In a significant victory against organized cybercrime, Europol, in conjunction with French and Ukrainian law enforcement, announced the arrest of the alleged administrator of XSS.is (formerly DaMaGeLaB) on Monday, July 22, 2025. This high-profile operation, initiated by the French Police in July 2021, culminated in a targeted arrest in Kyiv, Ukraine, and the subsequent seizure of the notorious cybercrime platform’s clearnet domain. The domain now displays a seizure notice, a clear message from authorities that the illicit activities once thriving there have been brought to an abrupt halt.
XSS.is, with over 50,000 registered users, had established itself as a central marketplace for a vast array of illegal cyber activities, including the trade of stolen data, hacking tools, and various illicit services. Europol highlighted its critical role as a coordination, advertising, and recruitment hub for some of the most active and dangerous cybercriminal networks. Beyond technical operation, the forum’s administrator is believed to have facilitated criminal undertakings by acting as a trusted third-party arbitrator for disputes and guaranteeing the security of transactions, demonstrating a deep integration into the cybercrime ecosystem.
The unnamed individual arrested is also suspected of operating secure.biz, a private messaging platform specifically designed for cybercriminals.
Through these combined illicit ventures, the suspect is estimated to have amassed profits exceeding €7 million ($8.24 million) from advertising and facilitation fees. This financial gain underscores the lucrative nature of these underground platforms and the significant resources involved in their operation. Investigators further believe that the suspect has been a prominent figure in the cybercrime landscape for nearly two decades, maintaining close ties with several major threat actors.
Active since 2013, XSS.is has long been recognized by the Paris Prosecutor as a primary conduit for global cybercrime, encompassing everything from access to compromised systems to ransomware-related services. It even provided an encrypted Jabber messaging server to enable anonymous communication among criminals. Alongside “Exploit,” XSS.is has been a foundational element of the Russian-speaking cybercriminal world, with its users predominantly targeting non-Russian-speaking nations. The platform’s sophisticated infrastructure included a built-in reputation system and an escrow service, facilitating secure and scam-free transactions for its nearly 49,000 registered users across more than 110,000 active threads.
This successful takedown comes on the heels of another Europol-led operation just last week, which disrupted the online infrastructure of the pro-Russian hacktivist group NoName057(16).
That action led to two arrests related to distributed denial-of-service (DDoS) attacks against Ukraine and its allies. Recorded Future’s analysis of NoName057(16) revealed a resilient, multi-tiered architecture that targeted nearly 3,800 unique hosts between July 2024 and July 2025, with a significant focus on Ukrainian organizations, followed by European nations supporting Ukraine. These recent law enforcement successes underscore a growing international effort to dismantle the sophisticated networks that underpin the global cybercrime landscape.