The largest Russian Dark Web platform "XSS.is" was shut down! The core figure was arrested in Kyiv

Europol, in collaboration with French and Ukrainian police, arrested the behind-the-scenes administrator of the Russian-language Dark Web platform XSS.is in Kyiv on July 22, putting an end to an underground economic hub that had been operating for nearly two decades.

The authorities noted that this administrator played a crucial role in XSS.is, earning approximately 7 million euros in advertising and management fees by providing various services.

Intricate Underground Economy

According to public information, XSS.is is a primarily Russian-language cybercrime platform first launched in 2004 under the name DaMaGeLaB, and is one of the largest and most well-known cybercrime platforms globally.

The forum provided a trading platform where hackers could buy and sell stolen system access, malware, stolen credentials, databases, ransomware kits, and conduct anonymous transactions through encrypted Jabber channels. The platform was known for its strict member review mechanism, with over 50,000 registered users, some of whom had to pay fees to ensure account authenticity and prevent spam accounts. With the arrest of XSS.is's administrator, the platform's domain has been seized, and its Dark Web domain and backup domains now show a "504 Gateway Timeout" error.

It's worth noting that the Chief Information Security Officer of SlowMist, @im23pds, also warned that XSS.is was the largest trading ground for stealer tools, which have long posed significant security challenges to the cryptocurrency domain. For example, Lumma Stealer can mass-steal cryptocurrency wallet browser extensions, private keys, and seed phrases.

International Cooperation in Crackdown

The police press release indicated that this arrest operation can be traced back to a lead provided by French police in 2021. Based on intelligence, Europol conducted on-site surveillance of XSS.is with Ukrainian law enforcement in 2024.

After multiple infiltration and positioning efforts, the task force ultimately located the suspect's residence and server location, successfully arresting key personnel and seizing a large amount of data. Law enforcement officials added that removing the platform's operator would immediately undermine XSS.is's trust mechanism and is expected to suppress related malicious trading activities in the short term.

Subsequent Risks and Long-term Challenges

Finally, Europol's latest IOCTA report warns that the thriving Dark Web data trading market is one of the key driving factors behind cybercrime. Platforms like XSS.is have made it possible to trade and monetize stolen data, hacking tools, and illegal services, thereby fueling various criminal activities. The arrest of the XSS.is administrator also reveals the vulnerability of "platformized" crime in the Dark Web: once the core node is broken, the massive underground ecosystem can be instantly impacted.

However, it's worth noting that new platforms and mirror sites are likely to quickly emerge. Therefore, facing constantly evolving attack methods, businesses, individuals, and regulatory bodies must remain vigilant to keep up with this war without gunpowder.
