Europol on Monday announced the arrest of the suspected administrator of XSS.is (formerly DaMaGeLaB), a notorious Russian-speaking cybercrime platform.
The arrest, which took place in Kyiv, Ukraine, on July 22, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The action is the result of an investigation that was launched by the French Police in July 2021.
Coupled with the arrest, law enforcement has also taken control of the clearnet domain of XSS.is, greeting visitors with a seizure notice, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with help of the SBU Cyber Division.”
“The forum, which had more than 50,000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services,” the law enforcement agency said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, promote and recruit.”
The forum’s administrator, besides engaging in the technical operations of the service, is alleged to have enabled criminal activity by acting as a trusted third-party to arbitrate disputes between criminals and guarantee the security of transactions.
The unnamed individual is also believed to have run thesecure.biz, a private messaging platform specially built to cater to the needs of cybercriminals. Through these illicit ventures, the suspect is estimated to have made €7 million ($8.24 million) in profits from advertising and facilitation fees.
“Investigators believe he has been active in the cybercrime ecosystem for nearly twenty years, and maintained close ties to several major threat actors over time,” Europol added.
According to the Paris Prosecutor, XSS.is has been active since 2013, acting as a hub for all things cybercrime, ranging from access to compromised systems to ransomware-related services. It also offered an encrypted Jabber messaging server that let cybercriminals communicate anonymously.
XSS.is, along with Exploit, has served as the backbone of the Russian-speaking cybercriminal ecosystem, with the threat actors on these forums primarily singling out non-Russian-speaking countries. Data shared by KELA shows that XSS currently has 48,750 registered users and more than 110,000 threads.
“To facilitate illicit transactions, the forum has a built-in reputation system,” KELA said. “Members can use a forum-appointed escrow service to ensure that deals are completed without scams, as well as add a deposit, contributing to their reputation.”
The development comes a week after a Europol-led operation disrupted the online infrastructure associated with a pro-Russian hacktivist group known as NoName057(16) and the arrest of two people for conducting distributed denial-of-service (DDoS) attacks against Ukraine and its allies using a volunteer-driven Go-based tool called DDoSia.
Recorded Future’s Insikt Group, in a report published this week, said the group targeted 3,776 unique hosts between July 1, 2024, and July 14, 2025, primarily government, public-sector, transportation, technology, media, and financial entities in European countries opposing Russia’s invasion of Ukraine.
Ukrainian organizations accounted for the largest share of targets (29.47%), followed by France (6.09%), Italy (5.39%), Sweden (5.29%), Germany (4.60%), Israel (4.50%), Czechia (4%), Poland (4%), and the UK (3.30%). The United States is a notable exclusion, despite its support for Ukraine.
A detailed analysis of NoName057(16)’s infrastructure has laid bare a resilient, multi-tiered architecture consisting of rapidly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by access control lists (ACLs) to limit upstream access and maintain reliable C2 functionality. As many as 275 unique Tier 1 servers were identified during the time period.
“The threat group maintains a high operational tempo, averaging 50 unique targets daily, with intense bursts of activity correlating to geopolitical and military developments in Ukraine,” the Mastercard-owned cybersecurity company said.
“NoName057(16) uses a mix of network and application-layer DDoS attacks, selecting methods designed to overwhelm server resources and disrupt availability. The threat group’s attack methodology is simple yet effective, prioritizing high-volume floods and resource exhaustion techniques.”