Key Operator of World’s Largest XSS Dark Web Platform Detained

The takedown of xss.is represents a significant blow to global cybercriminal networks that have operated with relative impunity on the dark web for nearly two decades.

Major Cybercrime Hub Disrupted

The arrest took place in Kyiv, Ukraine, on July 22, marking the culmination of a multi-year investigation initiated by French Police in 2021.

The suspect, whose identity has not been publicly disclosed, allegedly administered the xss.is forum, which served over 50,000 registered users as a central marketplace for stolen data, hacking tools, and illicit services.

The platform functioned as more than a simple marketplace, operating as a sophisticated criminal ecosystem where dangerous cybercriminal networks coordinated operations, advertised services, and recruited new members.

The administrator’s role extended beyond technical operations, as investigators believe he served as a trusted intermediary, arbitrating disputes between criminals and guaranteeing transaction security.

Through his criminal enterprise, which included operating thesecure.biz, a private messaging service designed for cybercriminal communications, the suspect allegedly generated over €7 million in advertising and facilitation fees.

Investigators trace his involvement in cybercrime activities back nearly twenty years, during which he maintained relationships with several major threat actors in the underground economy.

The investigation’s operational phase began in Ukraine in September 2024, with French police investigators deployed on the ground and supported by Europol through a virtual command post.

This week’s enforcement actions included the deployment of a Europol mobile office to assist with on-site coordination and evidence collection.

The operation aligns with findings from Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA), which identifies stolen data marketplaces as critical drivers of the cybercrime economy.

Platforms like xss.is enable the trade and monetization of compromised data, hacking tools, and illicit services that fuel ransomware attacks, fraud schemes, identity theft, and extortion operations.

Europol provided essential operational and analytical support throughout the investigation, facilitating information exchange between French and Ukrainian authorities while mapping the cybercriminal infrastructure and connecting the suspect to other major threat actors.

The successful operation involved collaboration between France’s Paris Prosecutor’s Office and Paris Police Prefecture’s Brigade against Cybercrime, Ukraine’s General Prosecutor’s Office and Security Service Cybercrime Department, along with Europol’s coordination support.

Seized data from the operation will undergo analysis to support ongoing investigations across Europe and beyond, potentially leading to additional arrests and the disruption of related criminal networks that relied on the forum’s services.