Full Report
Officials accuse the unnamed suspect of running XSS.is, a key and long-running marketplace with more than 50,000 registered users. The suspect allegedly made more than $8.2 million. Source: "Authorities in Ukraine nab alleged admin of Russian-language cybercrime forum", first published on CyberScoop.
Analysis Summary
# Threat Actor: Alleged Administrator of XSS.is
## Attribution & Identity
The threat actor is the unnamed alleged administrator of the Russian-language cybercrime forum **XSS.is**. According to the source, they have allegedly been active in the cybercrime ecosystem for nearly two decades and maintained close ties to several major threat actors.
## Activity Summary
The individual was arrested in Kyiv, Ukraine, on July 22, 2025, following a four-year investigation led by the Paris public prosecutor’s office, with support from French police investigators and Europol. The core activity centered on running and administering the influential cybercrime marketplace **XSS.is**, which was operational since 2013 and boasted over 50,000 registered users. The suspect allegedly earned over **$8.2 million** in advertising and facilitation fees. Authorities also believe the suspect ran **thesecure.biz**, a Jabber-powered private messaging service used for cybercrime.
## Tactics, Techniques & Procedures
- Running and administering a large-scale, established cybercrime marketplace (XSS.is).
- Facilitating the trade of stolen data, malware, access to compromised systems, and ransomware services.
- Operating private messaging infrastructure for cybercriminal coordination (e.g., thesecure.biz).
- Earning revenue through advertising and facilitation fees across the platform.
- Coordinating activities with various major threat actors over time.
- *No specific MITRE ATT&CK IDs were mentioned in the source text.*
## Targeting
- Sectors: Not specified in the source. The platform facilitated trade in stolen data, malware, and ransomware services, indicating broad, sector-agnostic cybercrime targeting.
- Geography: The investigation involved Ukrainian authorities (arrest location), French authorities (investigation lead), and Europol. The forum itself was Russian-language.
- Victims: No specific victim organizations were named, but the activities involved the sale of stolen data and of access to compromised systems.
## Tools & Infrastructure
- **Malware families used:** None named in the source; the forum facilitated the sale of malware and of ransomware services.
- **Infrastructure:**
  - **XSS.is:** The primary marketplace (domain seized).
  - **thesecure.biz:** A Jabber-powered private messaging service (reportedly remains online).
- **C2/IPs:** Not detailed in the source.
## Implications
The arrest of the alleged administrator of XSS.is, together with the seizure of the forum's domain, represents a significant blow to the infrastructure supporting Russian-language cybercriminal networks. The forum's long operation (since 2013) and high user count indicate it served as a central coordination, advertising, and recruitment platform for dangerous cybercriminal networks. Seized data is expected to support ongoing international investigations.
## Mitigations
- International cooperation between law enforcement agencies (Europol, France, Ukraine) is critical for dismantling major cybercrime enablers.
- Continuous monitoring and disruption of established, long-running cybercrime forums and related private communication channels.
- Use of intelligence derived from seized infrastructure to support wider ongoing investigations.