Cybercrime hotspot XSS: Admin arrested, forum confiscated – or not?

A Ukrainian was arrested by Europol and local investigators; he is said to have been operator of the forum. Meanwhile, there is nervousness in the underground.

Underground forum XSS

The French and Ukrainian authorities have apparently pulled off another coup in the international fight against cybercrime. Coordinated by Europol, officials from the SBU (Служба безпеки України, Ukraine's domestic intelligence service) and the French police arrested a man in Kyiv. He played a key role in the operation of the underground forum XSS and earned more than seven million euros from it over the years, the authorities say.

The main suspect not only managed the technical platform, but also facilitated criminal transactions, according to the accusation. He secured transactions as a trusted third party ("escrow") and settled disputes between cyber crooks. XSS has its own sub-forum for this so-called arbitrage. He has generated more than seven million euros in revenue through commissions and advertising income.


The forum has existed for more than 20 years; it was founded in 2004 under the name DaMaGeLaB, and the man who has now been arrested is said to have maintained links to cyber criminals for almost as long. Prominent names have come and gone at XSS, such as the mastermind behind the LockBit ransomware, identified by investigators as the Russian Dmitry K., or "Lumma", the inventor or inventors of the infostealer malware of the same name. Both are currently banned from XSS and in trouble with international investigative authorities.

Shortly after the arrest was announced, it appeared that the forum and all user data had also fallen into the hands of the investigators: The domain "xss.is" is emblazoned with the usual banner of the investigating authorities involved in such digital raids. XSS's onion address, accessible via the Tor network, was also offline on July 23, but has since been restored. However, mistrust prevails in the forum: Many users assume that Europol has taken over the administration and is reading along for a while in order to advance the investigation.

That was probably niXSS: Investigators have confiscated a domain of the underground forum.

This suspicion is also supported by the fact that several warning messages pointing to the arrest were initially deleted by moderators, while the forum administrator has not been active since July 22. Another underground forum with the telling name "Exploit" has also been unavailable since yesterday, Wednesday, further increasing the unrest in the underground.

"Everyone was arrested at once," an alleged witness to the action is quoted as saying in another darknet forum. Not only the main administrator of XSS, but also moderators as well as the hoster and backbone provider were arrested, a claim that contradicts Europol's official statement. Nevertheless, more and more voices are calling it the end of an era. Some are bidding an emotional farewell to their digital home in the underground, while other users are taking a pragmatic approach.

Several participants have apparently made backup copies of the forum and all discussion threads in order to save them from the feared shutdown. This may seem superfluous for the majority of criminal activity on XSS; who wants to keep disputes between ransomware gangsters about commission payments for posterity? But in some areas, XSS was definitely interesting to read: the analyses of new malware variants by forum participants were sometimes at a high technical level.

However, such forum gems do not outweigh the fact that XSS has served as a meeting place for criminals in recent years, where they forged contacts and alliances and worked together to find ways to squeeze the maximum profit out of their victims using malware, blackmail and other means.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.