After a four-year long manhunt for the operators of XSS, one of the most popular and longest-running Russian-language cybercrime forums, authorities finally broke through this week, with an arrest of one of its alleged administrators in Ukraine. The forum was popular among cybercriminals for the sale of various malware code, access to compromised systems, stolen data, and ransomware-related services.
The investigation into the forum’s operations began in July 2021 when one of the encrypted Jabber messaging servers – thesecure[.]biz – first came under the French law enforcement’s scanner. This jabber server was used by XSS forum for anonymous messaging between users registered on its platform.
“The intercepted messages revealed numerous illicit cybercrime and ransomware activities, and established that they had generated at least $7 million in profit,” the Public Prosecutor’s Office in Paris said.
Along with the XSS forum, the suspect is also believed to have run thesecure[.]biz jabber server service.
Europol coordinated the operation between the French and Ukrainian authorities and revealed that the arrested individual was not only a technical administrator but also acted as a trusted third-party arbitrator to settle disputes between cybercriminals and guaranteed secure transactions.
Investigations suggested the suspect has been active in the underground ecosystem for nearly two decades, and has had links to several major threat actors over the years. He also likely made millions through advertising and facilitation fees.
XSS Forum’s Cybercriminal Link
XSS forum has been active since 2013 and had around 50,000 registered users. It was formerly known as “DaMaGeLaB” which became operational in 2004, as per researchers at Searchlight Cyber. The forum was likely rebranded from DaMaGeLaB to XSS, as one of its administrators who was also involved in the operation of the Andromeda botnet, was arrested a year before.
XSS forum looked like any other professional platform with well defined sections on hacking, corporate access, database leaks, and even competitive intelligence, researchers said. The forum had previously also acted as a recruitment and PR tool for Ransomware-as-a-Service (RaaS) providers. However, researchers say such content was “banned” time and again to not attract unwanted attention from law enforcement.
The forum also trialed an “XSSBot“ in 2023. Researchers suspect the chatbot was powered by ChatGPT and users could potentially ask for details such as information about different malware strains, tips on code obfuscation, etc.
Main Site Down, But…
The main forum domain xss[.]is currently displays a seizure notice but a tweet from a platform X user under the moniker @3xp0rtblog, who claims to be a cybersecurity analyst at Prodaft said, “the backup domain xss[.]as, the .onion site, and the Jabber service at thesecure[.]biz are still online and functioning.”
@3xp0rt also added that the XSS community is actively discussing the current scenario on the forum. The X user revealed that the moderators were deleting all content where the admin name LARVA-27 was being discussed. “This was confirmed in a Telegram chat by moderator LARVA-466 (Rehub),” he said. “The goal is to suppress any narrative that could turn the situation into a newsworthy event and to ‘troll’ Westerners in the process.”
The latest arrest is a part of a broader crackdown on cybercrime ecosystems in Europe. Last month, the French authorities arrested the alleged administrator, known under the moniker “IntelBroker,” of another prolific underground marketplace: BreachForums. The French police arrested four other individuals mostly in their twenties, who they said were complicit in handling the forum’s operations.
Updated on July 23, 07:20 PM: The article was updated with additional information on the seizure of the main domain xss[.]is and details of forum discussion from X user @3xp0rtblog.
