Europol on Monday introduced the arrest of the suspected administrator of XSS.is (previously DaMaGeLaB), a infamous Russian-speaking cybercrime platform.
The arrest, which came about in Kyiv, Ukraine, on July 222, 2025, was led by the French Police and Paris Prosecutor, in collaboration with Ukrainian authorities and Europol. The motion is the results of an investigation that was launched by the French Police in July 2021.
Coupled with the arrest, legislation enforcement has additionally taken management of the clearnet area of XSS.is, greeting guests with a seizure discover, “This area has been seized by la Brigade de Lutte Contre la Cybercriminalité with help of the SBU Cyber Division.”
“The discussion board, which had greater than 50,000 registered customers, served as a key market for stolen knowledge, hacking instruments and illicit companies,” the legislation enforcement company mentioned. “It has lengthy been a central platform for a number of the most lively and harmful cybercriminal networks, used to coordinate, promote and recruit.”
The discussion board’s administrator, apart from partaking within the technical operations of the service, is alleged to have enabled prison exercise by appearing as a trusted third-party to arbitrate disputes between criminals and assure the safety of transactions.
The unnamed particular person can be believed to have run thesecure.biz, a non-public messaging platform specifically constructed to cater to the wants of cybercriminals. By means of these illicit ventures, the suspect is estimated to have made €7 million ($8.24 million) in income from promoting and facilitation charges.
“Investigators imagine he has been lively within the cybercrime ecosystem for practically 20 years, and maintained shut ties to a number of main menace actors through the years,” Europol added.
In response to the Paris Prosecutor, XSS.is has been lively since 2013, appearing as a hub for all this cybercrime, starting from entry to compromised methods and ransomware-related companies. It additionally supplied an encrypted Jabber messaging server that permit cybercriminals talk anonymously.
XSS.is, together with Exploit, has served because the spine of the Russian-speaking cybercriminal ecosystem, with the menace actors on these boards primarily singling out non-Russian-speaking nations. Knowledge shared by KELA exhibits that XSS at present has 48,750 registered customers and greater than 110,000 threads.
“To facilitate illicit transactions, the discussion board has a built-in popularity system,” KELA mentioned. “Members can use a forum-appointed escrow service to make sure that offers are accomplished with out scams, in addition to add a deposit, contributing to their popularity.”
The event comes every week after a Europol-led operation disrupted the net infrastructure related to a pro-Russian hacktivist group often known as NoName057(16) and the arrest of two folks for conducting distributed denial-of-service (DDoS) assaults towards Ukraine and its allies utilizing a volunteer-driven Go-based device referred to as DDoSia.
Recorded Future’s Insikt Group, in a report printed this week, mentioned the group focused 3,776 distinctive hosts between July 1, 2024, and July 14, 2025, primarily authorities, public-sector, transportation, expertise, media, and monetary entities in European nations opposing Russia’s invasion of Ukraine.
Ukrainian organizations accounted for the biggest share of targets (29.47%), adopted by France (6.09%), Italy (5.39%), Sweden (5.29%), Germany (4.60%), Israel (4.50%), Czechia (4%), Poland (4%), and the UK (3.30%). America is a notable exclusion, regardless of its assist for Ukraine.
An intensive evaluation of NoName057(16)’s infrastructure has laid naked a resilient, multi-tiered structure consisting of quickly rotated Tier 1 command-and-control (C2) servers and Tier 2 servers protected by entry management lists (ACLs) to restrict upstream entry and preserve dependable C2 performance. As many as 275 distinctive Tier 1 have been recognized in the course of the time interval.
“The menace group maintains a excessive operational tempo, averaging 50 distinctive targets each day, with intense bursts of exercise correlating to geopolitical and navy developments in Ukraine,” the Mastercard-owned cybersecurity firm mentioned.
“NoName057(16) makes use of a mix of community and application-layer DDoS assaults, choosing strategies designed to overwhelm server sources and disrupt availability. The menace group’s assault methodology is simple but efficient, prioritizing high-volume floods and useful resource exhaustion strategies.”
