XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t

Pierluigi Paganini
June 30, 2026

Police arrested the alleged admin of XSS.is, a major cybercrime forum whose trusted escrow service helped power the underground economy.

On 22 July 2025, French and Ukrainian police arrested a 38-year-old man in Kyiv and shut down XSS.is, the most influential Russian-language cybercrime forum of the past decade. Europol, which coordinated the operation under the name Ratatouille, said the forum had over 50,000 members and that the suspect had earned more than EUR 7 million acting as a trusted middleman for criminal deals. That last part matters more than it sounds.

XSS wasn’t just a message board. It was the wholesale layer of the intrusion economy, where malware authors, exploit sellers, spammers, and ransomware affiliates met to trade. The forum ran its own escrow and arbitration service, so two criminals who’d never met could complete a transaction without either getting cheated. That trust function, not any single product on offer, is what made XSS structurally important to the whole operation.

The lineage is long. DaMaGeLaB ran from 2004 to 2017, when its administrator was arrested. In 2018, a partial backup was relaunched as xss.is by an operator using the handle “Toha,” who’d been active in the Russian underground since at least 2005. The earliest registration timestamps in the leaked database trace back to November 2004. Europol assessed that the arrested suspect had spent nearly 20 years in cybercrime.

Europol didn’t name the suspect, citing the live investigation, but open-source researchers and the cybercrime community converged on Toha. KrebsOnSecurity pivoted through domain registration records linked to his historic email address and surfaced a Kyiv resident named Anton Medvedovskiy, born December 1987, whose age matches the arrested suspect. A separate claim from 2022, later amplified by LockBitSupp, pointed to a Russian named Anton Avdeev. That trail may have been deliberate misdirection.

The Ransomnews Research Team analyzed a leaked copy of the XSS XenForo database: 14,509 threads, 123,241 public messages, 7,706 registered accounts, and a private layer of 6,168 conversations. The language signal is clear. Across all message text, 62.2% of alphabetic characters are Cyrillic, and 53.6% of accounts registered with an email on a CIS-region domain. Russian webmail providers collectively outnumber Gmail. A minority used ProtonMail, which is routine operational security in this community.

“Mapping the 51 sections by message volume shows what the forum was actually for. Beyond the inevitable off-topic lounge and administration boards, the busiest trading sections are web-application vulnerabilities, malware, exploit kits and crypting, network and Wi-Fi vulnerabilities, and a dedicated access board (‘shells, FTP, roots, databases, SQL injection, RDPs’),” reads the report published by the Ransomnews Research Team. “One administrative thread title preserved in the dump, a complaint about spam from ‘thesecure.biz,’ is itself an artefact: thesecure.biz is the encrypted Jabber server Europol later said the arrested administrator operated.”

The busiest trading sections, by message volume, were web-application vulnerabilities, malware, exploit kits, crypting services, and a dedicated access board for shells, FTP roots, databases, and RDPs. Reducing the messages to keyword frequency tells the same story: stealer logs, FUD (fully undetectable) crypting, credit-card data, network access, exploits, and web shells. As the report puts it, “this is the raw material of ransomware intrusions, traded one layer upstream of the attack itself.”

Posting time is hard to fake, because it reflects when people are actually awake and working. The XSS data shows a textbook salaried-workday pattern. Activity climbs sharply from 06:00 UTC and peaks between 09:00 and 13:00 UTC, which is the middle of the working day in Moscow. Weekdays dominate, with Monday and Tuesday the busiest and a clear dip on weekends. This matches the same rhythm the same research team found when timing 16,699 ransomware leak-site posts.
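The two signals above, the Cyrillic share of message text and the UTC posting-hour profile, can be reproduced on any forum export. The block below is an added illustration written for this article, not code from the Ransomnews team, and it runs on a handful of constructed sample posts rather than the leaked database; the `best_utc_offset` helper generalizes the Moscow-hours observation by scoring every whole-hour offset against a 09:00-17:00 local office day.

```python
from collections import Counter
from datetime import datetime, timezone
import unicodedata

# Constructed sample messages (UTC timestamp, text); not rows from the leaked database.
SAMPLE_POSTS = [
    ("2021-03-01T06:10:00", "Продам доступ rdp, 5 хостов, торг"),
    ("2021-03-01T09:45:00", "Ищу крипт FUD, оплата через гарант"),
    ("2021-03-02T10:30:00", "selling shells and ftp, escrow only"),
    ("2021-03-02T12:15:00", "Логи стилера, свежие, пишите в jabber"),
    ("2021-03-03T11:05:00", "Нужен эксплойт под web, бюджет есть"),
    ("2021-03-06T22:40:00", "weekend bump, still available"),
]

def cyrillic_share(texts):
    """Fraction of alphabetic characters whose Unicode name marks them as Cyrillic."""
    letters = [c for t in texts for c in t if c.isalpha()]
    if not letters:
        return 0.0
    cyr = sum(1 for c in letters if unicodedata.name(c, "").startswith("CYRILLIC"))
    return cyr / len(letters)

def hour_histogram(timestamps):
    """Number of posts per UTC hour of day (0-23)."""
    hist = Counter()
    for ts in timestamps:
        dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        hist[dt.hour] += 1
    return hist

def best_utc_offset(hist, work_start=9, work_end=17):
    """Whole-hour UTC offset under which the largest share of posts falls
    inside local office hours [work_start, work_end); first maximum wins."""
    total = sum(hist.values())
    if not total:
        return None, 0.0
    best_off, best_share = 0, -1.0
    for off in range(-12, 15):
        inside = sum(n for h, n in hist.items() if work_start <= (h + off) % 24 < work_end)
        share = inside / total
        if share > best_share:
            best_off, best_share = off, share
    return best_off, best_share

if __name__ == "__main__":
    hist = hour_histogram([ts for ts, _ in SAMPLE_POSTS])
    print(f"Cyrillic share: {cyrillic_share([t for _, t in SAMPLE_POSTS]):.1%}")
    print("UTC offset best matching 09-17 office hours:", best_utc_offset(hist))
```

On the sample data the best-fitting offset is UTC+3, the same Moscow-hours signal the report describes; on real data the weekday dip should be checked alongside the hourly peak.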

The access-log telemetry covers 19,192 events across 7,061 unique IP addresses in 79 countries. Russia is the largest single source of distinct accounts at 564, far ahead of any other country. The US and the Netherlands rank high by raw IP count, but those totals are dominated by VPN endpoints, hosting providers, and Tor exit relays.

“Russia is the largest single source of distinct accounts (564), far ahead of any other country. The United States and the Netherlands rank high by raw IP count, but those totals are dominated by VPN endpoints, hosting providers and Tor exit relays rather than residents,” continues the report. “Geolocating a security-conscious crime forum measures where members route traffic, not where they sleep; combined with the 62% Cyrillic text and Moscow working hours, the centre of gravity is clearly the Russian-speaking world.”

XSS sat at the very start of the attack chain, in what MITRE ATT&CK calls Resource Development and the supply side of Initial Access. Members didn’t run the ransomware. They sold the door in. Initial access brokers listed footholds into corporate networks as structured auctions, with a starting price, a bid increment, and a buy-it-now option. One documented listing had a USD 25,000 start and a USD 40,000 buy-it-now for access to a US manufacturer with USD 800 million in revenue. An affiliate buys that listing, runs the intrusion, and the broker never touches the ransomware.

Intel 471 recorded 4,878 access and credential sale listings from initial access brokers between June 2024 and May 2025, correlated 70 to victims later named on ransomware leak sites, and measured a median of roughly 19 days between an access listing and the victim appearing on a leak blog. That gap is the most operationally useful number in the whole report. It’s a detection window.

On 13 May 2021, days after the DarkSide attack on Colonial Pipeline, the XSS administrator banned all ransomware activity and deleted existing ransomware threads. Exploit and RaidForums followed within hours. This was widely read as forums cleaning up their act.

The data tells a different story.

“Within hours Exploit and RaidForums followed. The move is often described as forums ‘turning against’ ransomware. The data-aware reading is narrower: the ban removed the loud, branded affiliate-recruitment threads that attracted Western law enforcement, while the quieter and more valuable access trade that actually feeds ransomware carried on,” states the report. “It was reputation management, not a change of business.”

Operation Ratatouille was led by French Police and JUNALCO, working with Ukraine’s National Police and SBU. The investigation opened in July 2021 and ran four years before the arrest. Officers seized the thesecure.biz Jabber server in addition to the forum itself. That’s the part the underground feared most.

XSS reappeared on a new Tor address within days, but with all moderators dismissed, member balances zeroed, and returning users asked to pay a fresh deposit. Few trusted it. KELA tracked a splinter called “DamageLib” emerging from the disruption. Intel 471 framed the aftermath as a loss of trust rather than a loss of infrastructure, with access-broker activity shifting toward RAMP and DarkForums.

The forensic exposure is the lasting problem. One Exploit forum member summed it up in a thread about the arrest: investigators now hold two years of Jabber server logs, a full backup and the forum database, material that can link nicknames, emails, password hashes, Jabber IDs, IP addresses, and writing style into ready-made dossiers. For a marketplace whose entire value was a trusted middleman holding everyone’s secrets, that’s the more durable damage.

What defenders can do with 19 days

The takedown removes a hub, not the economy. Access brokering and exploit sales migrate faster than any single arrest can suppress. The practical response is early and intelligence-led: monitor initial-access-broker chatter for your sector and named assets, watch for your organization’s credentials surfacing in stealer logs, and track leak-site activity on a live victim feed. Close exposed RDP and VPN, enforce phishing-resistant MFA, and rotate credentials that appear in breach data. The seizure of XSS is a real win. The market it served is still open.
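One concrete form of the “watch for your organization’s credentials in stealer logs” step is a triage pass that matches exposed records against the domains you own and singles out remote-access hosts. The block below is an added example for this article, not code from the author or any vendor; the pipe-separated `url|login|password` layout and the log lines are constructed for illustration, since real stealer-log exports vary by malware family.

```python
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical url|login|password layout.
SAMPLE_LOG = """\
https://vpn.example.com/remote/login|jdoe@example.com|Summer2024!
https://mail.google.com/|jdoe@gmail.com|personalpw
https://portal.partner.net/sso|jdoe@example.com|Summer2024!
https://rdp.example.com:3389/|admin|P@ssw0rd
not a valid line
"""

# Domains the defender owns (constructed); matched by target host or login e-mail domain.
MONITORED_DOMAINS = {"example.com"}
# Host-name prefixes that usually mark a remote-access door, the kind of foothold brokers resell.
REMOTE_ACCESS_PREFIXES = ("vpn", "rdp", "remote", "citrix", "owa")

def _in_scope(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)

def triage(log_text, domains=MONITORED_DOMAINS):
    """Return (logins to rotate, remote-access hosts seen) for every record that
    touches a monitored domain. Malformed lines are skipped, not fatal."""
    rotate, remote_hosts = set(), set()
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        url, login, _password = parts  # the secret itself is never kept or printed
        host = (urlsplit(url).hostname or "").lower()
        login_domain = login.rsplit("@", 1)[-1].lower() if "@" in login else ""
        if _in_scope(host, domains) or _in_scope(login_domain, domains):
            rotate.add(login)
            if host.split(".")[0].startswith(REMOTE_ACCESS_PREFIXES):
                remote_hosts.add(host)
    return sorted(rotate), sorted(remote_hosts)

if __name__ == "__main__":
    logins, hosts = triage(SAMPLE_LOG)
    print("rotate:", logins)
    print("remote-access hosts to review:", hosts)
```

The partner-site record is caught through the corporate e-mail domain even though the host is not yours, which is the reuse case that credential rotation is meant to close.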


(SecurityAffairs – hacking, XSS.is)