What Happened to XSS.is? Everything You Need to Know About the Forum Takedown
This week, authorities made a major move against the cybercrime underground. After years of investigation, the suspected admin of XSS.is, one of the most active Russian-speaking hacker forums, was arrested in Ukraine. The forum’s domain was seized, and its once-thriving black market has been disrupted.

Now seized xss.is domain
Here’s what happened, why it matters, and what you need to know.
What is XSS.is?
XSS.is was one of the most active Russian-speaking cybercrime forums. It served as a marketplace for stolen data, malware, access to hacked systems, and ransomware services. It had over 50,000 registered users and operated for more than a decade. Many well-known threat actors used the forum to advertise, recruit, and communicate.

SOCRadar’s Top 10 Deep Web and Dark Web Forums
What Happened?
On July 22, 2025, authorities arrested the suspected administrator of XSS.is in Kyiv, Ukraine. This was the result of a four-year investigation led by French police and the Paris Prosecutor, in close cooperation with Ukrainian law enforcement and Europol.
The suspect also allegedly operated a secure messaging service called thesecure.biz, which allowed cybercriminals to communicate anonymously.

An image shared by Europol shows Ukrainian, French, and Europol officers working together during the investigation into XSS.is (Europol)
Why Was This Forum So Important?
XSS.is wasn’t just another Dark Web forum; it was a major player in the Russian-speaking cybercrime world. Originally launched as DaMaGeLaB, it rebranded to XSS and grew into a trusted platform for selling stolen data, malware, exploits, and access to hacked systems.
Main screen of XSS hacker forum
It was tightly connected to other top forums like Exploit and RAMP. In fact, reputation on XSS was often needed to join newer forums like RAMP 2.0. XSS also played a role in ransomware operations, serving as a recruitment tool for Ransomware-as-a-Service (RaaS) groups before banning such topics in 2021.
With encrypted messaging, dispute resolution services, and strict admin control, XSS offered trust and security that kept it popular for over a decade. Its takedown weakens a key part of the cybercrime ecosystem.
How Much Money Was Involved?
Authorities believe the admin made over €7 million in profits from ad placements and service fees. The intercepted messages from the Jabber server showed extensive illegal activity, including ransomware operations and organized extortion.
How Was the Operation Carried Out?
The French police began the investigation in July 2021. In 2024, they moved into the operational phase in Ukraine. French officers even worked on the ground in Kyiv. Europol helped set up a virtual command post and deployed a mobile office for real-time coordination and data collection.
Why Does This Operation Matter?
This takedown strikes at the heart of the cybercrime economy. According to Europol’s IOCTA 2025 report, stolen data marketplaces drive a wide range of crimes like fraud, identity theft, and ransomware. Platforms like XSS.is give criminals access, anonymity, and trust, three things they need to thrive.
Shutting down XSS.is may not end cybercrime, but it sends a strong message. Law enforcement is getting better at tracking and disrupting these networks.
What Happens Next?
The domain xss.is now displays a seizure notice. However, parts of the infrastructure are still active. The .onion version of the forum is reachable, although access seems restricted. The backup domain xss.as and the Jabber server at thesecure.biz also remain online. These services may still allow communication between users who haven’t abandoned the platform.
Inside the community, moderators are reportedly deleting any mentions of the arrested admin, known by the handle LARVA-27. This appears to be an attempt to suppress panic and control the narrative.
Meanwhile, two newly registered domains, theazot.icu and theazot.xyz, were found redirecting to XSS earlier this year. Both domains share a Malaysian registration address, while the original xss.is and breachforums.is listed contact info tied to Iceland’s police address, possibly to mask ownership or to confuse investigators.

Diagram showing XSS.is connections, redirects, and shared registration data (RakeshKrish12)
The fallout has also affected smaller forums. Kitty Forums announced it would shut down following the XSS seizure, citing “the current situation” as the reason. The admin has listed the forum for sale, asking for payment in Monero only and promising to hand it over to someone “with the power to run it.”

Kitty Forums closes and offers to sell the site after XSS takedown
These moves show that the takedown of XSS has caused real disruption, but also that pieces of the ecosystem are still in motion. Telegram will likely remain one of the main hubs for cybercriminal activity, at least for now. Other Russian-speaking forums will probably see a rise in both user numbers and activity. Still, as seen with the Kitty Forums shutdown, fear is clearly spreading among threat actors.
How Can SOCRadar Help?
Operations like the takedown of XSS.is show how fast the dark web can shift. When one forum goes down, others grow. Threat actors migrate, regroup, and continue their activity — often more carefully than before. That’s why real-time visibility into these underground channels is critical.

Access to the XSS .onion site is limited, but it’s still there; the Hydra grows another head.
SOCRadar’s Advanced Dark Web Monitoring helps security teams stay ahead by tracking activities across hidden forums, marketplaces, Telegram groups, and even .onion sites. It detects mentions of your brand, leaked credentials, and indicators of planned attacks — often before those threats reach the surface.
With SOCRadar, organizations can:
- Monitor evolving threat actor chatter and behavior
- Receive alerts on leaked data or credentials
- Track domain spoofing, phishing infrastructure, and scam campaigns
- Analyze forum discussions tied to ransomware, exploits, and breach activity

SOCRadar’s Advanced Dark Web Monitoring
As the cybercrime landscape shifts, SOCRadar gives you the insights you need to respond quickly and reduce risk, even when the attackers go underground.

