Dark web cybercrime forum XSS.is shut down in a joint France-Ukraine operation: Header image
News & Stories 5 min read

Dark web cybercrime forum XSS.is shut down in a joint France-Ukraine operation

byRay Fernandez

Published:Aug 8, 2025

The infamous Russian-language dark web forum XSS[.]is was seized by authorities. The forum was perhaps the most active and well-known forum in the dark web landscape. Let’s dive right in.

Alleged administrator and technical operator of a massive Russian-linked cybercriminal forum arrested 

On July 22, after a long-running investigation led by French police and the Paris Prosecutor’s Office with the cooperation of their Ukrainian counterpart and Europol, the alleged administrator of the forum XSS[.]is was arrested.  

Europol reported that the suspect allegedly played a key role in enabling criminal activity. According to Europol, the suspect acted as a trusted third party, arbitrated disputes, and ensured that transactions ran smoothly. 

Interestingly, Europol reported that a private messaging service known as thesecure[.]biz was identified in this investigation, which the suspect allegedly managed. The use of encrypted messaging apps is common in the criminal underworld, as they enable cybercriminals to operate under the radar. 

“Through these services, the suspect is thought to have made over €7 million in advertising and facilitation fees,” Europol stated.

According to investigators, the individual has been active in the ecosystem for nearly 2 decades. 

The investigation was begun by French police in 2021 and moved to Ukraine in September 2024. According to the Europol press release, the individual is the main suspect in the investigation. 

A screenshot of a website notification that reads, "This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité."

Is XSS[.]is back online? 

Moonlock checked the dark forum front-facing website and can confirm that the forum displays a law enforcement “seized” banner. However, the day after the forum was shut down, media like HackRead, SCWorld, and others in the cybersecurity industry reported that messages were circulating that the site would reopen. The same media said the chatter could simply be a honeypot set up by law enforcement. 

A screenshot of a forum post about XSS.
Cybersecurity media reported chatter about a possible resurfacing of XSS the day after the arrest was made. Image: Screenshot, Moonlock.

There have been instances in the past when dark web forums were seized by international law enforcement operations, only to later resurface online. Will XSS[.]is resurface? With the information currently available, we cannot answer this question.

We can say, however, that if it does resurface, it will come as no surprise to anyone in the cybersecurity industry. It is also possible that the vacuum left by XSS[.]is will lead to a power struggle in the criminal underworld. 

What the XSS[.]is forum is (or was) and its history

Our malware research team, Moonlock Lab, shared that XSS[.]is was originally founded as DaMaGeLaB in 2013 and was renamed in 2018 after one of the administrators was arrested. 

“It is a legendary Russian-speaking hacker platform that existed for over 12 years on both the dark web and clearnet,” Moonlock Lab said. 

The forum has approximately 50,000–55,000 registered users and over 100,000 threads.

The forum managed to remain online and available on the public web for years. Unlike other cybercriminal forums that require special onion-capable browsers like Tor, anyone could access XSS with a normal web browser.

XSS, like other forums, offered:

  • Access to compromised systems
  • Stealer logs
  • Stolen data
  • Elite ransomware
  • Private sections for coordinating cyberattacks
  • And much more

XSS data is also considered a treasure trove for cybercriminal experts and digital forensic teams. Black hat malware developers used this forum like legitimate software developers use GitHub — as a place for sharing and cooperating, pushing innovation.

Moonlock Lab told us that the forum was a global hub for Russian-speaking cybercriminals serving to coordinate attacks, share malware, and facilitate underground communications.

I use Apple devices. Why is this news relevant to me?

On the XSS forum, cybercriminals sold Apple malware to other operators, as well as the personal data of soon-to-be victims of cybercrime. On today’s dark web forums, unfortunately, anyone can find all they need to commit a hack or a cybercrime, even if they have little or no technical skills. And this forum was the most well-known on the dark web.

So, what does this all mean for Apple users? The arrest means more security and less cybercrime, at least coming from this site.  

Furthermore, while there is no mention in the official press releases, the site was popular among cybercriminal gangs, and these are linked to more serious crimes like money laundering, drug trafficking, human trafficking, and more. Shutting down the site, as we said above, brings accountability and added security for Apple users. 

“XSS[.]is is a source of stealer bot data and combo lists that often end up affecting macOS users through browser extensions, phishing forms, and more, ” Moonlock Lab told us. 

XSS[.]is is a source of stealer bot data and combo lists that often end up affecting macOS users through browser extensions, phishing forms, and more.

Moonlock Lab

“Looking forward — several arrested or exposed forum users are under investigation, which slows down the leak of data and sale of malware targeting iOS/macOS,” Moonlock Lab added. 

“Neighboring forums (Kitty Forum, Exploit[.]in) have already reported influxes or possible sales,” Moonlock Lab said. “A migration wave to Telegram or other Tor-based services is likely — but the old infrastructure is gone.” 

Both forums became underground brands, but XSS had a far greater impact on modern cyberterrorism. 

Moonlock Lab added that the following information has already been made public:

  • Jabber chats: Used in the investigation but not yet publicly released
  • BTC transactions: Profits disclosed but specific addresses not made public
  • Telegram communications: Not confirmed in public records

Who was arrested? What about other cybercriminals?

The individual arrested was the alleged administrator, alleged forum organizer, and alleged deal arbiter who earned over €7M over roughly 20 years of activity and operated thesecure[.]biz in Kyiv, Ukraine on July 22, 2025. 

A photo showing an arrest being made.
This photograph was distributed along with Europol’s official press release announcing the arrest. Image: Screenshot, Moonlock.

“Other participants have not yet been disclosed,” Moonlock Lab said. “Possible suspects may emerge via data and transaction analysis, but no official arrests have been made yet,” Moonlock Lab said. 

Final thoughts

The shutdown of XSS[.]is is an important turn of events in the cybersecurity community. This investigation is likely to make waves in the criminal underground and may lead to new markets and new threat actors who see this as an opportunity to rise to a more dominant position. 

At Moonlock, we will continue to monitor this news and keep you up to date on everything you need to know. One thing is certain, the XSS[.]is forum held a lot of information, and all that information is now in the hands of law enforcement officers, prosecutors, and authorities.

MoonLock Banner
Ray Fernandez

Ray Fernandez

Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.

You might also like

Instagram's new Map feature sparks a privacy scandal (Header image)
Instagram’s new Map feature sparks a privacy scandal
Aug 15, 2025
7 min read
Is North Korean spy scheme behind the rise of macOS stealers? Header image
Is a North Korean spy scheme behind the rise of macOS stealers?
Aug 8, 2025
6 min read
AI-powered impersonation scams are up 148%: Header image
AI-powered impersonation scams are up 148%
Jul 25, 2025
7 min read