Suspected forum administrator with nearly 20 years in cybercrime made over EUR 7 million facilitating illegal activities.
A long-running investigation led by the French Police and Paris Prosecutor, in close cooperation with their Ukrainian counterpart and Europol, has led to the arrest of the suspected administrator of xss.is, one of the world’s most influential Russian-speaking cybercrime platforms.
The forum, which had more than 50 000 registered users, served as a key marketplace for stolen data, hacking tools and illicit services. It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit.
The arrest took place in Kyiv, Ukraine, on 22 July, as part of a series of coordinated enforcement actions aimed at gathering evidence and dismantling the criminal infrastructure.
Suspect made millions facilitating cybercrime
The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity. Acting as a trusted third party, he arbitrated disputes between criminals and guaranteed the security of transactions. He is also believed to have run thesecure.biz, a private messaging service tailored to the needs of the cybercriminal underground.
Through these services, the suspect is thought to have made over EUR 7 million in advertising and facilitation fees. Investigators believe he has been active in the cybercrime ecosystem for nearly two decades, and maintained close ties to several major threat actors over the years.
Operational phase
The investigation was initiated by the French Police in 2021. In September 2024, the case moved into the operational phase in Ukraine, where French police investigators were deployed on the ground, supported by Europol through the establishment of a virtual command post.
It was followed by another action this week, which saw the arrest of the main suspect in Kyiv, Ukraine.
Europol support
Europol provided essential operational and analytical support throughout the investigation, facilitating information exchange and coordination between the French Police and Ukrainian authorities.
Europol also assisted in mapping the cybercriminal infrastructure and linking the suspect to other major threat actors. This collaborative approach ensured a swift, targeted response to dismantle the criminal platform and disrupt the illicit activities facilitated through the forum.
During this week’s enforcement actions in Kyiv, a Europol mobile office was deployed to support French and Ukrainian teams with on-site coordination and evidence collection. The seized data will now be analysed to support ongoing investigations across Europe and beyond.
IOCTA 2025 report underscores the threat from stolen data marketplaces
This operation aligns closely with findings from Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA), which highlights the booming black market for stolen data as a critical driver of the cybercrime economy.
Platforms like xss.is enabled the trade and monetisation of compromised data, hacking tools, and illicit services that fuel a wide range of criminal activities – from ransomware and fraud to identity theft and extortion.
The IOCTA reveals how such marketplaces empower cybercriminals by providing access, anonymity and trust mechanisms that sustain their operation.
The following authorities took part in the investigation:
- France: Paris Prosecutor (Parquet de Paris – JUNALCO), French Police – Paris Police Prefecture (Police française – Préfecture de Police de Paris – Brigade de lutte contre la cybercriminalité)
- Ukraine: General Prosecutor’s Office of Ukraine (Офіс Генерального Прокурора України), Security Service of Ukraine – Cybercrime Department (Служба безпеки України – Кібердепартамент)
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter |The Mainstream formerly known as CIO News Whatsapp Channel | The Mainstream formerly known as CIO News Instagram
About us:
The Mainstream formerly known as CIO News is a premier platform dedicated to delivering latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.
