The SBU, together with the French police, have shut down the #1 hacker forum in the CIS, XSS.IS: a stub is hanging on the site, and the main admin has been arrested in Kyiv. We tell you why this is the antithesis for hackers from all over the world

The website of one of the most famous hacker platforms, XSS.IS, whose users were mostly Russian, is no longer working. It now shows a stub with "greetings" from the SBU and French law enforcement officers. This follows the arrest of its admin in Kyiv on July 22. This is probably the administrator with the nickname Tokha, who is also the founder of another large hacker forum, exploit.in.

Law enforcement officials report a partial shutdown of the XSS.IS infrastructure, while cybercriminals claim that the main server was not affected. Are these actions enough to completely shut down XSS.IS? We asked Ukrainian white hat hacker Mykyta Knysh and Ukrainian hacktivist Sean Townsend about this, and learned some interesting details.

XSS.IS and Russian intelligence

The XSS.IS forum was originally launched in 2004 under the name DaMaGeLaB as a Russian-language hacker community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian citizen Serhiy Yarets, known on the forum as "Ar3s," was arrested, Hackread.com reports.

In late 2018, a prominent forum administrator obtained a backup copy of the site and relaunched it under the new name XSS, a reference to a web security vulnerability known as cross-site scripting.

The name change had two main goals. First, it distanced the forum from its past associations with law enforcement under the name DaMaGeLaB. Second, it gave the site a more technical and modern image, referencing a vulnerability familiar to its target audience.

Authorities and the cybersecurity community have long suspected that XSS.IS was run or supported by Russian intelligence services, including the Foreign Intelligence Service (SVR), the Federal Security Service (FSB), and the Main Intelligence Directorate (GRU).

More than 50,000 users were registered on the forum. Among them were well-known hacker groups, including REvil, LockBit, Conti, and Qilin.

Using the forum's "services," cybercriminals attacked automated management systems of banks, government agencies, and large corporations in the US and the European Union.

For example, attackers used malicious software purchased on the forum and priority access to the computer networks of international companies to further extort money.

If they refused, they threatened to "leak" their confidential data onto the Internet and paralyze the organization's work.

Numerous cases of using the online platform to recruit new members of hacker groups and sell the latest virus programs have also been documented.

On July 22, the administrator of XSS.IS was arrested at his apartment in Kyiv. He turned out to be a 37-year-old Ukrainian citizen. His role was to create and technically administer the resource — he provided the infrastructure for the criminal activities of other individuals and received a percentage from it. The operation was carried out by the SBU together with the National Police, French law enforcement officers, and Europol.

End of XSS.IS history or not?

After the admin was arrested, XSS.IS was removed. Forum visitors could see the following message: “This domain has been removed by the Cybercrime Brigade (ed. — France) with the assistance of the Cybersecurity Department of the SBU.”

However, darknet and mirror domains only showed a 504 Gateway Timeout error. On July 23, a Telegram channel associated with the XSS.IS administrator showed no signs of being taken down and was marked as "recently active."

On July 24, a message appeared from XSS.IS stating that the main server was not damaged. It then said that the forum was available and would soon move to another domain. But one of the administrators, the one with the nickname Tokha, is unreachable, and some of the others who worked in forum support are not in touch.

"Tokha is unavailable, but this option was discussed with him in advance, in order to maintain the forum's functionality despite everything and everyone. Some of the people who helped support the forum are not getting in touch. The backend and backups are safe, but part of the infrastructure has caught fire and will require replacement. This will not affect the work of the forum.
The domain has been canceled at the registrar, a new one will be created later, all old .onion domains will be replaced for security purposes. The moderators remain for now. Deposit operations are paused,” the message says.

Who is Tokha and what could his arrest mean for the forum?

As Ukrainian white hat hacker Mykyta Knysh explained to us, the issue here is not the address, but the basic information stored on the server: "Even if they took away the main server, they still have backups on which they can restore the service. You need to arrest all the leaders of the cyber group at the same time. And if you arrest three out of five admins, the system will be updated. The question is: is the leader arrested or not?"

Knysh also confirms that, together with the server, law enforcement officers could have gained access to some of the cybercriminals' user data: "If they (law enforcement officers) seized the server that stored the forum users' logins and passwords, then yes, they seized this information. But it could also be that they seized the Proxy server, then only blocked the domain through the registrar."

He adds that the seized data may have some value for further investigations, but it is impossible to say that it will be significant.

Knysh also adds that there are many alternative forums, such as wwh, exploit, antichat, migalki, lolz, duty.

Ukrainian hacktivist Sean Townsend believes that the arrested person is probably the admin with the nickname Tokha, and that the site itself is now under the control of law enforcement officers.

"The Tor version of the site is working. But it is not run by the admin, he said so himself, so neither moderators nor other users can verify who he really is. No one has any connection with "Tokha", the site admin, so most likely he was detained, and the site is under the control of law enforcement officers. The admin is the owner of the resource in this case; it is a technical position. If this is "Tokha", then he is the creator of another such site, exploit.in. A few years ago, he passed exploit on to other people, and he himself switched to xss, after Ar3s (the creator of xss, which was called damagelab and has existed since 2004) was detained."

What's next?

An investigation is currently underway to determine whether other individuals were involved in the activities of the XSS.IS forum. The evidence collected in Ukraine has been transferred to the competent judicial authorities of the French Republic as part of international legal assistance procedures.
