipeline
- KELA: XSS forum after takedown, DamageLib emerges
- Ransomnews internal: ransomware leak-site OSINT walkthrough, the initial access broker economy, and the Ransomnews Research Team.
Methodology: figures attributed to the leaked dataset are derived from Ransomnews analysis of a XenForo database backup of the XSS forum. All individual IP addresses, usernames, email addresses and password hashes were redacted; only aggregate country-level, section-level and keyword-level statistics are published. GeoIP was resolved offline. Public-record facts about the arrest are attributed to Europol, Ukraine’s SBU, and the named reporting above. Identity attribution of the arrested administrator remains contested and is reported as such.
