Investigators have revealed the name and history of the admin of the notorious XSS hacker forum, who was detained in Kyiv in July. So who is Toha?

KrebsOnSecurity, a leading resource in the field of investigative journalism about cybercrime and Internet security, has dug into the topic in an attempt to reveal the name and biography of the founder of the xss.is forum, a legendary figure in the hacker world.

As a reminder, on July 22, 2025, the European police agency Europol and the SBU announced that they had arrested in Kyiv a 38-year-old administrator of XSS, a Russian-language cybercrime forum with over 50,000 members.

This action has sparked a constant frenzy of speculation and panic among XSS users regarding the identity of the unnamed suspect, but everyone agrees that he is a key figure on the criminal forum using the hacker nickname «Toha».

Europol and the SBU did not name the accused, but released partially obscured photos from the scene of the arrest. The police agency said the suspect acted as a trusted third party, resolving disputes between criminals and ensuring the security of transactions on XSS. The Security Service of Ukraine said in a statement that the XSS participants included many cybercriminals from various ransomware groups, including REvil, LockBit, Conti and Qilin.

After Europol’s announcement, the XSS forum reappeared at a new address on the darknet. But the open domain on the internet (xss.is) was no longer operational. Toha’s accounts on other forums have been silent since the arrest.

History

Europol said the suspect has a nearly 20-year career in cybercrime, roughly matching Toha’s. In 2005, Toha co-founded the Russian-language forum Hack-All, which was hacked a few months after its debut. In 2006, Toha renamed the forum exploit[.]in, which later attracted tens of thousands of members.

In 2018, Toha announced that he was selling the Exploit forum, sparking wild speculation on forums that the buyer was secretly a Russian or Ukrainian state agency or front person. However, these suspicions were not supported by evidence, and Toha strongly denied that the forum had been handed over to the authorities.

One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator «Ar3s» was arrested. In 2018, a partial backup of the DaMaGeLaB forum was renamed xss[.]is, with Toha becoming its declared administrator.

Toha and his domains

Clues to Toha’s early online presence, from around 2004 to 2010, are available in the archives of Intel 471, a cyber-intelligence firm that tracks forum activity. Intel 471 shows that Toha used the same email address for multiple forum accounts, including Exploit, Antichat, Carder[.]su, and inattack[.]ru.

DomainTools.com reveals that Toha’s email address ([email protected]) was used to register at least a dozen domain names, most of them dating back to the mid-to-late 2000s. In addition to exploit[.]in and a domain called ixyq[.]com, other domains registered to this email address end in .ua, the top-level domain for Ukraine (for example, deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

Almost all domains registered to [email protected] contain the name Anton Medvedovsky in the registration records, with the exception of the aforementioned ixyq[.]com, which is registered in the name of Yuri Avdeev in Moscow.

The name Avdeev came up during a long conversation with Lockbitsupp, the leader of the predatory and destructive LockBit ransomware affiliate group. The conversation took place in February 2024, when Lockbitsupp asked for help in establishing Toha’s true identity.

It appears that Lockbitsupp’s request was based on a since-deleted Twitter post from 2022, in which a user by the name «3xp0rt» claimed that Toha was a Russian named Anton Viktorovich Avdeev, born on October 27, 1983.

An Internet search for Toha’s email address [email protected] revealed a 2010 sales ad on the bmwclub.ru forum, where a user named Honeypo was selling a 2007 BMW X5. The ad listed Anton Avdeev as the contact person and the phone number 9588693.

A search for the phone number 9588693 on the Constella Intelligence breach tracking service turns up a slew of official Russian government documents with that number, date of birth, and the name Anton Viktorovich Avdeev. For example, the hacked Russian government documents show that this individual has a Russian tax ID and SIN (social insurance number), and that he has been ticketed by Moscow police for traffic violations several times: in 2004, 2006, 2009, and 2014.

However, there is a slight discrepancy between the ages of Avdeev (41) and the XSS administrator arrested this month (38), which seems to suggest that the arrested person is someone else.

Witness

For more information on this issue, KrebsOnSecurity reached out to Serhiy Vovnenko, a former cybercriminal from Ukraine who now works at security startup paranoidlab.com, for comment.

For several years, starting around 2010, Vovnenko was the owner and operator of thesecure[.]biz, an encrypted «Jabber» instant messaging server that Europol said was run by the suspect arrested in Kyiv.

Vovnenko, who used the hacker nicknames Fly and Flycracker, was arrested for cybercrime, extradited to the United States, convicted, and deported after spending 16 months in the U.S. prison system.

Vovnenko said he purchased a credit card cloning device from Toha in 2009, and that Toha shipped the product from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

Vovnenko believes that thesecure[.]biz was hijacked while he was in prison, by Toha and/or by an XSS administrator who went by the nicknames N0klos and Sonic.

«When I was in prison, the xss.is administrator stole this domain, or probably N0klos bought XSS from Toha, or vice versa,» Vovnenko said of the Jabber domain. «No one from [the forums] talked to me after my imprisonment, so I can only guess what really happened.»

When asked if he believed Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko claimed that Toha was Russian and that «the French police took the wrong person.»

So who is Toha?

So who did the Ukrainian police arrest in response to the French authorities' investigation? It seems plausible to the investigator that the BMW ad, which listed Toha’s email address alongside the name and phone number of a Russian citizen, was simply misinformation on Toha’s part, intended to confuse and mislead investigators. Perhaps this even explains the surname Avdeev, which appears in the registration records of one of Toha’s domains.

But sometimes the simplest answer is the right one, the investigator writes. «Toha» matches the name in the registration records for more than a dozen domains associated with Toha’s email address ([email protected]): Anton Medvedovsky.

Constella Intelligence identified Anton Gennadiyovych Medvedovsky, who will turn 38 in December, as a resident of Kyiv. This individual has the email address [email protected] and an Airbnb account with a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by Ukrainian police.

«My take on this removal is that Ukrainian authorities likely arrested Medvedovsky. Toha shared on DaMaGeLab in 2005 that he had recently graduated from 11th grade and was attending university — Medvedovsky would have been around 18 at the time. On December 11, 2006, other Exploit participants wished Toha a happy birthday. Records exposed during the hack of the Ukrainian government services portal diia.gov.ua in 2022 show that Medvedovsky’s birthday is December 11, 1987,» the investigation states.

The actions of law enforcement and the resulting confusion over the identity of the detainee have caused chaos in Russian cybercrime forums in recent weeks, prompting long and heated debates on the forums about the future of XSS.

What’s happening with XSS now?

XSS restarted at a new Tor address shortly after authorities posted a takedown notice on the forum’s main page, but all trusted moderators from the old forum were fired without explanation. Existing forum members saw their account balances drop to zero and were asked to make a deposit to register on the new forum. The new «administrator» of XSS said they were contacting the previous owners, and that the changes should help restore security and trust in the community.

However, the new administrator’s assurances appear to have done little to assuage the worst fears of former forum members, most of whom appear to be keeping their distance from the relaunched site for now.

«The ‘trusted person’ myth has been dispelled,» warned user «GordonBellford» on August 3 in an Exploit forum thread about the arrest of an XSS administrator. «The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.»
