Europol Arrests XSS Forum Admin in Kyiv After 12-Year Run Operating Cybercrime Marketplace


Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform.

The arrest, which took place in Kyiv, Ukraine, on July 22, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the French Police in July 2021.

Coupled with the arrest, law enforcement has also taken control of the clearnet domain of XSS.is, greeting visitors with a seizure notice, "This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with support of the SBU Cyber Division."

"The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services," the law enforcement agency said. "It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit."

The forum's administrator, in addition to participating in the technical operations of the service, is alleged to have enabled criminal activity by acting as a trusted third party to arbitrate disputes between criminals and guarantee the security of transactions.

The unnamed individual is also believed to have run thesecure.biz, a private messaging platform specifically built to cater to the needs of cybercriminals. Through these illicit ventures, the suspect is estimated to have made €7 million ($8.24 million) in revenue from advertising and facilitation fees.

"Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years," Europol added.

According to the Paris Prosecutor, XSS.is has been active since 2013, acting as a hub for all manner of cybercrime, ranging from access to compromised systems to ransomware-related services. It also offered an encrypted Jabber messaging server that let cybercriminals communicate anonymously.

XSS.is, along with Exploit, has served as the backbone of the Russian-speaking cybercriminal ecosystem, with the threat actors on these forums primarily singling out non-Russian-speaking countries. Data shared by KELA shows that XSS currently has 48,750 registered users and more than 110,000 threads.

"To facilitate illicit transactions, the forum has a built-in reputation system," KELA said. "Members can use a forum-appointed escrow service to ensure that deals are completed without scams, as well as add a deposit, contributing to their reputation."

The development comes a week after a Europol-led operation disrupted the online infrastructure associated with a pro-Russian hacktivist group known as NoName057(16) and the arrest of two individuals for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies using a volunteer-driven Go-based tool called DDoSia.

Recorded Future's Insikt Group, in a report published this week, said the group targeted 3,776 unique hosts between July 1, 2024, and July 14, 2025, primarily government, public-sector, transportation, technology, media, and financial entities in European countries opposing Russia's invasion of Ukraine.

Ukrainian organizations accounted for the largest share of targets (29.47%), followed by France (6.09%), Italy (5.39%), Sweden (5.29%), Germany (4.60%), Israel (4.50%), Czechia (4%), Poland (4%), and the U.K. (3.30%). The United States is a notable exclusion, despite its support for Ukraine.

An extensive analysis of NoName057(16)'s infrastructure has laid bare a resilient, multi-tiered architecture consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to restrict upstream access and maintain reliable C2 functionality. As many as 275 unique Tier 1 servers were identified during the time period.

"The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine," the Mastercard-owned cybersecurity company said.

"NoName057(16) uses a mix of network and application-layer DDoS attacks, selecting methods designed to overwhelm server resources and disrupt availability. The threat group's attack methodology is straightforward but effective, prioritizing high-volume floods and resource exhaustion techniques."
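The application-layer half of that mix, HTTP request floods aimed at expensive endpoints, is the part a defender sees first in web-server access logs. The following is an added example, not code from Recorded Future's report and not the DDoSia tool itself: a small sliding-window detector that flags a single source exceeding a request-rate threshold and an endpoint receiving requests from an unusually large number of distinct clients in the same window (the fingerprint of a distributed flood from many volunteer nodes). The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
"""Sliding-window HTTP flood detection over access-log lines (constructed sample data).

Two heuristics matching the behaviour described in the text:
  * per-source rate: one client exceeding N requests inside a time window;
  * per-path fan-in: many distinct clients hitting the same endpoint inside a
    window, which is what a distributed application-layer flood looks like.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: ip ident user [ts] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, ip, path-without-query) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("ip"), m.group("path").split("?", 1)[0]


def detect_flood(lines, window_s=10, per_ip_threshold=20, per_path_threshold=25):
    """Scan time-ordered log lines and return only the sources/paths that crossed a threshold.

    Result: {"sources": {ip: peak_requests_in_window},
             "paths":   {path: peak_distinct_ips_in_window}}
    Thresholds are assumed values for the example; tune them against your own baseline.
    """
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)      # ip -> timestamps still inside the window
    per_path = defaultdict(deque)    # path -> (timestamp, ip) still inside the window
    flagged_ips, flagged_paths = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip malformed lines rather than crashing the scan
        ts, ip, path = parsed
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # evict requests older than the window
        if len(q) >= per_ip_threshold:
            flagged_ips[ip] = max(flagged_ips.get(ip, 0), len(q))
        pq = per_path[path]
        pq.append((ts, ip))
        while pq and ts - pq[0][0] > window:
            pq.popleft()
        distinct = len({src for _, src in pq})
        if distinct >= per_path_threshold:
            flagged_paths[path] = max(flagged_paths.get(path, 0), distinct)
    return {"sources": flagged_ips, "paths": flagged_paths}


def constructed_sample_log():
    """Synthetic access log: background browsing, one single-source flood, one distributed flood."""
    base = datetime.strptime("22/Jul/2025:10:00:00 +0000", TS_FMT)

    def entry(offset_s, ip, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(30):                                          # 3 normal clients, 1 req / 2 s
        lines.append(entry(i * 2, f"10.0.0.{i % 3 + 1}", "/index.html"))
    for i in range(40):                                          # one client, 40 requests in 4 s
        lines.append(entry(20 + i * 0.1, "198.51.100.7", f"/search?q={i}"))
    for i in range(30):                                          # 30 clients, same endpoint in 6 s
        lines.append(entry(40 + i * 0.2, f"203.0.113.{i + 1}", "/api/report"))
    lines.sort(key=lambda l: parse_line(l)[0])                   # logs arrive in time order
    return lines


if __name__ == "__main__":
    print(detect_flood(constructed_sample_log()))
```

The per-path check is the one that matters against a volunteer botnet: each node may stay under any per-IP limit while the endpoint still collapses, so fan-in per endpoint, not per-client rate, is the signal to alert on. The network-layer floods in the same mix saturate links before a request ever reaches the web server, so they need flow telemetry at the edge rather than access logs.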